Lab 97 — UptimePulse — SSRF Chain to RCE via Cloud Metadata

hackadvisor

Task: UptimePulse monitoring platform with URL health check feature protected by IP blocklist. Solution: Bypass IP blocklist using IPv6-mapped IPv4 address [::ffff:127.0.0.1], steal IAM credentials from cloud metadata service, then achieve RCE via internal management API.

ssrf rce nodejs nginx express decoy_flag internal_service_discovery ipv6_mapped_ipv4 cloud_metadata iam_credentials aws imdsv1 ip_blocklist_bypass

honeypot_flag_detectioninternal_port_scanningcloud_metadata_credential_theftssrf_ip_blocklist_bypassipv6_mapped_ipv4_address_bypassmanagement_api_rce

$ ls tags/ techniques/

ssrf rce nodejs nginx express decoy_flag internal_service_discovery ipv6_mapped_ipv4 cloud_metadata iam_credentials aws imdsv1 ip_blocklist_bypass

honeypot_flag_detectioninternal_port_scanningcloud_metadata_credential_theftssrf_ip_blocklist_bypassipv6_mapped_ipv4_address_bypassmanagement_api_rce

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 256 — UptimeRadar — SSRF via URL Health Check— hackadvisor
[web][Pro]Lab 92 — EventPulse — SSRF via IPv6 Bypass in Webhook Verification— hackadvisor
[web][Pro]Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API— hackadvisor
[web][Pro]CloudPulse — OAuth CSRF Account Takeover via Missing State Parameter— hackadvisor
[web][Pro]CloudPulse— hackadvisor