Lab 341 — KeyVault2FA — SSRF via OTP Account Import

hackadvisor

Task: KeyVault2FA 2FA management platform with OTP account import that fetches icon URLs server-side without validation. Solution: Exploit SSRF via image parameter in otpauth:// URI to access internal config service on localhost:3001/flag, with non-image response body leaked in body_preview field.

ssrf php nginx internal_service decoy_flag honeypot_flag localhost otpauth image_fetch otp_import body_preview_leak

internal_service_enumerationdecoy_flag_avoidancessrf_via_otpauth_image_parameternon_image_response_body_leak

$ ls tags/ techniques/

ssrf php nginx internal_service decoy_flag honeypot_flag localhost otpauth image_fetch otp_import body_preview_leak

internal_service_enumerationdecoy_flag_avoidancessrf_via_otpauth_image_parameternon_image_response_body_leak

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 273 — AuthForge — SSRF via OAuth Dynamic Client Registration— hackadvisor
[web][Pro]Lab 288 — VaultPay — 2FA Bypass via Pre-Authentication JWT— hackadvisor
[web][Pro]Lab 23 — KeyVault Pro — IDOR in 2FA Device Removal— hackadvisor
[web][Pro]Lab 301 — VaultLine — 2FA Bypass via Rate Limit Evasion— hackadvisor
[web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor