[web][Pro][medium]
Lab 388 — ModelForge
hackadvisor
Task: AI model management platform with 'Import Model from URL' feature (SSRF) and internal ForgeEngine API on port 3001 with Ollama-style modelfile support. Solution: Chain SSRF to discover internal API, create a model with ADAPTER directive pointing to /root/flag.txt, then export the model to exfiltrate file contents.
$ ls tags/ techniques/
tags: ssrf, file_read, nodejs, nginx, arbitrary_file_read, express, decoy_flag, internal_api, port_scanning, model_import, ollama_style_modelfile, adapter_directive, url_import
techniques: decoy_flag_detection, internal_port_scanning, ssrf_via_url_import, internal_api_enumeration, arbitrary_file_read_via_model_adapter, ollama_modelfile_adapter_abuse, query_parameter_injection
Similar writeups
- [web][Pro] Lab 38 — PipelineForge — XXE in XML Pipeline Import — hackadvisor
- [web][Pro] Lab 351 — FlowForge — RCE via Python Code Validation Endpoint — hackadvisor
- [web][Pro] Lab 273 — AuthForge — SSRF via OAuth Dynamic Client Registration — hackadvisor
- [web][Pro] Lab 58 — ReportForge — SSRF via PDF Export Logo URL — hackadvisor
- [web][Pro] Lab 134 — DocForge — FreeMarker SSTI Sandbox Escape via ?api Built-in — hackadvisor