PingForge

hackadvisor

Task: PingForge webhook platform with URL validation blocklist preventing SSRF to internal metadata service on localhost:3001. Solution: Bypass blocklist using IPv6-mapped IPv4 address (::ffff:127.0.0.1) to reach internal /credentials endpoint and extract flag from AWS IAM secret_access_key.

sqlite ssrf nodejs nginx express webhook ipv6 honeypot_flag url_validation blocklist_bypass ipv6_mapped_ipv4 metadata_endpoint aws_credentials

ssrf_via_webhookipv6_mapped_ipv4_bypassurl_validation_bypassinternal_service_enumerationwebhook_delivery_log_exfiltrationdecoy_flag_avoidance

$ ls tags/ techniques/

sqlite ssrf nodejs nginx express webhook ipv6 honeypot_flag url_validation blocklist_bypass ipv6_mapped_ipv4 metadata_endpoint aws_credentials

ssrf_via_webhookipv6_mapped_ipv4_bypassurl_validation_bypassinternal_service_enumerationwebhook_delivery_log_exfiltrationdecoy_flag_avoidance

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor
[web][Pro]Lab 347 — PushRelay — SSRF via URL Parsing Confusion in Webhook Tester— hackadvisor
[web][Pro]WebhookForge— hackadvisor
[web][Pro]Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain— hackadvisor
[web][Pro]Lab 92 — EventPulse — SSRF via IPv6 Bypass in Webhook Verification— hackadvisor