webPromedium

Lab 406 — PingRelay — Prototype Pollution to SSRF via CRLF Header Injection

hackadvisor

Task: Express webhook platform with a settings API that deep-merges arbitrary JSON (prototype pollution) and a custom raw-socket HTTP adapter that emits headers unsanitized. Solution: pollute Object.prototype with a header whose value contains CRLF, smuggling a second HTTP request over the keep-alive socket to reach the gated /internal/credentials endpoint on localhost:3001 via full-read SSRF.

ssrf nodejs nginx prototype_pollution express crlf_injection http_request_smuggling webhook internal_api honeypot_flag deep_merge raw_socket_adapter full_read_ssrf

honeypot_flag_detectionprototype_pollution_via_deep_mergecrlf_header_injection_via_protohttp_request_smuggling_over_keepalivessrf_via_webhook_deliveryinternal_admin_api_access

$ ls tags/ techniques/

ssrf nodejs nginx prototype_pollution express crlf_injection http_request_smuggling webhook internal_api honeypot_flag deep_merge raw_socket_adapter full_read_ssrf

honeypot_flag_detectionprototype_pollution_via_deep_mergecrlf_header_injection_via_protohttp_request_smuggling_over_keepalivessrf_via_webhook_deliveryinternal_admin_api_access

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups