webProhard

Тссс, 9.2.2.3!

hackerlab

Task: Express 'Site Tester' headless-Chrome scraper with SSRF (stats-only oracle, http/https only). Solution: title 9.2.2.3 = CDP port 9223; host CSP-free attacker JS, fetch CORS-readable /json, open page-level CDP WebSocket, Target.createTarget(file:///app/flag.txt) + Runtime.evaluate to read and exfiltrate the flag.

$ ls tags/ techniques/

ssrf file_read nodejs express headless_chrome websocket cdp chrome_devtools_protocol remote_debugging_port csp_artifact port_in_title cors_readable_cdp

ssrf_internal_port_scancdp_json_endpoint_cors_readcdp_page_websocket_from_browser_jstarget_createtarget_file_readruntime_evaluate_exfilcsp_false_negative_pitfall

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]РоБОТЫ 2— bug-makers
[infra][Pro]Основа (Foundation)— hackerlab
[web][Pro]Странный сервер (Strange Server)— hackerlab
[web][Pro]Провальный код (Failed Code)— hackerlab
[infra][Pro]Кто там?— hackerlab