get flag 1

Overview

• Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

Enumeration

Home page:

View source page:

[...]
<h1>URL Form</h1>
<form action="/getUrl" method="get">
    <div class="form-group">
        <label for="url">Enter URL:</label>
        <input type="text" class="form-control" id="url" name="url" placeholder="Enter URL here" required>
    </div>
    <button type="submit" class="btn btn-primary">Submit</button>
</form>
[...]

As you can see, it’s a simple HTML form.

When we clicked the “Submit” button, it’ll send a GET request to /getUrl, with parameter url.

Let’s try to send something:

In here, our supplied URL is reflected to the web page!

Exploitation

Armed with above information, it seems like it may be vulnerable to SSRF (Server-Side Request Forgery)! Which means we can try to reach internal services!

Umm… What??

It should reach to the internal service on port 9001…

Maybe there are some filters??

If so, we can try to bypass that.

According to HackTricks, we can use the following payload to bypass it:

After some trial and error, this payload works!

http://127.1:9001/flag.txt

This payload 127.1 is the same as 127.0.0.1, which is localhost.

Nice! We got the flag!

• Flag: ictf{l0c4l_byp4$$_323theu0a9}

Conclusion

What we’ve learned:

1. Exploiting SSRF (Server-Side Request Forgery) & Bypassing Filters