We covered practical examples of bypassing domain redirection restrictions. In the first example we used a Webhook to render requests that call a function used to execute system commands. The second example, we used bypass techniques to redirect the webpage into different paths that reveal sensitive files. This was part of HackTheBox RenderQuest & ProxyAsAService web challenges.

Get OSCP Certificate Notes

The Complete Penetration Testing with BackBox Course

CHALLENGE DESCRIPTION
RenderQuest
You’ve found a website that lets you input remote templates for rendering. Your task is to exploit this system’s vulnerabilities to access and retrieve a hidden flag. Good luck!

ProxyAsAService

Experience the freedom of the web with ProxyAsAService. Because online privacy and access should be for everyone, everywhere.

Video Highlights

In RenderQuest challenge, we used a webhook to create a custom request that calls the function FetchServerInfo that’s used in the main code file main.go.

In the request, we included the following payload: {{FetchServerInfo “ls -la”}} which retrieves the contents of the current directory. We carried on with other commands to retrieve the challenge flag.

In ProxyAsAService challenge, we manipulated the url parameter and used the @ payload followed by the local address so that the payload looks like: url=@0.0.0.0:1337/debug/environment.

The above payload triggered the function responsible for printing out the environment variables which included the challenge flag.

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles