We covered practical examples of bypassing domain redirection restrictions. In the first example, we used a webhook to render requests that call a function used to execute system commands. In the second example, we used bypass techniques to redirect the webpage to different paths that reveal sensitive files. This was part of the HackTheBox RenderQuest & ProxyAsAService web challenges.
ProxyAsAService
Experience the freedom of the web with ProxyAsAService. Because online privacy and access should be for everyone, everywhere.
Highlights
In the RenderQuest challenge, we used a webhook to create a custom request that calls the function FetchServerInfo, which is used in the main code file main.go.
In the request, we included the following payload: {{FetchServerInfo "ls -la"}} which lists the contents of the current directory. We carried on with other commands to retrieve the challenge flag.
In the ProxyAsAService challenge, we manipulated the url parameter and used the @ payload followed by the local address, so that the payload looks like: url=@0.0.0.0:1337/debug/environment.
The above payload triggered the function responsible for printing out the environment variables, which included the challenge flag.
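Why the @ payload changes the destination, shown as an added example (not code from the challenge or from this walkthrough). It assumes the service builds its outbound URL by concatenating a fixed prefix with the url parameter; the prefix http://example.com, the allow-list and the function names are hypothetical.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: the proxy prepends a fixed site to the user-supplied `url` value.
ASSUMED_PREFIX = "http://example.com"      # hypothetical, not from the challenge
ALLOWED_HOSTS = {"example.com"}            # hypothetical allow-list


def naive_build(user_value: str) -> str:
    """Plain string concatenation: the pattern that makes '@' meaningful."""
    return ASSUMED_PREFIX + user_value


def effective_target(url: str):
    """Return (userinfo name, host, port) as an HTTP client will interpret them."""
    parts = urlsplit(url)
    return parts.username, parts.hostname, parts.port


def is_safe(url: str) -> bool:
    """Validate the final URL, after concatenation, against the allow-list."""
    try:
        parts = urlsplit(url)
        parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if "@" in parts.netloc:             # any userinfo moves the real host
        return False
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)      # IP literals (0.0.0.0, 127.0.0.1) rejected
        return False
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for value in ("/some/page", "@0.0.0.0:1337/debug/environment"):
        url = naive_build(value)
        print(url, effective_target(url), "safe" if is_safe(url) else "rejected")
```

Everything before the @ is parsed as userinfo, so the prefix stops being the host. A hostname allow-list does not cover redirects or names that resolve to internal addresses; those need checks at connection time.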
The last part with ProxyAsAService when you randomly used the ‘@’ symbol could do with an explanation of why the hell that worked.
Cuz that was weird and confusing an