We covered practical examples of bypassing domain redirection restrictions. In the first example we used a Webhook to render requests that call a function used to execute system commands. The second example, we used bypass techniques to redirect the webpage into different paths that reveal sensitive files. This was part of HackTheBox RenderQuest & ProxyAsAService web challenges.

CHALLENGE DESCRIPTION
 
RenderQuest
You’ve found a website that lets you input remote templates for rendering. Your task is to exploit this system’s vulnerabilities to access and retrieve a hidden flag. Good luck!

ProxyAsAService

Experience the freedom of the web with ProxyAsAService. Because online privacy and access should be for everyone, everywhere.

Highlights

In RenderQuest challenge, we used a webhook to create a custom request that calls the function FetchServerInfo that’s used in the main code file main.go.

In the request, we included the following payload: {{FetchServerInfo “ls -la”}} which retrieves the contents of the current directory. We carried on with other commands to retrieve the challenge flag.

In ProxyAsAService challenge, we manipulated the url parameter and used the @ payload followed by the local address so that the payload looks like: url=@0.0.0.0:1337/debug/environment.

The above payload triggered the function responsible for printing out the environment variables which included the challenge flag.

Video Walkthrough

Video tutorial for HackTheBox RenderQuest & ProxyAsAService is coming soon

, , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles