CTF Challenge Description:

The challenge contains a php webproxy and a Tomcat server which has the Tomcat manager app deployed andwas only accessible via the php webproxy.

https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxycontainer and it has a few open issues, including some that look like they could be security-relevant.


To visit the tomcat container from the proxy, simply enter to view the tomcat webpage. Tomcat mentions an admin interface should be at /manager/html but upon visiting through the proxy we get a “401 unauthorized” error.

We also find the username and password (manager-web.xml) and that /manager/text exists as an interface for scripts.

We can use /manager/text/deploy to deploy the folder that contains the flag and visit that like any other webpage.

Cyber Security Study Notes

OSCP Study Notes

Then we can host this on our local attacker machine. The server address can be:

Header('location: http://admin:admin@');
  1. Redirect the proxy to
  2. Then redirect it to
  3. Flag: INS{SSRF-As-A-Service}

CTF Walkthrough Playlist

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles