Hold your marks
Description
Experienced in the world of bug bounties, you stumble upon a markdown editor during your exploits. Your objective: infiltrate the server’s defenses to access a concealed file, hidden away from external access. Can you leverage your skills to navigate through the editor’s intricacies and uncover the secrets that lie within the server’s depths?
Solution
Title: Unraveling Secrets: A Bug Bounty Journey Through a Markdown Editor
Description:
Venturing through the dynamic landscape of bug bounties, I stumbled upon a markdown editor, concealing tantalizing secrets within its digital confines. My mission: to breach the server’s defenses, uncovering a hidden file inaccessible through conventional means. Armed with experience and expertise, I embarked on a journey to decode the editor’s intricacies and unearth the concealed treasures lurking within.
Solution:
Upon entering the editor, I was greeted with two avenues for user input: a URL input for fetching markdown and a markdown editor interface. Instantly, my bug bounty instincts kicked in, recognizing the potential for Server-Side Request Forgery (SSRF) through the URL input.
To validate my suspicions, I employed interactsh, a reliable tool for confirming SSRF vulnerabilities. However, my progress hit a snag as all interactions with localhost were systematically blocked by the server’s defenses.
Undeterred, I devised a cunning bypass strategy: leveraging a URL redirect to access the elusive file located at “http://localhost/flag”. Inspired by a YouTube video showcasing the utilization of the “/flag” endpoint, I crafted a Python Flask application hosted on my VPS to execute this redirect seamlessly.
from flask import Flask, redirect, request

app = Flask(__name__)


@app.route('/')
def redirect_to_user_url():
    # Read the destination from ?url=... and answer with a 302 pointing at it
    user_url = request.args.get('url')
    if user_url:
        return redirect(user_url, code=302)
    return "Please provide a URL parameter.", 400


if __name__ == '__main__':
    # Listen on all interfaces so the target server can reach the redirector
    app.run(host='0.0.0.0', port=80)
With my Flask application primed and deployed, I executed the final exploit, crafting a URL that triggered the redirect to “http://localhost/flag” via the server’s IP address or ngrok. The moment of truth arrived as the hidden flag was finally revealed.
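The editor's mistake was checking only the URL the user typed while letting its HTTP client follow redirects on its own. The fetcher below, added here as an example and not the challenge's or the author's code, follows redirects one hop at a time and re-validates the resolved address of every hop, so a 302 to localhost is refused just like a direct request. The hostname redirector.example, the address 1.2.3.4 and the fake DNS/HTTP tables are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

def resolve_addresses(host):
    """Every IP address the host resolves to; IP literals pass straight through."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_allowed_target(url, resolve=resolve_addresses):
    """Allow only http(s) URLs whose every resolved address is globally routable;
    loopback (the write-up's localhost), RFC 1918, link-local and unresolvable hosts fail."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname)
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch_markdown(url, get, resolve=resolve_addresses, max_redirects=3):
    """Follow redirects one hop at a time, re-checking every hop. get(url) returns
    (status, headers, body) and must NOT auto-follow, or the check is skipped."""
    for _ in range(max_redirects + 1):
        if not is_allowed_target(url, resolve):
            raise ValueError(f"blocked target: {url}")
        status, headers, body = get(url)
        if status not in REDIRECT_CODES:
            return body
        if "Location" not in headers:
            raise ValueError("redirect without Location header")
        url = urljoin(url, headers["Location"])  # relative Location resolves against this hop
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP (1.2.3.4 is a placeholder public address).
FAKE_DNS = {"redirector.example": ["1.2.3.4"], "localhost": ["127.0.0.1"]}
FAKE_HTTP = {
    "http://redirector.example/?url=http://localhost/flag": (302, {"Location": "http://localhost/flag"}, b""),
    "http://redirector.example/notes.md": (200, {}, b"# notes\n"),
}
def fake_resolve(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]
def fake_get(url):
    return FAKE_HTTP.get(url, (404, {}, b""))
```

With a real client, pass a `get` that disables automatic redirects (for example `requests.get(url, allow_redirects=False)`) so every hop passes through `is_allowed_target`.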
Flag
flag{Uo9Cn5g9eodJrH2w7wR0Gw==}