IP Address: 172.25.200.200

Port: 9020

Want to run this Docker container locally?

docker run -d -p 9020:80 --restart always --name flag-q joshbeck2024/ctf-ssrf-hex-bypass-flag-q

This webpage is susceptible to an SSRF attack. In many real-world cases, web servers need to access resources on internal IP addresses or localhost (127.0.0.1) that should not be accessible publicly.

A common example would be a MySQL database. The web server should be able to make database queries, but you don’t want random people on the internet attempting to log directly into the database that contains website data using the public IP Address.

In this case, the machine has two web servers on it:

This webpage tells us that if we put in an HTTP address, the content of that webpage will be returned.

Let’s test the functionality first. On Kali:

The idea here is that we need to bypass the SSRF protections to reach the web server listening on the localhost interface (127.0.0.1:8001). Let’s just try http://127.0.0.1:8001 in the form field to see what happens.

You can see that the web server on http://localhost:8001 is protected.

Fun fact: IP addresses can be written in hexadecimal and they will still work. For example, on any machine, you can ping your own localhost address using hexadecimal like this:

ping 0x7F000001

This is the bypass that will work here.
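
Why this gets past the filter, and how to close it, shown as an added example that is not the challenge's own code. It assumes the protection is a string blocklist (BLOCKED_STRINGS and every function name are hypothetical) and compares that with a check that converts the host to the address the OS would actually connect to before deciding.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed naive filter: reject URLs containing these substrings.
BLOCKED_STRINGS = ("127.0.0.1", "localhost")


def naive_is_allowed(url):
    """String blocklist: only sees the spelling of the host, not its value."""
    return not any(s in url.lower() for s in BLOCKED_STRINGS)


def canonical_ip(host):
    """Return the IPv4 address a numeric host resolves to, or None."""
    try:
        # inet_aton accepts the same hex, octal and short forms that ping does.
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None  # not a numeric IPv4 host (a name, or IPv6)


def hardened_is_allowed(url):
    """Decide on the canonical address, and only allow public destinations."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = canonical_ip(parts.hostname)
    if ip is None:
        # A hostname must be resolved and every returned address checked,
        # then the connection made to the checked address. This offline
        # example does not resolve names, so it denies them.
        return False
    return ip.is_global  # False for loopback, private and link-local ranges


# Constructed sample inputs, taken from the addresses used on this page.
SAMPLES = ["http://127.0.0.1:8001", "http://0x7F000001:8001", "http://8.8.8.8/"]


def compare(urls=SAMPLES):
    """Map each URL to (naive verdict, hardened verdict)."""
    return {u: (naive_is_allowed(u), hardened_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"{url:28} naive={naive!s:5} hardened={hardened}")
```

The hex form passes the string check but is rejected once it is reduced to 127.0.0.1, which is the comparison a server-side fetcher should be making.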