GrayCon CTF - Red Team Village Web Challenge

# GrayCon CTF - Red Team Village Web Challenge ### Name: c0ntr0l 0x01 ### Category: Web ### Points: 100 ###### tags: `CTF` `GrayCon` `Red Team Village` `web` `SSRF` > At the time of this write up, the challenges has ended and the web interfaces closed, so I will explain some processes rather than providing screenshots. ### Challenge Description We were given an IP address for the challenge at http://104.131.178.50:8888/. Visiting the page returns a login screen. ![](https://i.imgur.com/W1HL9FD.png) ### Solution Since we were not provided with credentials, we decided to try out some SQLi since the webserver is running on PHP, which failed. There is a register link so we proceeded to register a new user and login with that account. ![](https://i.imgur.com/5hHCTc2.png) Now, we can login with our newly created account and get redirected to a dashboard. ![](https://i.imgur.com/bvGmXRp.png) As shown on the dashboard, we do not have admin privileges. We began to check the cookie to see if there is a way check for admin role is set, monitor the requests and inspect the javascript functions but the role does not seem to be set on the front end. Clicking through the functions on the dashboard, most of them are inactive and the only active one was the `Server Configuration`. ![](https://i.imgur.com/V0KVT0e.jpg) We can set the set the IP address and port and update. Almost instantly, Server Side Request Forgery (SSRF) comes to mind. What if we give the server an IP address or URL that belongs to us and see if it will reach out? We went ahead to set up a tunnel using [ngrok](https://ngrok.com/) on port 80 and also set up a python3 server to listen on port 80. ``` ./ngrok http 80 python3 -m http.server ``` We got a URL set up for us by ngrok and we enter the URL to the server configuration and update. After a while, the server reached back to our URL and we viewed the result using ngrok web UI ![](https://i.imgur.com/9maGeaj.jpg) The interesting thing to note is the referrer, the request has a referrer header from http://10.10.10.52/Admin_Users_Management.php. We then visited this endpoint on the webpage, http://104.131.178.50:8888/Admin_Users_Management.php and we got the admin credentials. > admin:exciting_time_in_the_world_right_now Logged out and then logged in as the admin, the Import Shipments and messages button are now active, we then tried to reach the localhost by entering http://127.0.0.1 into the URL field and we got an error. ![](https://i.imgur.com/Vmdv9YK.jpg) After some time, checked the page source and got the flag for the challenge. ### Flag > flag{more_than_just_alerts}