intigriti-1025 challenge writeup

There is my i guess unintended solution for intigriti challenge 1025.

Whili visiting the main page we can see the following:

So the function is to paste your url and the website will parse it, first thing what i did is to send request to my webhook

Responce of webhook is reflecting on the page, i tried to paste some xss payloads

But nothing happend, then i decided to check is there an opportunity to do ssrf on internal host

Filter for localhost, after some attempts i bypassed it via http://localtest.me

As it worked i tried to find some dirs, like admin.php or config.php but nothing came of it, i went forward and i thought about is there a chance to do request via file:/// and read /etc/passwd

At this point, returning to the vector with localtest.me, I got stuck and after a few attempts to do some tricks with cURL:

http://example.com,file:///etc/passwd

I noticed that the condition is that http must INCLUDE, BUT NOT START WITH IT, and i straightaway tried to bypass it via null byte

After that i decided to bypass it via step back in terminal

So then i looked for a flag.txt file and thought about that i should take rce for this chall and continued to browse and look at files

After 20 minutes a realized that we have a full view of all files inside machine

And we even don't have to take rce because we see all files with just look at directory

And i returned to the root directory