In this write-up, we will solve the ProxyAsAService challenge from HackTheBox. The goal is to analyze the web application, identify its weaknesses, and use them to gain command execution in order to retrieve the flag. Along the way, we will break down each step of the exploitation process to clearly demonstrate how the vulnerability can be discovered and leveraged.
Let’s navigate to the website.

The website automatically redirects us to Reddit.
Now let’s take a look at the source code.

Notice that the URL is passed as a parameter to a function named proxy_req.
Now let’s read the source code of the proxy_req function.

Notice that the url parameter is passed directly to the requests.request function, which makes the application vulnerable to server-side request forgery (SSRF).
Now let’s look at the IP restrictions.

Notice that there is a blacklist that blocks some IP addresses from being requested.
Now, what is the idea of the challenge?

The idea is to make a request to localhost, to the endpoint /debug/environment, which will print the environment variables on the machine.
Now, why do we need to call the environment endpoint?

We need to read the environment variables because the flag is stored in them.