Domain Redirection Bypass Explained | HackTheBox RenderQuest & ProxyAsAService

Motasem Hamdan
Jan 26, 2024

We covered practical examples of bypassing domain redirection restrictions. In the first example, we used a webhook to render requests that call a function used to execute system commands. In the second example, we used bypass techniques to redirect the webpage into different paths that reveal sensitive files. This was part of the HackTheBox RenderQuest and ProxyAsAService web challenges.

CHALLENGE DESCRIPTION

RenderQuest

You’ve found a website that lets you input remote templates for rendering. Your task is to exploit this system’s vulnerabilities to access and retrieve a hidden flag. Good luck!

ProxyAsAService

Experience the freedom of the web with ProxyAsAService. Because online privacy and access should be for everyone, everywhere.

Video Highlights

In the RenderQuest challenge, we used a webhook to create a custom request that calls the function FetchServerInfo, which is used in the main code file main.go.

In the request, we included the following payload: {{FetchServerInfo "ls -la"}}, which lists the contents of the current directory. We carried on with other commands to retrieve the challenge flag.

In the ProxyAsAService challenge, we manipulated the url parameter and used the @ payload followed by the local address, so that the payload looks like: url=@0.0.0.0:1337/debug/environment.

The above payload triggered the function responsible for printing out the environment variables which included the challenge flag.
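Why the @ in that payload changes the destination, shown as an added Go example that is not code from the challenge or the video. It assumes the proxy builds its target by appending the url parameter to a fixed http://<domain> prefix; allowed.example, naiveTarget, parts and checkTarget are hypothetical names. Everything before the @ is parsed as userinfo, so the real host becomes 0.0.0.0, and the check therefore validates the assembled URL rather than the fragment the user supplied.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Assumption: the one domain the proxy is meant to reach (placeholder name).
const allowedHost = "allowed.example"

// naiveTarget mirrors the assumed pattern: fixed prefix plus the raw url parameter.
func naiveTarget(param string) string { return "http://" + allowedHost + param }

// parts returns the userinfo and the host an HTTP client would actually connect to.
func parts(raw string) (user, host string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	return u.User.Username(), u.Hostname(), nil
}

// checkTarget validates the assembled URL, not the user-supplied fragment.
func checkTarget(raw string) error {
	u, err := url.Parse(raw)
	switch {
	case err != nil:
		return err
	case u.Scheme != "http" && u.Scheme != "https":
		return errors.New("scheme not allowed")
	case u.User != nil: // anything before '@' is credentials, not the host
		return errors.New("userinfo not allowed")
	case u.Hostname() != allowedHost: // exact match on the parsed host
		return errors.New("host not allowed")
	}
	return nil
}

func main() {
	for _, p := range []string{"/some/page", "@0.0.0.0:1337/debug/environment"} {
		t := naiveTarget(p)
		user, host, _ := parts(t)
		fmt.Printf("%s\n  userinfo=%q host=%q check=%v\n", t, user, host, checkTarget(t))
	}
}
```

A parse-time check like this does not cover redirects followed by the HTTP client or a hostname that later resolves to an internal address; those need to be enforced at connection time.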


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
