Rating: 4.5

# Brokerboard
![](./brief.png)

The important part of the brief is the mentioning of the https://localhost/key endpoint. This is where the flag will most likely be returned from.

The challenge provided a web interface that fetches links.

![](./images/website.png)

As you can see from the image the url http://www.google.com has been parsed successfully. However, any attempts with localhost as the main host causes this error to be returned:


Ruh roh, we don't allow you to fetch internal URLs!


The second most important part of the brief is the hint towards the use of parse_url in the system. This will be our vulnerable entry point.

The bug used was ![#73192](https://bugs.php.net/bug.php?id=73192) of the PHP bug page. This states that the host in incorrectly parsed when the use of # after the port number of the original domain.


http://example.com:80#@localhost/key


NOTE: even though the website states that ? and // can work in place of the #. These were unable to work in this context.

By placing the playload into the link fetcher it circumvents the initial check for localhost while parse_url takes localhost/key as the main url.

The flag is provided like so:

![](./images/website_flag.png)


FLAG: flag{y0u_cANn0t_TRU5t_php}