Balsn CTF 2021 - proxy


Never Trust, Always Verify.

Flag is not a local file, you don't need to use any fuzzing tools.

Author: ysc

It's a misconfiguration of Kubernetes with Istio; there are 3 steps you need to do:

  1. Recon: SSRF recon to find local port 15000
  2. Recon: analyze local port 15000 and find a secret service
  3. Bypass: SSRF and bypass istio misconfiguration

Here is the Istio misconfiguration reference:

Recon: SSRF recon to find local port 15000

Same page as Balsn CTF 2020 TPC, you get:

/query?site=[your website]

Yeah, I really like SSRF... and recon ;) You can try some SSRF recon and find that it can read local files, because urllib happily fetches file:// URLs. Nice!

Query /proc/net/tcp and extract the listening TCP ports from it; you will find port 15000 (0x3A98).

Also, you can get the command line via file:///proc/self/cmdline and the source code via file:///opt/workdir/

import urllib.request

from flask import Flask, request

app = Flask(__name__)

@app.route('/meow')  # route path assumed; the decorators were lost in extraction
def meow():
    return 'meow?'

@app.route('/query')
def query():
    # SSRF sink: the user-supplied URL is fetched directly by urllib,
    # which also accepts file:// URLs, hence the local file reads above
    site = request.args.get('site')
    text = urllib.request.urlopen(site, timeout=5).read()
    return text

@app.route('/')
def hello_world():
    return "/query?site=[your website]"

if __name__ == "__main__":
    app.run(host="", port=8000)

But it's weird: we can't access it and only get RBAC: access denied.

Recon: analyze local port 15000 and find a secret service

Googling RBAC: access denied, you will find that it's Istio and that port 15000 is the Envoy admin interface, so it is blocked by an Istio authorization policy.

We can try to dump the config via the Envoy admin interface:

It's a large JSON file; after analyzing the route configs in it, you will find that we can access a secret service and port: secret-service-20a91e:39307

Bypass: SSRF and bypass istio misconfiguration

Try to access the secret service via SSRF, and you get: here is your flag: <a href="/flag">/flag</a>.

But when you access it, you get Internal Server Error, because the Istio authorization policies in this challenge deny connections when we access secret-service-20a91e:39307/flag.

So the last step is the bypass! Let's read the official docs:

Bypassing the path match in the Istio authorization policy is easy: just use // (a double slash), which the default path normalization doesn't collapse, so the deny rule on /flag never matches!
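As an added example (not from the original writeup, and not Istio's or Envoy's code), here is a simplified Python model of the path-normalization levels that Istio's meshConfig setting pathNormalization.normalization applies before AuthorizationPolicy rules are matched; it shows why an exact-path DENY rule on /flag misses //flag at the default BASE level and catches it once slashes are merged. The normalize/is_denied functions and the exact behaviour of each level are my simplification, kept only close enough to illustrate the point.

```python
# Simplified model of Istio path normalization ahead of AuthorizationPolicy
# matching. Assumed levels: NONE, BASE (default: dot-segment resolution only),
# MERGE_SLASHES (BASE + collapse "//"), DECODE_AND_MERGE_SLASHES (also decode
# %2F before merging). Not Envoy's implementation, an educational model only.

DENIED_PATHS = {"/flag"}  # exact-path DENY rule, as in the challenge

LEVELS = ("NONE", "BASE", "MERGE_SLASHES", "DECODE_AND_MERGE_SLASHES")


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments (RFC 3986 section 5.2.4 style)."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    result = "/".join(out)
    return result if result.startswith("/") else "/" + result


def normalize(path: str, level: str) -> str:
    """Return the path as the policy engine would see it at this level."""
    if level not in LEVELS:
        raise ValueError(f"unknown normalization level: {level}")
    if level == "NONE":
        return path
    if level == "DECODE_AND_MERGE_SLASHES":
        # only the slash encodings are decoded, so "%2F" cannot hide a "/"
        path = path.replace("%2F", "/").replace("%2f", "/")
    path = remove_dot_segments(path)
    if level != "BASE":
        while "//" in path:  # merge consecutive slashes
            path = path.replace("//", "/")
    return path


def is_denied(path: str, level: str = "BASE") -> bool:
    """True if the normalized request path hits the DENY rule."""
    return normalize(path, level) in DENIED_PATHS


def check(paths, levels=LEVELS):
    """Table of which levels block which request paths."""
    return {p: {lv: is_denied(p, lv) for lv in levels} for p in paths}


if __name__ == "__main__":
    for p, row in check(["/flag", "//flag", "/a/../flag", "/%2Fflag"]).items():
        print(p, row)
```

The row for //flag is the challenge: blocked only from MERGE_SLASHES upward, which is why hardening the mesh-wide normalization level closes this class of bypass rather than adding more path patterns to the policy.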

Now we can get the flag:
