A hands-on lab for practicing the vulnerability chain described in SSRF: Breaking through hidden application context.
Demonstrates:
- Secondary-context path traversal
- DNS rebinding
- SSRF
Note
To solve this lab, you'll need a domain that resolves to 127.0.0.1.
You can use 127.0.0.1.nip.io - it automatically resolves to 127.0.0.1.
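A defensive counterpart to the note above, added here as an example and not part of the lab's or ThreadHub's code: a server-side fetcher resolves a user-supplied hostname once, rejects any non-public address, and pins the connection to the address it checked. `pin_destination`, `SAMPLE_DNS` and the `example.com` names are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host, port):
    """Every address the OS resolver returns for host (real DNS lookup)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def pin_destination(url, resolver=system_resolver):
    """Resolve the URL's host once and return (ip, port, host) or raise ValueError.
    The caller connects to the returned ip and sends host as the Host header;
    resolving the name again at fetch time is what DNS rebinding relies on.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname, port)]
    if not addrs:
        raise ValueError("host does not resolve")
    for ip in addrs:
        # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by its embedded IPv4 address.
        effective = getattr(ip, "ipv4_mapped", None) or ip
        if not effective.is_global:  # loopback, RFC 1918, link-local, ...
            raise ValueError(f"{parts.hostname} resolves to non-public {effective}")
    return str(addrs[0]), port, parts.hostname

# Constructed DNS answers so the example runs offline (hypothetical names).
SAMPLE_DNS = {
    "127.0.0.1.nip.io": ["127.0.0.1"],        # the wildcard name from the note
    "files.example.com": ["93.184.216.34"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
    "mapped.example.com": ["::ffff:127.0.0.1"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])

def check(url):
    try:
        return pin_destination(url, sample_resolver)
    except ValueError as exc:
        return f"blocked: {exc}"

if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, "->", check(f"http://{name}/"))
```

A name is rejected if any of its answers is non-public, so a record set that mixes a public and an internal address does not pass on the strength of the first entry.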
ThreadHub is a SaaS platform for private team conversations. Each company (tenant) gets its own subdomain and can configure a custom enterprise domain for branding.
The platform offers:
- Private threads between team members
- Attachment system with ability to reference existing files
- Custom domain configuration for enterprise customers
As a security researcher, your task is to test the application's security mechanisms.
Obtain the flag in format mgsy.dev{FLAG} from the endpoint:
http://127.0.0.1:8080/internal/config
Add entries to your hosts file:
Linux/macOS: /etc/hosts
Windows: C:\Windows\System32\drivers\etc\hosts
127.0.0.1 threadhub.lab
127.0.0.1 acme.threadhub.lab
docker compose up --build
Application: http://acme.threadhub.lab
Did you enjoy the lab? Stuck on something? Have ideas for improvements or just want to share your experience? I'd love to hear from you - drop me a line at kacper@mgsy.dev