July 10, 2026
“screenshot” | CyberTalents | Bypass SSRF filters using PHP wrappers| Web Exploitation : Hard
Exploiting SSRF vulnerability, bypassing hostname filters, and leaking source code using PHP wrappers to capture the flag.

By Dr_ro0t
2 min read
Challenge description
Developer is generating screenshots using internal api servers , flag is the front server hostname (not the api hostname) , can you extract it ??"
screenshot - Web Security challenge - Developer is generating screenshots using internal api servers , flag is the front server hostname (not the api…
Writeup Agenda
- Before We Go
- Attack Scenario
- Lab Solution
Before We Go
SSRF Exploitation Types:
1) Need to reach hidden host?
→ URL parser bypass
→ @, #, encoding
Example:
trusted.com@localhost
2) Can reach host but need source code?
→ Abuse the protocol handler / wrapper
Example:
php://filter/convert.base64-encode/resource=SSRF Exploitation Types:
1) Need to reach hidden host?
→ URL parser bypass
→ @, #, encoding
Example:
trusted.com@localhost
2) Can reach host but need source code?
→ Abuse the protocol handler / wrapper
Example:
php://filter/convert.base64-encode/resource=Attack Scenario
- We will check the internal request and change it to http://127.1 , after that we will find that the server is white list based input filter.
- We will not use @ and #, since we already access the internal servers, but what we want is to access the internal files.
- So we will use PHP Wrappers and we will search about the index page.
- We will use gobuster and we will find it index.php.
- With PHP Wrappers, we will use Path Traversal because now we will access the internal sources of the server.
- Finally instead of http://internalapi1.local we will write php://filter/convert.base64-encode/resource=internalapi1.local/../index.php
- We will access the image path , then we will find it can't be displayed in the browser
- So we will download it using wget
./start.sh
┌──(Dr_ro0t㉿kali)-[~/CyberTalents/Writeups]
└─$ ./start.sh
██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ████████╗
██╔══██╗ ██╔══██╗ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██║ ██║ ██████╔╝ ██████╔╝██║ ██║██║ ██║ ██║
██║ ██║ ██╔══██╗ ██╔══██╗██║ ██║██║ ██║ ██║
██████╔╝ ██║ ██║███████╗██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
>> Dr_ro0t <<
root@writeup:~# SSRF Exploitation Started...┌──(Dr_ro0t㉿kali)-[~/CyberTalents/Writeups]
└─$ ./start.sh
██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ████████╗
██╔══██╗ ██╔══██╗ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██║ ██║ ██████╔╝ ██████╔╝██║ ██║██║ ██║ ██║
██║ ██║ ██╔══██╗ ██╔══██╗██║ ██║██║ ██║ ██║
██████╔╝ ██║ ██║███████╗██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
>> Dr_ro0t <<
root@writeup:~# SSRF Exploitation Started...Lab Solution
So, we will use PHP wrappers
But before use it, we will use gobuster to find the index page
We will use PHP Wrappers now with path traversal, so we change the path from http://internalapi1.local to php://filter/convert.base64-encode/resource=internalapi1.local/../index.php
We will decode it using CyberChef
./finish.sh
┌──(dr_ro0t㉿kali)-[~/CyberTalents/Writeups]
└─$ ./finish.sh
██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ████████╗
██╔══██╗ ██╔══██╗ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██║ ██║ ██████╔╝ ██████╔╝██║ ██║██║ ██║ ██║
██║ ██║ ██╔══██╗ ██╔══██╗██║ ██║██║ ██║ ██║
██████╔╝ ██║ ██║███████╗██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
>> dr_ro0t <<
root@writeup:~# Writeup Completed Successfully...
[+] Vulnerability Explained
[+] Exploitation Completed
[+] Flag Captured
[+] Mission Finished
Thanks for reading :)
-- dr_ro0t┌──(dr_ro0t㉿kali)-[~/CyberTalents/Writeups]
└─$ ./finish.sh
██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ████████╗
██╔══██╗ ██╔══██╗ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██║ ██║ ██████╔╝ ██████╔╝██║ ██║██║ ██║ ██║
██║ ██║ ██╔══██╗ ██╔══██╗██║ ██║██║ ██║ ██║
██████╔╝ ██║ ██║███████╗██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
>> dr_ro0t <<
root@writeup:~# Writeup Completed Successfully...
[+] Vulnerability Explained
[+] Exploitation Completed
[+] Flag Captured
[+] Mission Finished
Thanks for reading :)
-- dr_ro0tI hope you like the solution :)
hack
eat
sleep
again :)