[SSRF] Unfurl - SNYK FTF 2025

Foreword - About the Competition

I recently got to jump into the Snyk Fetch The Flag CTF 2025, and let me tell you—it was incredible! Snyk, a company I’ve always looked up to for its passion for keeping the digital world safe, put together this amazing event with over 30 challenges that really tested my cybersecurity skills.

We’re talking web exploits, binary puzzles, cryptographic brain-teasers—the full sandbox! It was a blast to play in, and it seriously leveled up my tech game. Plus, as someone eyeing a role at Snyk, I was blown away by how this CTF showcased their commitment to fostering a tight-knit security community. I can’t wait to unpack one of my favorite challenges, “Unfurl”!

Lately, I’ve been grinding nonstop to sharpen my cybersecurity skills through courses and hands-on challenges like this. Truth be told, this was my first live CTF that I tackled seriously, and it was an absolute thrill—both for me and a good friend who joined the fun. Huge props to Snyk’s amazing team for building this platform; they’ve been at it for years, giving folks like me real-world experience that’s honestly priceless.

Intro to the challenge

Since I have recently been exploring a lot of web application pentesting and vulnerabilities in my journey, one challenge I found really fun and accessible to a beginner-to-intermediate audience was Unfurl. A few great things I noticed about how it was crafted (and in all honesty the whole CTF was crafted with the same mastery across all the other challenges) were that:

  1. It drops just enough hints for newbies to get started, yet still packs a punch to keep you puzzled.

  2. Like any top-tier CTF box, it offers multiple paths to crack it—super creative!

  3. Using the Snyk CLI and a developer-first mindset gave me a fresh angle on the vulnerability.

  4. Snyk Learn was a goldmine for brushing up skills before, during, and after—especially for digging into SSRF.

  5. I leaned on a few tools from my kit, but the beauty of “Unfurl” is its flexibility—you can solve it in tons of different ways!

Challenge Description

Short Disclaimer: I wrote this after solving “Unfurl” during the CTF. Want to try it? I’ll share the Docker setup below! (Snyk, sorry if I’m spilling too much—hope it’s cool!) Since this is based on a local server post-competition, the flag won’t match the official format. Expect something like flag{not_really_a_flag}—just a placeholder now that we’re off the live servers. Now that the short disclaimer is out of the way, let’s dig into the challenge itself!

Unfurl - Description

We've been working on a little side project - it's a URL unfurler! Punch in any site you'd like and you'll get the metadata, main image, the works. We're publishing it open source soon, so we figured we'd let you take a shot at testing its security first!

The challenge source code is available in the challenge.zip folder. The password is snyk-ftf-2025.

Use the Dockerfile to run a local instance of the challenge! To build and run the container, unzip the contents of the challenge.zip file and run:

docker build -t [challenge_name] . && docker run -it -p 5000:5000 [challenge_name]

Challenge Archive Link: [insert_link_here]

Useful resources to dig deeper into the challenge:

The Process

To get to the process quickly: I decided on the following order of steps, which proved really useful. Based on the recon insights I gathered, it didn’t take long to figure out where the weak point of the challenge was and how to address it:

  1. Run snyk test from the Snyk CLI to see whether Snyk’s tooling can identify something vulnerable.

  2. Then, reading through the source code, you can identify the really interesting part (it is even pointed out in the comments of the vulnerable code).

  3. After checking those, you realize that you have to scour ports 1024-5000 to figure out where the Admin Panel runs.

  4. Then running an nmap scan on ports 1-5000 will reveal the random port the Admin Panel is running on.

  5. Once we have found where the Admin Panel is running, we can go ahead and run our beautiful SSRF exploit.

  6. I then combined the SSRF exploit with OS Command Injection to check which files we could access and, of course, read them.
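The weak point above is that the unfurler fetches whatever URL it is given, so a request aimed at 127.0.0.1 on the right port reaches the Admin Panel that only listens locally. As an added example (not part of the original write-up or of the challenge’s own code, and assuming a Python service), here is the destination check such an unfurler needs: it resolves the user-supplied host and refuses any target that lands on a loopback, private, link-local or otherwise internal address.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip) -> bool:
    """True for any address a public URL unfurler must never fetch from."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_unfurl_target(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied unfurl URL.

    The host is resolved and EVERY resolved address is checked, so a name
    that maps to both a public and a loopback address is refused as well.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not a valid unfurl target"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except (ValueError, socket.gaierror) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for *_, sockaddr in infos:
        ip = ipaddress.ip_address(sockaddr[0].split("%", 1)[0])
        if _is_internal(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the first three model a fetch aimed at a
    # service bound to a local port; the last one is a public IP literal.
    for candidate in ("http://127.0.0.1:4242/admin", "http://[::1]:3000/",
                      "http://169.254.169.254/latest/", "http://93.184.216.34/"):
        print(candidate, "->", check_unfurl_target(candidate))
```

The same check has to be repeated for every redirect hop, since a public site can answer with a redirect to 127.0.0.1 and the fetcher would otherwise follow it.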

I hope you enjoyed going through this write-up as much as we enjoyed solving the Snyk Fetch The Flag 2025!

Stay tuned and check all the other write-ups, as I will post one for each of them. It might take a while, however, as I have a full-time job and am working to develop my cybersecurity skills, learning something new every day!
