Tags: web ssrf 

We achieve SSRF through webhooks and URL template string injection, using two `git-receive-pack` payloads. The first payload triggers a webhook, which we abuse through string template injection to make SSRF requests from 127.0.0.1, giving us admin. The body of that request is a second `git-receive-pack` payload that commits our own user account to the target private repository's `access.conf`.

Original writeup (https://larry.science/post/picoctf-2021/#bithug).
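
From the defender's side, the chain above depends on the webhook URL being checked before its template is expanded, and on requests from 127.0.0.1 being trusted. The following is an added sketch, not code from the challenge or the original writeup; the `{{name}}` placeholder syntax, the function names and the sample hosts are assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import quote, urlsplit

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")  # assumed template syntax


def expand_template(template, values):
    """Fill {{name}} placeholders, percent-encoding each value so user data
    cannot introduce '/', '@', ':', '?' or '#' into the final URL."""
    return PLACEHOLDER.sub(
        lambda m: quote(str(values[m.group(1)]), safe=""), template)


def resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_webhook_url(template, values, resolver=resolve):
    """Expand first, validate second. Returns (url, addresses) or raises
    ValueError. The caller should connect to one of the returned addresses
    and must not follow redirects without re-running this check."""
    url = expand_template(template, values)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in webhook URLs")
    addresses = set(resolver(parts.hostname))
    if not addresses:
        raise ValueError("host does not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # Treat ::ffff:127.0.0.1 the same as 127.0.0.1.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, private, link-local and
        # other reserved ranges.
        if not ip.is_global:
            raise ValueError(f"destination {text} is not a public address")
    return url, addresses
```

Rejecting loopback destinations is only half of the fix: granting admin based on a 127.0.0.1 source address is what turns the SSRF into a privilege escalation, so internal endpoints should authenticate callers as well.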