HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

LinkPeek — SSRF Intro

Difficulty: Beginner
Vuln class: Server-Side Request Forgery (SSRF)
Steps: 3
// Objective
Use the URL preview feature to make the server request an internal endpoint and retrieve the flag.
// Tools required
Browser, curl
// Step-by-step walkthrough
1. Understand the link preview feature
LinkPeek fetches URLs server-side to generate previews. Because the request originates from the server itself, it can reach internal addresses your browser cannot.
2. Test with localhost
Submit http://localhost in the preview field. If the server returns its own response, SSRF is confirmed.
Command / Input
http://localhost
You should see the app's own homepage content reflected in the preview.
3. Reach the internal flag endpoint
Try the internal config endpoint on port 8080 — commonly used for internal admin APIs.
Command / Input
http://localhost:8080/flag
Output
HackrGG{ssrf_1ntr0_r34ch3d_1nt3rn4l}
// Flag
Flag value
HackrGG{ssrf_1ntr0_r34ch3d_1nt3rn4l}
Returned by the internal /flag endpoint at localhost:8080.