# Triskel 1: First Contact ## Problem Coronavirus affected our airport so much that our dev team developed an app to keep track of it! I mean they didn't have much time to make it, but what could go wrong? by Remsio ## Solution Pivoting from the previously found IP address, we scan this IP address to find that there is a HTTP service running on it. ![](/files/-MaRLbmTQfQpoCJTtEEN) This seems to be the app that the challenge is talking about. ![](/files/-MaRLfge5NgG68-RKbJ2) While fuzzing the input, I found that it uses curl. ![](/files/-MaRLhxvhXm6WZIu3gb9) Additionally, it appears that the IP address in the URL is checked against a whitelist of allowed IP ranges. These were 10.0.0.0/24, 10.0.42.0/24, and 10.0.43/24. We can run a Burp intruder scan to find out what other hosts we can connect to through `10.35.2.134/call_api.php`. Indeed, on scanning the `10.0.42.0/24` network, we find `10.0.42.2` and `10.0.42.200` is a valid endpoint. ![](/files/-MaRMgV-Us1qGH3jdAol) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ctf.zeyu2001.com/2021/norzhctf-2021/triskel-1-first-contact.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.