Star Cereal 2
Spoofable client IP address, SQL injection vulnerability
Description
Ha, that was sneaky! But I've patched the login so that people like you can't gain access anymore. Stop hacking us!
http://20.198.209.142:55045
The flag is in the flag format: STC{...}
Author: zeyu2001
Solution
In index.php, notice the following comment
Point 1) is referring to the previous challenge. Point 2) is interesting.
If we go to login.php, we get a 403 Forbidden Page:
Spoofable Client IP
We could deduce that perhaps the server filters requests by the client IP.
If we do a scan (e.g. using Burp Suite Intruder) for the 172.16.2.0/24 subnet with the X-Forwarded-For header, we would find that if we set:
then we would see the login page.
Burp Suite Intruder Scan
First, set the payload position as follows:
Then, configure the payload as a list of numbers from 1 to 255.
Run the attack. Sort the output by either the Status or Length columns. We will find that X-Forwarded-For: 172.16.2.24 gives us a 200 OK response code, and shows us the login page.
SQL Injection
Once we have access to the login page, notice the login form fields.
We need to submit an email and a pass parameter. We can exploit SQL injection to get the flag.
The flag is STC{w0w_you'r3_r3lly_a_l33t_h4x0r_bc1d4611be52117c9a8bb99bf572d6a7}.
Last updated
Was this helpful?
