Description: Cool haxxorz only
Challenge author: Jordan Bertasso
Category: Web (Beginner)
Source code: https://github.com/DownUnderCTF/Challenges_2023_Public/tree/main/web/grades-grades-grades
Basic Recon
When we initially load up the website, we see:
It seems we can only reach it if we have a “trusted ip”.
Source Code Review
Looking at the source code, it seems to only accept requests from the IP address 31.33.33.7. It also seems that the HTTP “X-Forwarded-For” header is supported when determining the client's address.
A quick Google search for the “X-Forwarded-For” header shows that it is an HTTP header used to identify the originating IP address of a client that connects through a proxy.
Source: https://en.wikipedia.org/wiki/X-Forwarded-For
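To make the bug concrete, here is an added example (not the challenge's own source) of the vulnerable allowlist check that trusts the header as sent, next to a hardened version that only honours X-Forwarded-For when the TCP peer is a known reverse proxy; the proxy address 10.0.0.2 and the client addresses are constructed placeholders.

```python
import ipaddress

# Allowlisted address from the challenge write-up
ALLOWED_IP = ipaddress.ip_address("31.33.33.7")
# Assumed address of our own reverse proxy (constructed placeholder)
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip_naive(remote_addr, xff):
    """Vulnerable pattern: believes whatever the request put in X-Forwarded-For."""
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Walk the X-Forwarded-For chain from the right.

    Each hop was appended by the proxy to its right, so a hop is only
    believable if that proxy is one we operate. The first untrusted
    address seen from the right is the real client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return peer  # direct connection: header is client-controlled, ignore it
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the last trusted peer
        if addr not in trusted_proxies:
            return addr
        peer = addr
    return peer


def is_allowed(ip):
    """Allowlist decision made on the resolved client address."""
    return ip == ALLOWED_IP
```

With a spoofed header arriving directly from 203.0.113.9, the naive check resolves to the allowlisted address while the hardened one keeps the real peer; behind the trusted proxy, which appends the true client address, the spoofed leftmost entry is never reached.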
Exploit
Now, looking at the HTTP request used to reach the website, we see a basic GET request.
We try adding the “X-Forwarded-For” header to it with the IP 31.33.33.37.
And we get the flag!