Daniel Lowrie
This episode of CTF Walkthrough features a straightforward boot-2-root challenge. This is a story as old as time.
Boy meets girl (Bob & Alice).
They fall in love.
A girl is offered a job in a suspiciously corrupt corporation.
Shady-corp brainwashes girl.
Boy hires a hacker for access to shady-corps to find out what’s going on with his lady!
It’s something I’ve seen a thousand times.
Let’s now see if Bob can save Alice from this evil scourge. Enjoy the music.
If you would like to join me on this journey, the CTF is available here.
To find out which services are running, I start with an Nmap scan: an aggressive scan of all ports first to see what is listening, then a second scan against only the open ports. The first scan found ports 22 and 80, so the second targets just those two.
We have only just begun, so there isn’t much output yet. It’s time to dig deeper with more scanning and enumeration.
Let’s get Nikto out of retirement and see what it can tell us about the target.
OK, great! There are some interesting entries. I quickly add a note to my working documentation to make sure we don’t forget them, and then I move on with directory fuzzing using GoBuster.
GoBuster doesn’t reveal anything that we don’t already know. I think it’s time to visit the website of these evil monsters!
It’s so easy, isn’t it? Okay, it’s personal. We were hackers-for-hire before, but you poked the wrong bear! Let’s look behind the curtain, and see the page source-code.
A HINT! It’s a good tip, too, considering that I don’t know much about X-Forwarded-For beyond the fact that it’s an HTTP header. These people might not be so bad after all. Perhaps we have been too harsh with them and they are misunderstood. Maybe they’re the DEVIL! Let’s move on.
I decided to follow the advice of the hint and google-searched X-Forwarded-For. This site gave me a good explanation of the header’s purpose.
It looks like it’s used when a client connects through a proxy. The proxy takes the client’s IP address, stuffs it into the header, and appends its own address. This allows the site to receive traffic through a proxy while still identifying the client IP.
According to this website by Sjoerd Langkemper, “Some web applications allow you to restrict access based upon the IP address of the visitor.” This is especially common for administrator interfaces, and it is a good idea for administrators to limit access to such an interface to the IP addresses that actual administrators use. To implement this, the web application checks the REMOTE_ADDR value that the web server passes through to it.
Then it goes on to say…
“The X-Forwarded-For header is typically set by a proxy. However, it can also be added to by an attacker. An attacker can spoof an IP address by adding his own X-Forwarded-For header. An attacker can bypass the IP block by adding an allowed IP address to the header.”
This seems to be exactly the information we are looking for! Remember that the hint indicated this site could only be accessed locally. It’s time to review our request history.
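The bypass described in the quoted passage works because the application reads the client address from a header that anyone can set. As an added example (not part of the walkthrough or the CTF’s own code), here is a minimal Python model of that allow-list check beside a hardened version that only honours X-Forwarded-For when the direct peer is a known proxy; the proxy address and allow-list are constructed values.

```python
"""Vulnerable vs. hardened IP allow-list checks (added example, constructed values)."""
import ipaddress

# Constructed allow-list: loopback plus an internal admin range.
ALLOWED_CLIENTS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
# Constructed: the only reverse proxy that legitimately sits in front of the app.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def _is_allowed(addr: str) -> bool:
    """True if addr parses as an IP inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_CLIENTS)


def naive_is_admin_allowed(remote_addr: str, headers: dict) -> bool:
    """Vulnerable check, modelled on the CTF behaviour: if X-Forwarded-For is
    present it wins over REMOTE_ADDR, and the literal string "localhost" is
    accepted. Any client can set the header, so the allow-list is bypassable."""
    xff = headers.get("X-Forwarded-For")
    client = xff.split(",")[0].strip() if xff else remote_addr
    return client == "localhost" or _is_allowed(client)


def hardened_is_admin_allowed(remote_addr: str, headers: dict) -> bool:
    """Hardened check: honour X-Forwarded-For only when the TCP peer is a trusted
    proxy, and then use the rightmost hop (the one that proxy appended), ignoring
    any values the client itself placed in the header."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if peer not in TRUSTED_PROXIES:
        # Direct connection: the header is attacker-controlled, so ignore it.
        return _is_allowed(remote_addr)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return False  # the proxy always appends a hop; absence is a misconfiguration
    return _is_allowed(hops[-1])
```

The naive check accepts a remote client that sends `X-Forwarded-For: localhost`; the hardened one does not, and still admits a real internal client arriving through the trusted proxy.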
I forgot to mention that I almost ALWAYS proxy all my web traffic through Burp Suite. This allows me to easily see the requests and responses from sites I interact with, and then quickly adjust my requests to see what happens. It also keeps a history, which allows you to see the logical sequence of events and go back without needing to revisit a page.
Back to the story.
Here is the request/response to the site without the X-Forwarded-For header.
And here it is after adding the X-Forwarded-For header.
John “Hannibal” Smith immortalized it as “I love when a plan comes together.”
Here is what we did: by adding localhost to the X-Forwarded-For header, we tricked the system into believing the originating IP was the trusted/white-listed local machine.
The request was then redirected (note the 302 response) to “page=index”.
Cool! We are making progress. We’ll see what this brings.
Turn on Burp Intercept.
Browse to the target IP in your web browser.
When the request is intercepted, add the header “X-Forwarded-For: localhost” and press “Forward”.
When the redirect to “?page=index” is intercepted, add “X-Forwarded-For: localhost” again.
We are now able to access “Ceban Corp”’s hidden web portal.
A minor celebration dance break is standard. I’ll wait.
We are glad to have you back.
Although we have made great progress, it is frustrating that we have to intercept every request with Burp just to add the right header.