README - Web

Task

Read me if you can!! NB: There is no need to do bruteforce. Target: http://66.228.53.87:8989/

Solution

We get the following IP address with port:

http://66.228.53.87:8989/

The following page is located at the address we received:

Let's first try to read the text.txt file by entering its name in the text box and clicking the Read button:

The website responds that the file could be read. Let's try the same with the flag.txt file:

We receive a 403 Access Denied message. Let's move to Burp Repeater. The GET request for the flag.txt file is as follows:

The 403 Access Denied response was returned in JSON format. A 403 returned as JSON may indicate that we should use one of the techniques for bypassing 403 and 401 responses. Some of these techniques can be found on HackTricks:

One such technique is HTTP Headers Fuzzing. We will try to add to our GET request the following headers:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
Host: localhost

After adding the X-Forwarded-For: 127.0.0.1 header and sending the GET request, the following flag is returned:

Flag:

KCTF{kud05w3lld0n3!}
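
Why the header worked and how to close the hole, as an added example that is not part of the original write-up or the challenge's code. It assumes the server allowed flag.txt only for localhost and took the client address from X-Forwarded-For; the function names, the 10.0.0.0/8 proxy range and the sample requests are hypothetical.

```python
import ipaddress

# Assumption: reverse proxies we operate; only these may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_naive(peer_ip, headers):
    """Vulnerable: believes whatever the request claims about its origin."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def _is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(peer_ip, headers):
    """Use the header only when the TCP peer is a trusted proxy, then walk
    the chain right to left and return the first hop that is not a proxy."""
    if not _is_trusted_proxy(peer_ip):
        return peer_ip  # direct connection: the header is client-controlled
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the socket address
    return peer_ip


def may_read_flag(client_ip):
    """Localhost-only rule, as the challenge appears to enforce (assumption)."""
    return ipaddress.ip_address(client_ip).is_loopback


# Constructed sample requests: (socket peer address, request headers)
DIRECT_SPOOFED = ("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
VIA_PROXY_SPOOFED = ("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"})

if __name__ == "__main__":
    for peer, hdrs in (DIRECT_SPOOFED, VIA_PROXY_SPOOFED):
        print(peer, hdrs,
              "naive:", may_read_flag(client_ip_naive(peer, hdrs)),
              "hardened:", may_read_flag(client_ip_hardened(peer, hdrs)))
```

The naive resolver grants access for both sample requests; the hardened one resolves both to 203.0.113.7 and denies them, because a value supplied by the client is never the rightmost untrusted hop.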
