summary

HackTheBox Website CTF shooting range Web Related topics baby CachedView, Title address https://app.hackthebox.com/challenges/baby-cachedview, The main investigation is IP Bypass ideas of address restrictions .

subject

Title Overview

The title provides attachment download , After decompression, as shown in the figure

The main idea of the title prompt is that after experiencing a security accident, the service of the website is based on IP Address restrictions .

After opening the program instance , Prompt to visit 138.68.142.134:31643, visit http://138.68.142.134:31643, See the following Web Interface

see requirements.txt, Found as Flask application

Flask
selenium

Source code

routes.py

from flask import Blueprint, request, render_template, abort, send_file
from application.util import cache_web, is_from_localhost

web = Blueprint('web', __name__)
api = Blueprint('api', __name__)

@web.route('/')
def index():
    return render_template('index.html')

@api.route('/cache', methods=['POST'])
def cache():
    if not request.is_json or 'url' not in request.json:
        return abort(400)

    return cache_web(request.json['url'])

@web.route('/flag')
@is_from_localhost
def flag():
    return send_file('flag.png')

You can see in the route /flag route , This route has two decorators , Which USES util.py

util.py

Source code analysis

The source code submitted on the front page of the target , from /cache Respond to , after cache_web Function returns the result after processing , stay cache_web In function IP Address restrictions , It's mainly about 127 Network segment 、172.16 Network segment 、192.168 Such as the restriction of Intranet segment .

And if you visit /flag route , Will be in the decorator check_ip Handle , If it's not a local address （127.0.0.1） Will be banned .

Practical verification , First, enter... In the input box http://138.68.142.134:31643/flag, Triggered check_ip The inspection of

If you enter... In the input box http://127.0.0.1:31643/flag, Triggered cache_web The inspection of , Tips IP not allowed

Their thinking

Deploy on the cloud server Web service , The input address in the input box is the ECS address , adopt cache_web The inspection of , And on the server Web Content for local access flag

Question answer

Deploy on the cloud server index.html, The content is

<meta http-equiv="refresh" content="0; URL=http://127.0.0.1:31643/flag" />

Enter the ECS address in the input box

obtain flag