actually-proxed

Challenge Description

Challenge Attachment

Let's send the request to Burp Repeater.

Let's view the source code.

The secret server code is the same as in the previous challenge, proxed,

which treats every originating IP other than 31.33.33.7 as untrusted.

Let's try to set the originating IP to 31.33.33.7 using the X-Forwarded-For header.

But it didn't work.

This is because of the reverse proxy in front of the secret server, which rewrites the value of the X-Forwarded-For header so that it carries the clientIp the proxy itself observed on the connection; the value we supplied no longer arrives on its own.

The purpose of the code inside the red rectangle is to modify the X-Forwarded-For header of the incoming HTTP request so that it includes the client's IP address.

Here's what it does:

  1. It loops through the headers slice, which holds pairs of HTTP header names and values.

  2. For each header, it checks whether the header name, lowercased with strings.ToLower(v[0]), equals the string "x-forwarded-for", i.e. a case-insensitive match.

  3. If it finds a match, it rewrites the header value to include the client's IP address. It uses fmt.Sprintf to build the new value as a comma-separated list of IP addresses, with the client's IP followed by whatever value the header already had.

  4. The loop terminates as soon as it has found and modified one X-Forwarded-For header.

Since the loop terminates after the first match, if we add the X-Forwarded-For header multiple times, only the first occurrence is rewritten; every later occurrence is never checked or modified by the proxy and is forwarded to the secret server exactly as we sent it.

This way the unmodified copy still carries 31.33.33.7 as the originating IP, so we are no longer blocked and eventually get the flag.
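To make the bug concrete, here is an added reconstruction of the header loop described above, written for this writeup and not taken from the challenge's source. It rebuilds the flawed loop next to a version that handles every occurrence, and shows what the backend would receive for a request that carries X-Forwarded-For twice. The header pair shape, the exact fmt.Sprintf format string and the sample client address 203.0.113.5 are assumptions; the writeup only states that the client IP is placed in front of the existing value.

```go
package main

import (
	"fmt"
	"strings"
)

// Header is a name/value pair, the shape the writeup attributes to the proxy's
// headers slice: v[0] is the header name, v[1] its value.
type Header [2]string

// rewriteForwardedForFlawed reconstructs the loop described in the writeup:
// it rewrites the first X-Forwarded-For header it meets and then breaks out,
// so any later X-Forwarded-For header reaches the backend untouched.
// The "%s, %s" format (client IP first) is an assumption based on the text.
func rewriteForwardedForFlawed(headers []Header, clientIP string) []Header {
	out := append([]Header(nil), headers...) // copy so the input is not mutated
	for i, v := range out {
		if strings.ToLower(v[0]) == "x-forwarded-for" {
			out[i][1] = fmt.Sprintf("%s, %s", clientIP, v[1])
			break // the bug: remaining occurrences are never visited
		}
	}
	return out
}

// rewriteForwardedForFixed visits every header: all client-supplied
// X-Forwarded-For values are dropped and collapsed into a single header that
// starts with the proxy-observed client IP, so no unmodified copy can slip past.
func rewriteForwardedForFixed(headers []Header, clientIP string) []Header {
	out := make([]Header, 0, len(headers)+1)
	var supplied []string
	for _, v := range headers {
		if strings.ToLower(v[0]) == "x-forwarded-for" {
			if s := strings.TrimSpace(v[1]); s != "" {
				supplied = append(supplied, s)
			}
			continue // drop every copy; one merged header is re-emitted below
		}
		out = append(out, v)
	}
	value := clientIP
	if len(supplied) > 0 {
		value = clientIP + ", " + strings.Join(supplied, ", ")
	}
	return append(out, Header{"X-Forwarded-For", value})
}

// forwardedForValues returns every X-Forwarded-For value the backend would
// receive, in order, so the two proxy behaviours can be compared.
func forwardedForValues(headers []Header) []string {
	var vals []string
	for _, v := range headers {
		if strings.ToLower(v[0]) == "x-forwarded-for" {
			vals = append(vals, v[1])
		}
	}
	return vals
}

func main() {
	// Constructed request: the attacker's real address is 203.0.113.5 and the
	// request carries the X-Forwarded-For header twice, as in the bypass.
	req := []Header{
		{"Host", "actually-proxed.example"},
		{"X-Forwarded-For", "31.33.33.7"},
		{"X-Forwarded-For", "31.33.33.7"},
	}
	clientIP := "203.0.113.5"
	fmt.Println("flawed proxy:", forwardedForValues(rewriteForwardedForFlawed(req, clientIP)))
	fmt.Println("fixed proxy: ", forwardedForValues(rewriteForwardedForFixed(req, clientIP)))
}
```

Against the flawed loop the backend sees two values, "203.0.113.5, 31.33.33.7" and a pristine "31.33.33.7"; against the fixed loop it sees exactly one header that always starts with the proxy-observed address. In Burp Repeater this is simply a matter of adding the X-Forwarded-For line twice. The flag text points at the same lesson: Go's standard library httputil.ReverseProxy reads all prior values via req.Header["X-Forwarded-For"] and joins them before adding the client IP, so duplicate headers cannot sneak past it (note that it places the client IP last, so a backend behind it must trust the rightmost entry, not the leftmost).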

Flag

DUCTF{y0ur_c0d3_15_n07_b3773r_7h4n_7h3_574nd4rd_l1b}
