# Proxed

### <mark style="color:blue;">Challenge Description</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FZbzTxoJcZyR87mCrImlO%2Fimage.png?alt=media&#x26;token=e6d688a2-d47b-4deb-96c4-67699d065dc9" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Challenge Attachments</mark>

{% file src="<https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FvGdmdhhLyOlhqPTZLFA6%2Fproxed.tar.gz?alt=media&token=dc85124a-7dc9-48ff-a1eb-7a55db96a089>" %}

Solution in one line: add the header `X-Forwarded-For: 31.33.33.7` to the request.

Browsing to the website <http://proxed.duc.tf:30019/> returns a 403 Forbidden:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FegDV5QByCL2heF21zLjB%2Fimage.png?alt=media&#x26;token=61b08569-90a4-4f18-b48c-c6f4670d9d9e" alt=""><figcaption></figcaption></figure></div>

Let's send the request to Burp Repeater:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F2x0XZ7KVPN5clTI5aRJ7%2Fimage.png?alt=media&#x26;token=2c28f9b7-3550-4f42-b3f1-06301a03f2c6" alt=""><figcaption></figcaption></figure></div>

So the app only serves requests from a whitelist of allowed client IP addresses; we have to find out which IP is allowed.

We have the source code, so let's check it out (it's in the attached `proxed.tar.gz`).

Open this file:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FakKBlhR1LVLTk0m6t8F8%2Fimage.png?alt=media&#x26;token=0d704a63-ab50-4bfa-b03e-761451a78874" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FCHMlTJX21VaFwNh2Iwek%2Fimage.png?alt=media&#x26;token=3a3c9d06-204a-4edc-ae99-9ba3c05b3831" alt=""><figcaption></figcaption></figure></div>

Now that we have found the allowed IP address, we need a way to make the app believe the request comes from that address and bypass the 403 Forbidden.

Searching HackTricks for 403 bypass methods, we find a handful of HTTP headers (`X-Forwarded-For`, `X-Real-IP`, `X-Originating-IP`, and so on) that reverse proxies use to pass along the originating client IP. An app that reads such a header without a trusted proxy in front of it lets the client choose its own "source" address.

> Note that only `X-Forwarded-For` works here: the source code reads just this header to determine the originating IP address, so the other headers are ignored.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FLqBuqTb3PgSifVkChqfF%2Fimage.png?alt=media&#x26;token=68068f5b-dfcc-4601-a89d-58017d291e54" alt=""><figcaption></figcaption></figure></div>
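To make the bug concrete, here is an added example (not the challenge's own code) of an IP allowlist check that trusts `X-Forwarded-For` blindly, next to a hardened variant that only honours the header when the TCP peer is a known reverse proxy. The allowlisted address `31.33.33.7` comes from the challenge source; the trusted proxy address `10.0.0.2`, the attacker peer `203.0.113.5` and the request headers are constructed for the example.

```python
import ipaddress

# Allowlisted client address, as found in the challenge source.
ALLOWED_IPS = {"31.33.33.7"}

# Assumed address of the reverse proxy that is allowed to set X-Forwarded-For
# (hypothetical; the challenge has no such proxy, which is the whole bug).
TRUSTED_PROXIES = {"10.0.0.2"}


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower(), "")


def _parse_xff(value: str) -> list[str]:
    """Split 'a, b, c' into validated IP strings; raises ValueError on junk."""
    hops = [h.strip() for h in value.split(",") if h.strip()]
    return [str(ipaddress.ip_address(h)) for h in hops]


def client_ip_vulnerable(peer_addr: str, headers: dict) -> str:
    """What the challenge does: whoever sends X-Forwarded-For picks their own IP.

    Without a proxy in front of the app, the header comes straight from the
    client, so a spoofed value overrides the real TCP peer address.
    """
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip_hardened(peer_addr: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Only believe X-Forwarded-For if the TCP peer is one of our own proxies.

    Proxies append the address they saw to the right of the list, so the
    rightmost entries are the ones we control. Walk right-to-left and stop at
    the first hop that is not a trusted proxy: that is the real client. Any
    entries further left were supplied by the client and are ignored.
    """
    if peer_addr not in trusted:
        return peer_addr  # direct connection: the header is attacker-controlled
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer_addr
    try:
        hops = _parse_xff(xff)
    except ValueError:
        return peer_addr  # malformed header: fall back to the socket address
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return peer_addr


def is_allowed(ip: str) -> bool:
    """The allowlist check itself is fine; the bug is in how `ip` is derived."""
    return ip in ALLOWED_IPS


if __name__ == "__main__":
    # Constructed request: attacker at 203.0.113.5 connects directly and spoofs the header.
    spoofed = {"X-Forwarded-For": "31.33.33.7"}
    print("vulnerable:", is_allowed(client_ip_vulnerable("203.0.113.5", spoofed)))  # True
    print("hardened:  ", is_allowed(client_ip_hardened("203.0.113.5", spoofed)))    # False
    # Same spoofed prefix, but relayed through the real proxy, which appends the true peer.
    relayed = {"X-Forwarded-For": "31.33.33.7, 203.0.113.5"}
    print("via proxy: ", client_ip_hardened("10.0.0.2", relayed))  # 203.0.113.5
```

The hardened version is the standard pattern behind settings such as nginx's `set_real_ip_from`/`real_ip_header` or Express's `trust proxy`: the socket peer address is the only value the client cannot forge, so the forwarded header is trusted only as far as the chain of proxies you actually operate.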

Setting `X-Forwarded-For` to the allowed address `31.33.33.7` in Repeater makes the app treat the request as coming from that IP; the check passes and we get the flag.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fikju5urHE8vb7KSDypbu%2Fimage.png?alt=media&#x26;token=ca9cebd9-e730-4f29-bb50-57a581c14725" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Flag</mark>

```
DUCTF{17_533m5_w3_f0rg07_70_pr0x}
```
