Web - Server

Saturday 1 May 2021, 12:10  #1
Web - Server HTTP - IP restriction bypass
SarisinKurt
  • 1 posts

Hi all,

I wanted to ask for your help. I have been trying to solve this for a couple of hours now; can you please help me?

I think that I have to connect to the internal network but I don’t know how.

Saturday 8 May 2021, 14:35  #2
Web - Server HTTP - IP restriction bypass
PAranoidx0x0
  • 1 posts

Same question. Did you find a solution?

Sunday 30 May 2021, 16:20  #3
Web - Server HTTP - IP restriction bypass
Z£r0Day
  • 1 posts

Read the instructions very well, and also the related resource of the challenge.

Sunday 6 June 2021, 19:00  #4
Web - Server HTTP - IP restriction bypass
Samat_94
  • 1 posts

I have the same problem. Is the answer close to DNS?

Wednesday 7 July 2021, 08:27  #5
Web - Server HTTP - IP restriction bypass
beta
  • 1 posts

Yes, read page 6, last paragraph.

Thursday 9 September 2021, 20:02  #6
Web - Server HTTP - IP restriction bypass
humusk
  • 1 posts

Connecting to the challenge using their internal IP doesn’t work. Using a proxy to change your requests to act like you’re using the private DNS doesn’t work. Not sure what else to do; too bad none of the people who have done it are much help besides "read the description". Hopefully this level of ’help’ isn’t the norm on this site...

Sunday 12 September 2021, 13:27  #7
[Solved] Web - Server HTTP - IP restriction bypass
h4r5h
  • 2 posts

If anyone is still looking for the answer, I can help you. I was struggling for almost 2-3 days, but now I have solved it.
Here are some hints:
1. Search on Google how to bypass IP (Medium’s blog)
2. Use a proxy like Burp Suite
Final and main:
3. Check all requests are forwarded toward the server, so change which will make the request insecure
Hope you can solve it now.

Friday 17 September 2021, 18:25  #8
Web - Server HTTP - IP restriction bypass
kirby
  • 2 posts

Hi,
can you explain more what you did, please? I’m stuck also. I thought I was supposed to find the login information somewhere in the src, but I was wrong, and I don’t understand what you said you did.

Friday 17 September 2021, 21:28  #9
Web - Server HTTP - IP restriction bypass
kirby
  • 2 posts

I just looked at the blog and solved it, thanks.

Monday 10 January 2022, 14:35  #10
Web - Server HTTP - IP restriction bypass
Jatayu
  • 2 posts

Here is the problem I think exists with this challenge. The actual vulnerability is the concept of the intermediary proxy server and the web server’s reliance on the X-Forwarded-For header. Once you know this much, you can easily think how to at least make it theoretically work. All you need is a machine with a static IP which is under your control at your disposal, where you can run a dummy proxy server to receive the messages.
While doing these challenges, the assumption is that they are intended to help people learn. But the RFC document has no mention of any particular approach on implementation. It simply explains what it is. An experienced professional might already know this, but there is no point for them to attend these challenges except to feel good or refresh. This makes such challenges totally useless for learners like me. Yes, you might argue that this is what is expected in real-world circumstances, but we too know that. The whole point of using a site like this is to learn, and resources are expected to contain material which has some relation to what can be exploited.

Monday 10 January 2022, 14:39  #11
Web - Server HTTP - IP restriction bypass
Jatayu
  • 2 posts

And I have one question. In the blog it mentions that X-Forwarded-For also lists the proxy IP addresses through which the response will be forwarded until it reaches the intranet client. If so, can’t this vulnerability be fixed if the web server also has a whitelist of proxy server IPs? After all, these proxy servers too are owned by the organization. With that in place, can this setup be exploited in any way, or is it as secure as password-based authentication?
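
One way to implement the proxy allowlist raised in post #11, as an added example that is not part of the thread or of the challenge's own code: the server ignores X-Forwarded-For unless the TCP peer is a known proxy, then walks the header right to left past trusted hops. The addresses in `TRUSTED_PROXIES` and `INTERNAL_NETS` and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values: the organization's own proxies and intranet range.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.5/32", "10.0.0.6/32")]
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip, xff_header):
    """Return the address to base access decisions on, or None to fail closed.

    peer_ip is the TCP source address of the connection; xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving on a connection that is not from one of our proxies is
    # client-controlled data, so it is ignored entirely.
    if not xff_header or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    # Each proxy appends the address it received the request from, so only the
    # right-hand entries were written by our proxies. Walk right to left and
    # stop at the first address that is not a trusted proxy.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not _in_any(candidate, TRUSTED_PROXIES):
            break
    return candidate


def is_internal_request(peer_ip, xff_header):
    client = resolve_client_ip(peer_ip, xff_header)
    return client is not None and _in_any(client, INTERNAL_NETS)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For value)
    for peer, xff in [("203.0.113.9", "192.168.1.10"),
                      ("10.0.0.5", "192.168.1.10, 203.0.113.9"),
                      ("10.0.0.5", "192.168.1.20, 10.0.0.6")]:
        print(peer, repr(xff), "->", is_internal_request(peer, xff))
```

The result is only as reliable as the allowlisted proxies: each one has to append the real peer address, and the web server should not be reachable except through them.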

Thursday 2 June 2022, 18:07  #12
Web - Server HTTP - IP restriction bypass
PriiX
  • 2 posts

I have a question. I’ve done all that you said, but I have some trouble with method 2 on Medium’s blog (it doesn’t work on my Burp Suite). So can I solve this challenge with the first method, and what IP do I need to use? Because the localhost IP doesn’t work.

Thursday 7 July 2022, 06:37  #13
Web - Server HTTP - IP restriction bypass
rickroll
  • 1 posts

New guy here. I submitted my username and password and it says I can’t log in for some reason. Not sure what they mean by local IP. Do they mean an IP located at their business? Not sure exactly what to do.