R4t3 L1m1t Challenge Writeup — CTF
Hello, a little intro to me i am Vansh Devgan (known as th3pr0xyb0y) a security researcher , fullstack web developer , ctf player & bug-bounty course instructor. so this ctf challenge is very realistic as i was working on one VAPT project few days ago under my own firm(CyberXplore) and i found very interesting ratelimit bypass which led to site-wide ratelimit bypass so i decided to ask the developers what problem caused bypassing there ratelimit in a very weird way (not so much wierd i found the same bypass in some medium post few months back ) so as soon i got the problem i made up my challenge using nodejs (‘javascript is love’) . it’s enough about me & challenge . (still want to know more? jump to https://vanshdevgan.com)
Challenge Name — R4t3 L1m1t
Category — Web
Organizer — NoobArmy
EVENT — VULNCON CTF
Author — th3pr0xyb0y
Description — ‘Our Dev team is working on a super secure website. They protected the website with OTP verification but we don’t believe there methodology is secure enough . I want to access the admin Dashboard but i don’t know that secure OTP. I know Bug Hunter guys are awesome and probably they could help me’
Link — https://ratelimit.noobarmy.org
Solution — So if you look at challenge description it is very clear we need somekind of OTP to access admin dashboard maybe there we will find something to proceed further and it is exactly as it is in description we need to find valid OTP but on a website where Dev team is too smart to implement ratelimit let’s visit the link and have a look .
If we take a look at screenshot given above it seems really clear we are asked to Enter OTP & It’s Admin Dashboard (“given in title of webpage which apparently is not visible in above screenshot”) so what are we waiting for let’s fire our burspsuite → use intruder → and boom the flag ! (apparently that’s not simple as it seems ) .
Umm that’s interesting the author was smart enough to make different parameters for each number let’s making brute-force a little bit tricky for newbies but as i am peru hacker i know how to do it so let’s send this request to intruder → i will apply cluster bomb as i need 4 payloads → i will get the flag . apparently this won’t work as well let’s first check what response we are getting (see below)
umm if we look clearly at response we are getting {“msg”:”Your Flag Is L0L”} and some very bad headers —
X-Powered-By: Express → It shows we are using nodejs as backend
X-RateLimit-Limit: 10 → it shows we have only 10 valid request before we get ratelimited
X-RateLimit-Remaining: 9 → it shows only 9 more requests are remaining before we make you cry
Date: Sun, 20 Dec 2020 07:25:36 GMT → Normal Date
X-RateLimit-Reset: 1608449300 → Time in Epoch Format When It Will Reset & Again Give You 10 More Requests(“it’s 3 minutes after you got ratelimited ”)
So we can’t even brute-force so here we need to see how come we bypass ratelimit so by googling and reading some awesome write-ups most of you might have found headers listed below
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwared-Host: 127.0.0.1
#or use double X-Forwared-For header
X-Forwarded-For:
X-Forwarded-For: 127.0.0.1
Let’s try anyone of them and see what we are getting
so let me make it clear here try any X-Header You Will Get Same Response L0l What The Hack :( now think a little bit more . I have one question if you are developer will you ever send password/otp or sensitive information in GET request? here it is let’s try with POST (as it is secure and developers are smart too) read Description again which is given belown
‘Our Dev team is working on a super secure website. They protected the website with OTP verification but we don’t believe there methodology is secure enough . I want to access the admin Dashboard but i don’t know that secure OTP. I know Bug Hunter guys are awesome and probably they could help me’
Umm that’s bad how-come i missed a hint whatever let’s see the request now
So we got this {“msg”:”Why Are You Trying To Bypass Me :( Using X-Forwarded-For I Am Protected <br> Invalid OTP”} (ohh god developers are smart enough to secure it using headers as well) so what else is possible ?
1- IP Rotation On This Post Request With Or Without X-Forwarded-For ?
2- Bypassing Rate Limit On This Post Request ?
So Method 1 is not an traditional way of doing bypass (as we forgot to protect it from ip based ratelimiting which we did protect in our second challenge) and this bypass was not the legit way and Wait! sometime you aren’t getting flag even after ratelimit bypass it’s not that easy
So Method 2 is the traditional way but what’s the bypass so let me tell you guys if you tried dirtcory bruteforcing you might get some random texts bank in response but unfortunately your directory bruteforce didn’t involved bruteforcing the same endpoint in case sensitive way let’s see what i meant
ShoutOut To My Tool — Do Checkout SubBuster https://subbuster.cyberxplore.com [Not Related to This CTF Just A ShoutOut]
let’s do directory bruteforce and see what we are getting
Umm again it also has ratelimit of 100 requests and random responses so it’s a trap let’s see directory bruteforce on POST Request
wtf Man! this challenge is not solvable (author- it is solvable buddy) so look one thing very carefully you tried everything but didn’t played with given endpoint let’s see given gif below
Finally ! I found ratelimit bypass on POST Request by using anyone character as uppercase in endpoint (do note in case of get request it still shows random text and rate limit). so it means any endpoint case (uppercase+lowercase or uppercase except only lowercase[‘/endpoint’] ) will bypass ratelimit wtf man! i had never seen it (yes it happens developers when using case sensitive endpoints they forget to implement ratelimit on each case you will find article reference at end of this post .
Wait challenge is not over yet ! so now am gonna bruteforce it using intruder → doing clusterbomb → let’s see it well
Hey Buddy i was able to bypass ratelimit bruteforced all combinations but i got no flag i think you challenge is broken(“author : lol try harder”) so here is final key to the answer i made the content length of valid and invalid otp same to create a deception to an attacker that he might never know that flag was in front of his eyes and he still can’t see it.
Wait ! if content-length is for invalid and valid OTP how do we solve it ?
Solution — A simple one will be save burp responses in a file and grep for “vulncon{“ and the traditional way would be that you need to create a python script which checks response value if it is same as Invalid Response then skip otherwise print it this logic will get you flag.
Check exploit.py file given below note wordlist.txt contains all possible combinations of 4 digit number
You can generate wordlist it using
for i in {1000..9999}; do echo $i; done | tee wordlist.txt
Flag : vulncon{r4t3_l1m1t_byp4$$_1$_$0_c0000l}
Any Other Way To Solve This Challenge ?
Yes even on post request at ‘/enterotp’ endpoint you can get the flag with IP Rotation technique which is not traditional way but there also content length plays a good role so player needs to use proxies to fetch responses and grep them or create a python exploit using proxies . but it is an untraditional way .
Reference : https://dzone.com/articles/expressjs-preventing-common-vulnerabilities-in-the [Explaining Case Sensitive Nature]
That’s all from my side ! thanks for taking out time and giving it a read some claps would be really appreciated .
Follow me on social media :
Twitter @th3pr0xyb0y
Facebook @vanshdevgan0221
Instagram @vanshdevgan
More about me on https://vanshdevgan.com
Have a Great Day :)