A writeup for the web challenge Traveler from AtHack CTF Quals 2021.
Published on November 21, 2021 by 0xRar
1 min READ
Travelerfrom AtHack CTF Quals 2021
Ready for a quick external assessment?
When we go to the link we get:
From first sight we knew it was a bypass challenge, because also the admins confirmed it they said “do not waste your time by directory bruteforcing” so we need to bypass the 403 Forbidden status code somehow.
what i did at first is i tried couple of ways to bypass the 403 Status Code this github repo was of good use “How To Hunt:Status_Code_Bypass” until i stumpled upon this “403 & 401 Bypasses CheatSheet” and i already tried changing the request methods and the basic http headers like
X-Forwarded-For: and the the site had path protection so adding
X-Original-URL: /admin would be a good choice as the bypasses CheatSheet says.
so the bypass worked by adding the header
X-Original-URL: /admin to our request initialy giving us access to an input that requests a filename by the looks of it with the parameter:
filename= so for this part of the challenge its kinda guessable that the input is vulnerable to LFI the real question is there any filtering?
and the answer to that is yes there is a filter that replaces
../ appearnatly so any payloads that can bypass this filter can work, after trying multiple locations i tried