Health care

Adarsh Kumar
3 min read · Mar 20, 2024


Description

You finally come across a unique health care application. Everyone has tried their best to get info from it, but no one has been able to get anything useful. It always makes silly excuses. Can you help us?

Solution

Upon launching the application, we were greeted with a familiar login button, leading us to a portal guarded by credentials. Employing the default admin credentials (admin:admin), we gained access to the inner sanctum.

Our journey took an intriguing turn upon discovering a tantalizing option labeled “Flag” in the sidebar. However, our initial attempts were thwarted with a terse message, “No Flag For You!”

Undeterred, we turned to BurpSuite, a tool renowned for its prowess in dissecting web requests. Through meticulous analysis, we uncovered a series of security checks meticulously woven into the application’s fabric.

Our first hurdle involved masquerading our browser identity as “pentabrowser,” a phantom entity seemingly unknown to the digital world. By manipulating the User-Agent header, we seamlessly bypassed this obstacle.

Yet, our progress was impeded once more by a cryptic error message: “Access denied. You are not coming from our local server.” Unraveling this enigma revealed the application’s reliance on the Referer header. By setting it to “http://localhost”, we seamlessly circumvented this defense mechanism.

However, the application’s guardians remained vigilant, hurling yet another challenge our way: “Access denied. Please use a proxy, your request should originate from 169.172.18.9.” Undeterred, we wielded the X-Forwarded-For header as our weapon of choice, masking our origins with precision.

With each hurdle cleared, our resolve only grew stronger. As we pressed on, we encountered further trials, each requiring adept manipulation of HTTP headers. From satisfying proxy server requirements with the Age header to orchestrating a symphony of requests, our journey was fraught with challenges.
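The checks described above, modelled in Python as an added example (this is not code from the write-up or from the challenge itself). The weak gate reproduces the four header checks the application applies, and the hardened gate shows why they fail as access control: User-Agent, Referer and X-Forwarded-For are all written by the client. Header names, the expected values and the error messages come from the post; the Age check (presence only), its error message, the `Connection` class, `TRUSTED_PROXIES`, `FLAG_PLACEHOLDER` and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values taken from the write-up; everything else in this file is assumed.
REQUIRED_UA = "pentabrowser"
REQUIRED_REFERER = "http://localhost"
REQUIRED_ORIGIN_IP = "169.172.18.9"
FLAG = "FLAG_PLACEHOLDER"  # placeholder; the real flag is only in the write-up


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _xff_chain(headers: Dict[str, str]) -> List[str]:
    """Split X-Forwarded-For into its comma-separated hops."""
    raw = _lower(headers).get("x-forwarded-for", "")
    return [hop.strip() for hop in raw.split(",") if hop.strip()]


def weak_flag_gate(headers: Dict[str, str]) -> str:
    """Model of the challenge's checks. Every input is client-controlled,
    so each check is passed by editing the request, as the write-up shows."""
    h = _lower(headers)
    if REQUIRED_UA not in h.get("user-agent", ""):
        return "No Flag For You!"
    if h.get("referer") != REQUIRED_REFERER:
        return "Access denied. You are not coming from our local server."
    chain = _xff_chain(headers)
    if not chain or chain[0] != REQUIRED_ORIGIN_IP:
        return ("Access denied. Please use a proxy, your request should "
                f"originate from {REQUIRED_ORIGIN_IP}.")
    if "age" not in h:  # assumption: only the presence of Age is checked
        return "Access denied. Request did not pass through a proxy server."
    return FLAG


@dataclass
class Connection:
    """What the server actually knows, independent of request headers."""
    remote_addr: str              # peer address from the TCP socket
    session_role: Optional[str]   # role stored server-side at login


TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the reverse proxy we operate


def client_ip(conn: Connection, headers: Dict[str, str]) -> str:
    """Honour X-Forwarded-For only when the direct peer is our own proxy,
    and then use the hop that proxy appended (the last one), never the
    client-supplied leading entries."""
    chain = _xff_chain(headers)
    if conn.remote_addr in TRUSTED_PROXIES and chain:
        return chain[-1]
    return conn.remote_addr


def hardened_flag_gate(conn: Connection, headers: Dict[str, str],
                       allowed_ips: Optional[set] = None) -> str:
    """Authorisation comes from server-side session state; any network
    restriction comes from the socket peer, not from a spoofable header."""
    if conn.session_role is None:
        return "Authentication required."
    if conn.session_role != "admin":
        return "Forbidden."
    if allowed_ips is not None and client_ip(conn, headers) not in allowed_ips:
        return "Forbidden."
    return FLAG


if __name__ == "__main__":
    # Constructed request carrying every header the challenge asks for.
    spoofed = {"User-Agent": "pentabrowser", "Referer": "http://localhost",
               "X-Forwarded-For": "169.172.18.9", "Age": "0"}
    print("weak gate:    ", weak_flag_gate(spoofed))
    print("hardened gate:", hardened_flag_gate(Connection("203.0.113.7", None), spoofed))
```

The weak gate hands over the flag to the same request the write-up builds in BurpSuite, while the hardened gate ignores every one of those headers: it asks who the session belongs to, and if an address restriction is wanted it only believes X-Forwarded-For when the connection really arrived through the operator's own proxy. A pentester reading a "use a proxy" or "must come from local server" message should read it as a sign that the check is header-based, and a defender should treat such messages as a bug report.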

Yet, our perseverance bore fruit as we finally beheld the elusive flag, a testament to our unwavering determination and ingenuity.

Flag:

With triumph coursing through our veins, we proudly present the coveted prize:

flag{y2046dp5i0Td0M4K1coBMQ==}

In conclusion, our expedition through the labyrinthine depths of this health care application stands as a testament to the power of perseverance, resourcefulness, and a dash of technical wizardry.


Written by Adarsh Kumar

I'm Adarsh. Cyber-security student, CTF player. Team TheWiz (@thewizx01)
