That was really cool challenge on 9447 CTF from Web category. Task description:
Nick's been eating your grandmother's strombomi. Head over to http://nicklesndimes-wq3mhu8l.9447.plumbing. Gain access to his admin account.
So the task is to takeover admin account with user_id = 1.
We are able to register new accounts and login (with Remember me functionality) or request for password reset. After digging a bit with password reset I noticed, that reset token is the same for my userid... and it's md5 hash for my team name ;-)
00:31 zoczus@ropchain[~]$ echo -n "zoczus" | md5sum
5580aed6ac917f2cd6fc08c9581e1ca2 -
So we can simply create password reset link for admin user this way: http://nicklesndimes-wq3mhu8l.9447.plumbing/reset_password?action=choose_password&auth_key=21232f297a57a5a743894a0e4a801fc3&id=1
And first problem - we know team name, but what's e-mail to login? Answer can be found by clicking small icon near to Users, which responds with json with scores, and near our admin account we can find additional field called admin_contact ;) Link was: http://nicklesndimes-wq3mhu8l.9447.plumbing/json?view=scoreboard
Got e-mail, got password, challenge solved... nope!
Tried X-Forwarded-for, X-Real-IP for 127.0.0.1 , 10.43.18.4 (from e-mail headers), etc... and then my team mate (thanks Dawid!) gave me idea to try this one:
00:38 zoczus@ropchain[~]$ host nicklesndimes-wq3mhu8l.9447.plumbing
nicklesndimes-wq3mhu8l.9447.plumbing has address 104.28.12.28
nicklesndimes-wq3mhu8l.9447.plumbing has address 104.28.13.28
Setting X-Forwarded-For to 104.28.13.28 gave me this result after login: