http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php In the response from the server a comment can be found which contains the link where the flag might be: The request type is “GET” and it has one parameter named “url”. /index.php?url=websiteToVisit The value of the “url” parameter is filtered. The server doesn’t accept words such as:“php”, "//", “127.0.0.1”, “58.229.183.24” as values. If the value sent to the server matches one of the words above the following message is retrieved as response: {{ :writeups:wp1.png?nolink |}} After a little research I found out that it can be possible to use the other three representations of an IP. I made a script that transforms an IP in DWORD, HEXA and OCTAL representations and below is our way to bypass IP. {{ :writeups:wp2.png?nolink |}} But there was one more problem: how to bypass the word “php”. The solution was simple. I used it plenty of times to bypass XSS filteres: I used double URL encoding to write the world “php” as “%2570hp” or “ph%2570”, etc. Knowing how to bypass the filter in the backend I made the following value which I inserted in the url parameter: /index.php?url=2130706433/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/index.ph%2570 The response was 200 ok, but it wasn’t the entire response. {{ :writeups:wp3.png?nolink |}} As it can be seen, only a part of the response was revealed, only 2 lines. So I verified if it is possible to insert other parameters in the request header. I tried with “%0d%0a” and it worked. So I attached to my url the following: %20HTTP/1.1%0D%0AHost:%20localhost%0D%0ARange:%20bytes=370-420%0D%0A%0D%0A The response from the server was: I changed the word “localhost” with “hackme” and I decreased the range. %20HTTP/1.1%0D%0AHost:%20hackme%0D%0ARange:%20bytes=76-110%0D%0A%0D%0A Then I sent the following request: /index.php?url=2130706433/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/index.ph%2570%20HTTP/1.0%0D%0AHost:%20hackme%0D%0ARange:%20bytes=76-110%0D%0A%0D%0A And in the response was our flag: Password is WH0_IS_SnUS_bI1G_F4N {{ :writeups:wp4.png?nolink |}}