
Labs / IP Spoofing Admin

  • Daily Challenge
  • Released 28 Aug 2025

🚨 This admin portal thinks it's safe behind IP restrictions.

A corporate admin portal stands locked behind what seems like impenetrable IP-based security. But every fortress has its weakness, and this one might not be as secure as it appears. 🎭 Can you find a way to convince the system that you belong on the inside?

1 flag · 1 point · Pro Exclusive

🌐 IP Spoofing Admin Portal - Complete Penetration Testing Solution

Objective: Conduct a security assessment of TechCorp Solutions' web application to identify and exploit IP-based access control vulnerabilities, ultimately gaining unauthorized access to the admin portal and retrieving the system flag.
🔍 Step 1: Understanding IP-Based Access Controls

IP-based access control is a security mechanism that restricts access to resources based on the client's IP address. While this can be effective in controlled environments, it has several inherent weaknesses including IP spoofing, proxy chains, and header manipulation vulnerabilities.

🔍 Step 2: Initial Reconnaissance and Web Application Mapping

Begin systematic reconnaissance by visiting <target-ip> and exploring all available pages (Home, About, Services, Contact). Attempt to access /admin directly to confirm IP-based restrictions are in place. Note the 403 Forbidden response and that your current IP is displayed on the error page, indicating the application tracks and validates IP addresses.

🔍 Step 3: Directory Discovery and Enumeration Techniques

The key to finding hidden directories like /logs/ lies in systematic directory enumeration. Professional penetration testers use several approaches:

Manual Directory Guessing

Start with common directory names that web applications often expose:

  • /logs/ - Server and application logs
  • /config/ - Configuration files
  • /backup/ - Backup files
  • /admin/ - Administrative interfaces
  • /test/ - Testing directories
  • /dev/ - Development files

Method: Simply navigate to <target-ip>/logs/ in your browser

Automated Tools

Professional tools for directory enumeration:

  • Dirb: dirb http://<target-ip>
  • Gobuster: gobuster dir -u http://<target-ip> -w /path/to/wordlist
  • Dirsearch: dirsearch -u http://<target-ip>
  • Feroxbuster: feroxbuster -u http://<target-ip>

Advantages: Comprehensive, fast, uses extensive wordlists

Browser-Based Discovery

Simple browser techniques:

  • URL Guessing: Try common paths manually
  • Error Analysis: Look for clues in error messages
  • Source Code Review: Check HTML source for hidden links
  • Robots.txt: Check /robots.txt for disallowed paths

Method: Navigate directly to suspected directories

🔍 Step 4: Discovering the /logs/ Directory

When you navigate to <target-ip>/logs/, you'll discover that the web server has directory listing enabled, revealing multiple log files:

Security Misconfiguration Identified

The server is configured to allow directory browsing, which is a significant security vulnerability. This exposes sensitive files that should never be publicly accessible.

Files Discovered in /logs/:

  • access.log - Web server access logs containing all HTTP requests
  • error.log - Application error logs with admin login events
  • security.log - Security-specific events and authentication logs

🔍 Step 5: Professional Directory Enumeration with Tools

In a real penetration test, you would use automated tools to ensure comprehensive coverage:

Using Gobuster (Recommended)

# Basic directory enumeration
gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirb/common.txt

# More comprehensive scan
gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,log

Expected Output: Would reveal /logs/, /config/, and other directories

Using Dirb (Alternative)

# Standard dirb scan
dirb http://<target-ip>

# Custom wordlist
dirb http://<target-ip> /usr/share/wordlists/dirb/common.txt

Expected Output: Similar results showing accessible directories

🔍 Step 6: Log Analysis and Pattern Recognition

Systematic analysis of the exposed log files reveals that the authorized admin IP address is 192.168.1.100:

access.log Analysis

Look for HTTP 200 responses to /admin:

192.168.1.100 - - [27/Aug/2024:08:15:32 +0000] "GET /admin HTTP/1.1" 200

error.log Analysis

Search for admin login events:

[2024-08-27 08:15:32] INFO: Admin login successful from 192.168.1.100

security.log Analysis

Examine security events:

2024-08-27T08:15:32Z [SECURITY] Admin authentication successful - IP: 192.168.1.100
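
The correlation above can be done mechanically. The following is an added example (not part of the lab or its solution) that parses the three log formats shown on this page and reports only the addresses that all three sources agree had a successful admin session. The 203.0.113.9 lines are constructed noise so the filters have something to reject; the regular expressions are written for the exact line shapes shown above and would need adjusting for other log formats.

```python
import re

# Log lines as shown on the page, plus constructed noise lines (the 203.0.113.9
# entries) so that the 403 and non-admin requests get filtered out.
ACCESS_LOG = """\
192.168.1.100 - - [27/Aug/2024:08:15:32 +0000] "GET /admin HTTP/1.1" 200
203.0.113.9 - - [27/Aug/2024:08:16:01 +0000] "GET /admin HTTP/1.1" 403
203.0.113.9 - - [27/Aug/2024:08:16:05 +0000] "GET /about HTTP/1.1" 200
"""

ERROR_LOG = """\
[2024-08-27 08:15:32] INFO: Admin login successful from 192.168.1.100
[2024-08-27 08:16:01] WARN: Admin access denied for 203.0.113.9
"""

SECURITY_LOG = """\
2024-08-27T08:15:32Z [SECURITY] Admin authentication successful - IP: 192.168.1.100
"""

# Common Log Format prefix: ip ident user [timestamp] "METHOD PATH PROTO" status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ERROR_RE = re.compile(r"Admin login successful from (?P<ip>\S+)")
SECURITY_RE = re.compile(r"Admin authentication successful - IP: (?P<ip>\S+)")


def admin_hits_from_access(text: str) -> set[str]:
    """IPs that received an HTTP 200 for /admin (trailing slash tolerated)."""
    hits = set()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("path").rstrip("/") == "/admin" and m.group("status") == "200":
            hits.add(m.group("ip"))
    return hits


def ips_matching(text: str, pattern: re.Pattern) -> set[str]:
    """IPs captured by a 'success' pattern in a free-form application log."""
    return {m.group("ip") for line in text.splitlines() if (m := pattern.search(line))}


def corroborated_admin_ips(access: str, error: str, security: str) -> set[str]:
    """Addresses that every log source independently ties to a successful admin session."""
    return (
        admin_hits_from_access(access)
        & ips_matching(error, ERROR_RE)
        & ips_matching(security, SECURITY_RE)
    )


if __name__ == "__main__":
    print(sorted(corroborated_admin_ips(ACCESS_LOG, ERROR_LOG, SECURITY_LOG)))
```

Requiring agreement across sources is what separates a real admin session from a stray 200 or a noisy error line; it is also exactly why leaving these three files browsable hands an attacker the allow-listed address with no guesswork.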

🔍 Step 7: Understanding the X-Forwarded-For Vulnerability

The application's vulnerability lies in its trust of the X-Forwarded-For HTTP header. This header is used by proxies to preserve original client IP addresses but can be easily manipulated by clients, making it unreliable for security decisions.
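To make the trust problem concrete, here is an added example (not code from the lab) showing the weak client-IP resolution beside a hardened one. The authorized address 192.168.1.100 comes from the page; TRUSTED_PROXIES (10.0.0.5) and the 203.0.113.x client addresses are assumptions constructed for the example. The hardened version only honours X-Forwarded-For when the TCP peer is a known proxy, and then takes the rightmost address that is not itself a trusted proxy, which is the hop the proxy appended rather than anything the client prepended.

```python
import ipaddress
from typing import Callable, Mapping

# Authorized admin address as found in the lab's exposed logs.
AUTHORIZED_ADMIN_IPS = {"192.168.1.100"}
# Hypothetical reverse proxy that is allowed to set X-Forwarded-For (assumption).
TRUSTED_PROXIES = {"10.0.0.5"}

Resolver = Callable[[str, Mapping[str, str]], str]


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """The weak pattern: whatever the request says in X-Forwarded-For wins,
    regardless of who actually connected."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy.

    Proxies append the connecting address to the right of the list, so the
    rightmost non-proxy entry is the one a trusted proxy saw; everything the
    client itself prepended sits to the left and is ignored.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in TRUSTED_PROXIES:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed value: fall back to the connecting address
        return hop
    return peer_ip


def admin_allowed(resolver: Resolver, peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Access decision as the portal would make it with the given resolver."""
    return resolver(peer_ip, headers) in AUTHORIZED_ADMIN_IPS


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "192.168.1.100"}
    print("vulnerable:", admin_allowed(client_ip_vulnerable, "203.0.113.7", spoofed))
    print("hardened:  ", admin_allowed(client_ip_hardened, "203.0.113.7", spoofed))
```

Note that the hardened resolver also refuses a header that arrives through the trusted proxy but carries a prepended value: with peer 10.0.0.5 and `X-Forwarded-For: 192.168.1.100, 203.0.113.7`, the proxy-appended 203.0.113.7 is what gets checked. IP-based restrictions should still be treated as defence in depth rather than authentication, since the underlying address is only as trustworthy as the path it arrived over.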

🔍 Step 8: Exploitation Techniques

Add the header with cURL: curl -H "X-Forwarded-For: 192.168.1.100" http://<target-ip>/admin. Alternatively, intercept the request in Burp Suite and insert the header there, or use a browser extension that modifies request headers. Every method comes down to the same thing: sending X-Forwarded-For: 192.168.1.100 so that the application believes the request originates from the authorized IP address.

🔍 Step 9: Successful Exploitation and Flag Retrieval

Upon successful exploitation, the admin portal displays a welcome message, confirms access from IP 192.168.1.100, and reveals the system flag. The vulnerability demonstrates complete bypass of IP-based access controls through header manipulation.

Real-World Application: Directory enumeration is a fundamental reconnaissance technique used in every professional penetration test to discover hidden resources, configuration files, and sensitive data that organizations inadvertently expose.