Official Weather App Discussion

After countless hours I finally got the flag! Wow, what a journey that box was. So much temptation to look at discussion for hints but I’m proud of myself for doing it on my own. I would not rate this an easy but maybe I’m just a dummy.
Really cool exploit path, I learned a ton.

Can someone give me a hint to bypass localcheck? I tried to add various headers to P*** method but none of them work.

edited: nah, I found it :slight_smile: (removing because of hints)

Fuck my brains! It took so long to sort out this box … Thanks for the tips above.

I’m having this exact same problem. I am getting the right type of request sent to the right endpoint but I get an exception raised due to req.socket.remoteAddress being undefined during the IP check.

Did anyone else run into this? How did you solve it?

Update: Never mind, figured it out! Great challenge, I learned a ton along the way.

Hi, I am stuck at re*******ess is undefined, how can I bypass it?

I just realized how to finish this box and I want to give a little clue:
Focus on the register function, but not directly.

I’m going crazy here! I know how to get the login working, I just need to be able to bypass the localhost check. I have a few theories, but so far none worked. Can somebody give me a hint? Is it through proto-p? req smuggle? :frowning:

Hey guys just completed the challenge
{got some help from discord}
Well HINT: Look at the source code of js files carefully
1 > Check the weather for different city and notice what is happening
2 > IMP : Divorces are bad but we kinda need them
3 > Keeping distance is the key

Smuggling is bad {KEEP THE DISTAnCE}

Synonym for Separating

Hello, I send a POST request with the right endpoint but it tells me "{error:Couldn’t find Dallas or Us}", which are the city name and country. Any help?

I’m trying to work on bypassing localhost checking on /rr. Is SF on /a/w***r the way to go? Seems like the wrong type of request…

Your comments have just confused me more :sweat_smile: