After countless hours I finally got the flag! Wow, what a journey that box was. So much temptation to look at discussion for hints but I’m proud of myself for doing it on my own. I would not rate this an easy but maybe I’m just a dummy.
Really cool exploit path, I learned a ton.
Can someone give me hint to bypass localcheck ? I tried to add various headers to P*** method but none of them works.
edited: nah, I found it 
(removing because of hints)
■■■■ my brains! It took so long to sort out this box … Thanks for the tips above.
I’m having this exact same problem. I am getting the right type of request sent to the right endpoint but I get an exception raised due to req.socket.remoteAddress being undefined during the IP check.
Did anyone else run into this? How did you solve it?
Update: Nevermind, figured it out! Great challenge, I learned a ton along the way.
Hi, I am stucking at re*******ess is undefined, how can I bypass it?
I just realize how to finish this box and I want to give a little clue:
Focus on register function, but not directly.
I’m going crazy here! I know how to get the login working, I just need to be able to bypass the localhost check. I have a few theories, but so far none worked, can somebody give me a hint? is it through proto-p? req smuggle? 
Hey guys just completed the challenge
{got some help from discord}
Well HINT: Look at the source code of js files carefully
1 > Check the weather for different city and notice what is happening
2 > IMP : Divorces are bad but we kinda need them
3 > Keeping distance is the key
Smuggling is bad {KEEP THE DISTAnCE}
Synonm for Separating
Hello, I send a post request with the right endpoint but it tells me it {error:Couldn’t find Dallas or Us}" Which are the city name and country,any help?
I’m trying to work on bypassing localhost checking on /rr. Is SF on /a/w***r the way to go? Seems like the wrong type of request…
Your comments have just confused me more 
I am also facing the issue where the socket IP is somehow undefined. Tried many headers but it does not seem to work… Can anyone provide me with a nudge?
That really was harder than I thought, still stuck, some hints guys.
what I already found:
SQL injection vulnerability in the /register POST end point.
I think there is also some way to exploit the weather helper too, but I have no Idea how?, sending requests? injecting something to the url?
HELPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
for those who having “undefined” problem:
Not every character is accepted
try to run proof of concept on your machine and enter your query there.
also 2 in not al limit. there can me more
hope this helps
Hi. I’m stuck with endpoint line.
I got a feeling that I’m almost there.
Anyone can nudge me in the right direction?
Thanks.
i am new to challenges. I have downloaded the file but not able to figure out what to do…