Official Weather App Discussion

After countless hours I finally got the flag! Wow, what a journey that box was. So much temptation to look at the discussion for hints, but I’m proud of myself for doing it on my own. I would not rate this an easy, but maybe I’m just a dummy.
Really cool exploit path, I learned a ton.

Can someone give me a hint to bypass localcheck? I tried to add various headers to the P*** method but none of them work.

Edited: nah, I found it 🙂 (removing because of hints)

■■■■ my brains! It took so long to sort out this box … Thanks for the tips above.

I’m having this exact same problem. I am getting the right type of request sent to the right endpoint but I get an exception raised due to req.socket.remoteAddress being undefined during the IP check.

Did anyone else run into this? How did you solve it?

Update: Never mind, figured it out! Great challenge, I learned a ton along the way.

Hi, I am stuck at re*******ess is undefined, how can I bypass it?

I just realized how to finish this box and I want to give a little clue:
Focus on the register function, but not directly.

I’m going crazy here! I know how to get the login working, I just need to be able to bypass the localhost check. I have a few theories, but so far none worked. Can somebody give me a hint? Is it through proto-p? Req smuggle? 🙁

Hey guys just completed the challenge
{got some help from discord}
Well HINT: Look at the source code of js files carefully
1 > Check the weather for a different city and notice what is happening
2 > IMP : Divorces are bad but we kinda need them
3 > Keeping distance is the key

Smuggling is bad {KEEP THE DISTAnCE}

Synonym for Separating

Hello, I send a POST request with the right endpoint but it tells me "{error:Couldn’t find Dallas or Us}", which are the city name and country. Any help?

I’m trying to work on bypassing localhost checking on /rr. Is SF on /a/w***r the way to go? Seems like the wrong type of request…

Your comments have just confused me more 😅

I am also facing the issue where the socket IP is somehow undefined. Tried many headers but it does not seem to work… Can anyone provide me with a nudge?

That really was harder than I thought, still stuck, some hints guys.
What I already found:
SQL injection vulnerability in the /register POST endpoint.
I think there is also some way to exploit the weather helper too, but I have no idea how. Sending requests? Injecting something into the URL?

For those who are having the “undefined” problem:
Not every character is accepted.
Try to run the proof of concept on your machine and enter your query there.
Also, 2 is not a limit. There can be more.

Hope this helps.

Hi. I’m stuck with the endpoint line.
I’ve got a feeling that I’m almost there.
Can anyone nudge me in the right direction?


I am new to challenges. I have downloaded the file but am not able to figure out what to do…