CTFtime.org / DownUnderCTF 2021 (Online) / Inside Out / Writeup

Rating:

Main page:

![image](https://user-images.githubusercontent.com/80063008/137881634-5f717dd4-7532-444b-ab89-5424bdfde9eb.png)

Source code reveals /admin and an endpoint that can be abused

![image](https://user-images.githubusercontent.com/80063008/137881666-76a0ce73-de11-4e13-bba8-6f4400a86e21.png)

/request?url=http://localhost/admin says it's blacklisted

![image](https://user-images.githubusercontent.com/80063008/137881716-68143fc4-9eaa-4fd2-98cd-d46866ba3b65.png)

So I bypassed it using the link below:

https://web-inside-out-b3d9f3b9.chal-2021.duc.tf/request?url=http://0/admin

DUCTF{very_spooky_request}