- First, we started by exploring the main domain VulnRecruitment and we only found this
- Subdomain discovery
  - Using dnsrecon: `dnsrecon -d vulnrecruitment.co.uk -D ~/wordlists/subdomains.txt -t brt`
    - Resulted in `A admin.vulnrecruitment.co.uk 68.183.255.206`
  - Searching on crt.sh
    - Nothing found
- Investigated this admin interface and found that it is not accessible from my IP address
- Scanned the TCP ports of the IP address using `nmap -sC -sV 68.183.255.206` and the UDP ports using `sudo nmap -sU 68.183.255.206`, but found nothing of interest
- It seems that the IP is blocked by a WAF, so maybe we can bypass it by adding some headers (X-Forwarded-For, X-Originating-IP, X-Remote-IP, X-Remote-Addr)? Tried inserting some headers, but it seems that the answer is no
- Content discovery on www.vulnrecruitment.co.uk
- While discovering `staff/1`, `staff/2`, etc., I tried `staff/3` and it showed this. So there must be something to do with this member
- Going back to `admin.vulnrecruitment.co.uk`, I tried `ping -c 4 www.vulnrecruitment.co.uk` and it turned out that the 2 subdomains are hosted on the same server. This may be an HTTP Host Header attack?? Tried changing the host of some of the requests, but the answer seems to be no
- Going back to the `nmap` of the server, the TCP scan showed the version of the running web server. So this may have a disclosed vulnerability? It has many, but I can't find one of use
- Tried finding a SQL injection vulnerability in `/staff/{staff_id}/image?id={id}` and found this response
- Visited b38f1-uploads.vulnrecruitment.co.uk and found that it is the file storage engine of the domain. Found Flag 1
- Found an open redirection to this Google search, but found it useless in any way. However, when accessing the `uploads/` URL I found an error page showing `nginx/1.15.8`, while the response reports the server as `nginx/1.21.1`. So this may have something??
- I searched for any disclosed vulnerabilities for `nginx/1.21.1` or `nginx/1.15.x` and found that `nginx/1.15.0-12` may have an HTTP Request Smuggling vulnerability
- So I read a report from Bert JW Regeer and tried to do request smuggling, but only the `403 Forbidden` error appeared
- When checking the link `/staff/3/image?id={image_id}`, I removed the id and it said that the id must be there; then, when inserting it again, it showed `Staff Member is no longer active`. So maybe we can use this in some way? Image id validation happens before checking the user id
- Going back to the `/staff` endpoint, we do a deeper level of content fuzzing and see what happens. So we find `/portal` under `/staff` and we go examine it
- This `/staff/portal` redirects me to `/staff/portal/login`, which is a login form with username and password input fields
- First, we use the emails we found under `/staff/1`, `/staff/2` and `/staff/4` to do some password bruteforcing
- Tried with the first user `[email protected]` but got `User not does have online access` (yes, with this faulty grammar)
- Found that only user `archie.bentley%40vulnrecruitment.co.uk` receives the error `Invalid email / password combination`, so we are going to bruteforce his password using `ffuf`
- Logged in as `[email protected]:thunder` and a code that consists of 4 digits was sent to my mobile!
- When we try more than 3 times we get this error message, but when we look at the Burp request we find an `attempt` parameter; when we fix it to `attempt=1` we can try as many `otp`s as we want
- Now we bruteforce the OTP code; found a working OTP `3798`, which redirected me to `/staff/portal` with a `token` cookie
- It got authenticated and we see this (Found Flag 2)
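To show why a client-supplied `attempt` field defeats the 3-try limit, here is an added illustration (my own model, not the portal's code): a verifier that trusts the request's counter beside one that keeps the counter server-side per session. The session ids, the in-memory store and the `is_locked` helper are assumptions for the demonstration.

```python
# Added illustration of the OTP step described in the write-up; not the portal's code.
import hmac
import secrets

MAX_ATTEMPTS = 3


class VulnerableOtpVerifier:
    """Models the portal as observed: the attempt counter arrives in the request body."""

    def __init__(self, code: str):
        self.code = code

    def verify(self, otp: str, attempt: int) -> bool:
        # The limit is only enforced against the number the client chooses to report,
        # so a client that always sends attempt=1 is never cut off.
        if attempt > MAX_ATTEMPTS:
            return False
        return hmac.compare_digest(otp, self.code)


class HardenedOtpVerifier:
    """Counter lives server-side, keyed by session (assumed); the request carries only the OTP."""

    def __init__(self):
        self._codes = {}  # session_id -> [code, failures]

    def issue(self, session_id: str) -> str:
        code = f"{secrets.randbelow(10_000):04d}"  # 4 digits, as in the write-up
        self._codes[session_id] = [code, 0]
        return code

    def is_locked(self, session_id: str) -> bool:
        # True when no live code exists: never issued, already consumed, or locked out.
        return session_id not in self._codes

    def verify(self, session_id: str, otp: str) -> bool:
        entry = self._codes.get(session_id)
        if entry is None:
            return False
        if hmac.compare_digest(otp, entry[0]):
            del self._codes[session_id]  # single use: a correct code cannot be replayed
            return True
        entry[1] += 1
        if entry[1] >= MAX_ATTEMPTS:
            del self._codes[session_id]  # lockout: the user must request a fresh code
        return False
```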
- After logging in, we find this message that was sent from `archie` to `amelia` saying `All the best on your last day at work, you will be missed from the team`! So this means that this is `/staff/3`. So I tried to login with her email and got the error `Invalid email / password combination`. Thus, her account may still be there!
- Tried bruteforcing its password and voila! We have valid credentials `[email protected]:zxcvbn`
- Logged in with these credentials, but another authentication method appeared!
- Thought of bruteforcing this, but I have no list to bruteforce with!
- Going back to user `[email protected]`, I tried to access `/staff/portal/uploads`, but it is admin-only content. So I tried to bruteforce the endpoint, but only `404` responses showed for some endpoints. But I didn't know what to do with any of it
- I went to `http://b38f1-uploads.vulnrecruitment.co.uk/uploads/` and tried to fuzz for any deeper endpoints under `/uploads` (because maybe I am missing something), but found nothing
- Also tried to search for any endpoints under `http://admin.vulnrecruitment.co.uk/`, because I noticed that when I gave it a random endpoint it gives back a `404` status code, so maybe if we bruteforced we would get something other than this `404`? But nothing showed other than the `/css` and `/js` endpoints with `301` status
- Going back to the local pub we need in order to login into `[email protected]`'s account: it says local pub, so maybe we can find her location and then get a list of the local pubs near her?
- The only way we can get her location is through social media, but there are a lot of accounts with her name, so we need to narrow down our search space
- Maybe we can search with an image of her (using Google Images)? Images are hashed, and from the Storage Server we found (Step 11), we can bruteforce the hash of `amelia`'s user. But what is the hash based upon?
- We can go to Crackstation and see what shows when we submit the hash of `archie` (he is the only one of the 3 users that has an online account) and voila! It is a time in the format `hh:mm`, and we validated it through the terminal. So we have the format of the image in the `b38f1-uploads.vulnrecruitment.co.uk` storage website as `{userID}_{timeHash}.jpg`, so we create a script that MD5-hashes all the values from `00:00` to `23:59`, appends each one of them to `amelia`'s ID (which is 3), appends `.jpg` at the end, then sends a request for each and shows the responses with `200` HTTP status code
- Wrote a script that generates all day hours in a file `dayHours.txt`, then generates all their MD5 hashes in a file `dayHoursMD5.txt`
- Then we ran `ffuf` against the hashes list to see if any value got us a `200` HTTP status code, and we found it! And we find this picture!
- Searched for this photo in multiple reverse image searches like `google`, `bing` and `yandex` but found nothing. Also tried multiple social media applications like `facebook`, `linkedin`, `twitter` and others, but also found nothing!
- We can use the `exiftool` tool to look at the metadata of the image, as we may find some useful data. And we found GPS coordinates!
- We search by these coordinates and we find that it is located in Burnham-on-Crouch CM0 8HR, United Kingdom!
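An added illustration (not the author's script) of why the `{userID}_{timeHash}.jpg` naming scheme found a few steps above is enumerable: one user's entire namespace is 1440 names and each name maps straight back to its `hh:mm`, which is what makes a random token the fix. The user id `3` and the `.jpg` suffix come from the write-up; the function names and the `secrets`-based alternative are assumptions.

```python
# Added illustration of the weakness in the storage naming scheme; not the write-up's script.
import hashlib
import secrets

MINUTES_PER_DAY = 24 * 60  # only 1440 possible hh:mm values


def time_hash_names(user_id: int) -> list:
    """Every name the {userID}_{md5(hh:mm)}.jpg scheme can produce for one user."""
    names = []
    for hour in range(24):
        for minute in range(60):
            digest = hashlib.md5(f"{hour:02d}:{minute:02d}".encode()).hexdigest()
            names.append(f"{user_id}_{digest}.jpg")
    return names


def recover_time(name: str):
    """Return the hh:mm a scheme-generated name encodes, or None if it is not one.
    The reverse table is tiny (1440 entries), so the mapping is effectively unkeyed."""
    table = {}
    for hour in range(24):
        for minute in range(60):
            hhmm = f"{hour:02d}:{minute:02d}"
            table[hashlib.md5(hhmm.encode()).hexdigest()] = hhmm
    stem = name.rsplit("_", 1)[-1]
    if not stem.endswith(".jpg"):
        return None
    return table.get(stem[:-4])


def random_upload_name(user_id: int) -> str:
    """Fix (assumed design): 128 random bits from the OS CSPRNG, not derivable from
    any public attribute such as the upload time, so there is nothing to enumerate."""
    return f"{user_id}_{secrets.token_hex(16)}.jpg"
```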
- Searched for local pubs near this place and found some pubs like The Queens Head, Bar 3 and The New Welcome Sailor
- Tried The New Welcome Sailor and it successfully logged us in! Found Flag 3
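From a defender's side, the location leak above exists because the upload pipeline stored the photo with its Exif intact. This is an added example (not from the write-up) that walks the JPEG marker segments and drops APP1 (Exif, where the GPS IFD lives, and XMP) and COM segments before storage; the sample JPEG bytes are constructed to exercise the walker and are not a real image.

```python
# Added example of stripping Exif/COM segments from a JPEG before it is stored; not from the write-up.
import struct

SOS, COM, APP0, APP1 = 0xDA, 0xFE, 0xE0, 0xE1


def _segments(data: bytes):
    """Yield (marker, start, end) for each marker segment after SOI; the SOS entry runs to EOF."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded image data follows; copied verbatim, never metadata
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("no SOS marker found")


def has_exif(data: bytes) -> bool:
    return any(m == APP1 and data[s + 4:s + 10] == b"Exif\x00\x00" for m, s, _ in _segments(data))


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop APP1 (Exif incl. GPS, XMP) and COM; keep APP0/JFIF, APP2/ICC, DQT, SOF and the scan."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if marker in (APP1, COM):
            continue
        out += data[start:end]
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real photo: just enough structure for the walker; the Exif payload is a stub.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 6)
    + _seg(COM, b"photo comment")
    + _seg(0xDB, b"\x00" + bytes(64))  # DQT
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\xd9"  # fake entropy-coded bytes, then EOI
)
```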
- After clicking on this `Uploads` tab and monitoring the request, I found that it has a `POST` parameter called `listing_file`, and when changing the value of this parameter to, e.g., `admin.php`, it returns an HTML response as if the backend system has made a request to `http://someurl/admin.php`. So I think it is an SSRF
- Removed `admin.php` and found the response of `http://b38f1-uploads.vulnrecruitment.co.uk/`, so this is the website that it requests. But remember, from Step 11, we found an open redirection vulnerability which redirects us to `https://google.com`. So I tried this: `listing_file=redirect?url=https://example.com` and voila! We have Example.com in our response. This means that the backend has followed the redirection header!
- Thus, we tried to request `http://admin.vulnrecruitment.co.uk` and yes, we found the last flag. Found Flag 4
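Added example (not the portal's code) of how the `listing_file` fetch described above could be constrained: the value must be a bare file name on the storage origin, and redirects are followed by hand so every hop is checked against the allowed host instead of being followed blindly. The base URL and allowlist are assumptions built from the hostnames in the write-up; `do_request` is a placeholder for whatever HTTP client is used, configured not to auto-follow redirects.

```python
# Added example of constraining the listing_file fetch; not the portal's code.
import re
from urllib.parse import quote, urlsplit

# Hostnames taken from the write-up; the exact base path is an assumption.
UPLOAD_BASE = "http://b38f1-uploads.vulnrecruitment.co.uk/uploads/"
ALLOWED_HOSTS = {"b38f1-uploads.vulnrecruitment.co.uk"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_REDIRECTS = 3


def listing_url(listing_file: str):
    """Map a listing name onto the storage origin, or None for anything that is not a bare file name.
    The character class rejects '/', '?', ':' and '@', so paths, query strings
    (redirect?url=...), schemes and userinfo tricks never reach the request layer."""
    if not SAFE_NAME.fullmatch(listing_file) or ".." in listing_file:
        return None
    return UPLOAD_BASE + quote(listing_file)


def redirect_allowed(location: str) -> bool:
    """A Location header may only be followed if it stays on an allowlisted host over http(s)."""
    parts = urlsplit(location)
    return (parts.scheme in ("http", "https")
            and parts.username is None  # http://allowed-host@evil/ parses to host evil
            and parts.hostname in ALLOWED_HOSTS)


def fetch_listing(listing_file: str, do_request):
    """do_request(url) -> (status, headers, body) and must NOT auto-follow redirects (assumed).
    Redirects are followed here one hop at a time so each hop is re-checked."""
    url = listing_url(listing_file)
    if url is None:
        return None
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = do_request(url)
        if status not in REDIRECT_CODES:
            return body
        location = headers.get("Location", "")
        if not redirect_allowed(location):
            return None  # off-origin redirect: abandon rather than fetch it
        url = location
    return None  # too many hops
```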