Attacking VulnRecruitment Part 1

So I have been trying out a bunch of CTFs from CTF Challenge, created by Adam Langley. So far I have done VulnBegin CTF, followed by VulnLawyers and VulnForum. Today I am going to start looking at VulnRecruitment and jotting down what I do, not only when it works but also when it fails.

CTF Challenge is free, with some challenges requiring a one-time payment to get access; I am planning on paying once I have completed the free ones. I really recommend CTF Challenge, it is based on real-world experiences and is inexpensive at £20.00.

Starting out

The first thing I am going to do is run ffuf to try and find some more content. I am using the wordlists provided by CTF Challenge, which is great as it saves time: if a value is not in any of those, it is not in the CTF. I run the following: ffuf -t 3 -p 0.08 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://vulnrecruitment.co.uk/FUZZ -H "Cookie: ctfchallenge=<YOUR_COOKIE_HERE>" -mc all -fc 404

Breaking that command down, I have three threads with a 0.08-second delay to make sure I do not go over 10 requests per second, using the content wordlist and appending each entry after the URL http://vulnrecruitment.co.uk.

While I wait for that I am going to explore the site via Burp Suite's proxy so I can capture and review all traffic later, making sure to set the cookie in the project options. Eyeballing the site, there are two pages I can see, Home and Staff Members. The home page has an image and some text; I am not seeing any user inputs, and after checking the Staff Members page it is pretty much the same. The difference is that on the Staff Members page I can view the profile of each staff member, which includes each of their emails. Win, I have half of the puzzle if I find a login form, meaning I may be able to brute force the passwords.

I come back and check on the ffuf scan; it seems I have been breaching the request limits, so time to drop it down a bit. I am going to increase the delay to 0.1, leaving me with around 7 requests a second.

I go back to each of the three staff members' profiles and grab the emails. I also notice that the third profile has the numeric ID of 4, meaning there may be another profile somewhere. I hover over the links to the staff pages and notice the profile with the ID of 3 is missing; I try to access it and am greeted with "Staff Member no longer works for VulnRecruitment". I make a note: maybe if I find the account they may not have disabled the login.

I go back to the home page and open up the source code for the site. Nothing major sticks out: it looks to use Bootstrap, imports jQuery and has a base64-encoded blob as a background image. I move on to the Staff Members page and do the same. Pretty much the same crap, different page, but then I notice the thumbnails for the staff take an ID parameter that looks like a hash value.

ffuf has finished; I have three results, css, js and staff, which I already know about. I check the staff profile pages to see if anything else catches my eye and nothing does apart from the ID parameter again. I open the URL for an image in a new tab as I get ready to play around, and then I perform another ffuf scan for directories under /staff: ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://vulnrecruitment.co.uk/staff/FUZZ -H "Cookie: ctfchallenge=<YOUR_COOKIE_HERE>" -mc all -fc 404

I start playing around with the ID parameter on http://vulnrecruitment.co.uk/staff/1/image?id=955dc852b26e9375c7b7858b438f80f6, performing the following:

  • deleting ID = an empty 16px square
  • trying id=955dc852b26e9375c7b7858b438f80f6asdfasdfas = another empty square
  • trying id=../ = more empty squares
  • trying id=../../../ = not sure what I expected, but more empty squares
  • trying the ID from a different staff member = another empty square; it looks like the ID is unique to the URL, including the staff member ID

I quickly check back on ffuf: a bunch of hits on numerals, but it only shows the response code and size. I decide to check what the page says for user ID 2000 and am surprised to find a different message stating "Staff Member ID is invalid", which leads me to plan another ffuf scan after the current one finishes, filtering out any response that has the "Member ID is invalid" text, which would allow me to see more member IDs that I may be able to access later.

The /staff scan finished and I have a new path, /staff/portal. I start a new scan to get all of the possible staff IDs using ffuf -t 2 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/1to100.txt -u http://vulnrecruitment.co.uk/staff/FUZZ -H "Cookie: ctfchallenge=<YOUR_COOKIE_HERE>" -mc all -fr "Member ID is invalid" -fc 404 and then open up /staff/portal in Burp.

The portal gives me a login page, which is great, it means I can possibly brute force my way in, but before that I decide to open the source code. I can see that there is a POST endpoint for login, /staff/portal/login, so I decide to run another ffuf content scan on /staff/portal: ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://vulnrecruitment.co.uk/staff/portal/FUZZ -H "Cookie: ctfchallenge=<YOUR_COOKIE_HERE>" -mc all -fc 404

Since CTF Challenge will return 429 if I send too many requests, I decide to wait for the previous scan to finish before I start to think about trying to brute force passwords, and I quickly check there is no user with the ID of 0 in case I missed it. The scan on /staff/portal gives me /login, /logout and /uploads; I wonder if /uploads is where the staff profile images are stored, but anyway I decide to start cracking.

I start with a basic logon attempt with credentials I think should not work, username test and password test, which to no surprise returns "Invalid email / password combination". I decide to enter a known email and no password, the email being jacob.webster@vulnrecruitment.co.uk, and get a different response of "User not does have online access", which is interesting, so I try the other two emails. The only email that does not return no online access is archie.bentley@vulnrecruitment.co.uk, so I guess that is whose password we are trying to brute force.

I use ffuf -t 3 -p 0.1 -X "POST" -w ~/ctfs/ctfchallenge/wordlists/passwords.txt -H "Content-Type: application/x-www-form-urlencoded" -u http://vulnrecruitment.co.uk/staff/portal/login -d "email=archie.bentley@vulnrecruitment.co.uk&password=FUZZ" -H "Cookie: ctfchallenge=<YOUR_COOKIE_HERE>" -fr "Invalid email / password combination" and quickly get a password back. I try to log in and am greeted by another blocker, MFA, stating "We've sent a 4 digit code to your mobile, you have 3 attempts to enter it below to continue".
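From the defender's side, the two things just described (error messages that reveal which accounts have online access, and an unthrottled password loop against the one account that does) are both visible in login logs. The following is an added example, not part of the original write-up: detection logic run over constructed sample log lines in an assumed "<ISO timestamp> <client ip> POST /staff/portal/login email=<addr> result=<outcome>" format; the addresses, IP and outcomes are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) format: "<ISO ts> <ip> POST /staff/portal/login email=<addr> result=<outcome>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /staff/portal/login "
                     r"email=(?P<email>\S+) result=(?P<result>\S+)$")

def parse(lines):
    """Yield parsed login events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect(lines, fail_threshold=10, window=timedelta(seconds=60), enum_threshold=3):
    """Return (rule, subject) alerts in firing order, each at most once:
    brute_force when one email collects >= fail_threshold failures inside `window`,
    user_enumeration when one IP has probed >= enum_threshold distinct emails."""
    alerts, fired = [], set()
    failures = defaultdict(deque)   # email -> sliding window of failure times
    probed = defaultdict(set)       # ip -> distinct emails tried
    for ev in parse(lines):
        if ev["result"] == "success":
            continue
        q = failures[ev["email"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        probed[ev["ip"]].add(ev["email"])
        checks = ((("brute_force", ev["email"]), len(q) >= fail_threshold),
                  (("user_enumeration", ev["ip"]), len(probed[ev["ip"]]) >= enum_threshold))
        for key, hit in checks:
            if hit and key not in fired:
                fired.add(key)
                alerts.append(key)
    return alerts

# Constructed sample: one client probes three accounts, then hammers the one
# that did not answer "no online access", then finally gets in.
BASE = "10.0.0.5 POST /staff/portal/login"
SAMPLE_LOG = [
    f"2024-01-01T12:00:00 {BASE} email=test result=invalid_credentials",
    f"2024-01-01T12:00:01 {BASE} email=user1@example.test result=no_online_access",
    f"2024-01-01T12:00:02 {BASE} email=user2@example.test result=no_online_access",
    f"2024-01-01T12:00:03 {BASE} email=user3@example.test result=invalid_credentials",
] + [f"2024-01-01T12:00:{10 + i:02d} {BASE} email=user3@example.test result=invalid_credentials"
     for i in range(12)] + [f"2024-01-01T12:00:30 {BASE} email=user3@example.test result=success"]
```

The enumeration rule only has something to catch because the responses differ per account; returning one generic message for unknown, disabled and wrong-password cases removes the oracle entirely.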

Not happy to have another thing in the way, especially with only three attempts, but after checking the MFA request I can see that the number of failed attempts is dictated by the client, which means yet more brute forcing. I add the updated params and ffuf goes to work while I order dinner. The command I executed was ffuf -t 3 -p 0.1 -X "POST" -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -H "Content-Type: application/x-www-form-urlencoded" -u http://vulnrecruitment.co.uk/staff/portal/login -d "email=archie.bentley@vulnrecruitment.co.uk&password=<PASSWORD>&attempt=1&otp=FUZZ" -H "Cookie: ctfchallenge=<YOUR_COOKIE_HERE>" -fr "Invalid 4 digit security code"
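The client-supplied attempt counter is the kind of flaw a code review should catch, so here is an added, constructed Python model of that check (the CTF's server code is not visible and this is not it) beside a hardened version whose counter and lockout live server-side. VulnerableOtpCheck, HardenedOtpCheck and the code "7392" are all made up for the example.

```python
import hmac

MAX_OTP_ATTEMPTS = 3

class VulnerableOtpCheck:
    """Mirrors the write-up: the client posts its own 'attempt' counter, so the
    server only knows what the client chooses to tell it about failures."""
    def __init__(self, code):
        self.code = code
    def verify(self, submitted, attempt):
        if attempt > MAX_OTP_ATTEMPTS:      # enforced on a client-supplied number
            return "locked"
        return "ok" if submitted == self.code else "invalid"

class HardenedOtpCheck:
    """Failure count lives server-side on the pending login; three misses
    invalidate that login, and a correct code is consumed on first use."""
    def __init__(self, code):
        self.code = code
        self.failures = 0
        self.locked = False
    def verify(self, submitted):
        if self.locked:
            return "locked"
        if hmac.compare_digest(submitted, self.code):
            self.locked = True               # one-time code: cannot be replayed
            return "ok"
        self.failures += 1
        if self.failures >= MAX_OTP_ATTEMPTS:
            self.locked = True               # caller must redo the password step
        return "invalid"

def count_evaluated_guesses(verify):
    """Submit every 4-digit code in order until the server stops checking them.
    Returns (number of guesses actually evaluated, whether the code was accepted)."""
    evaluated = 0
    for n in range(10_000):
        result = verify(f"{n:04d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False

if __name__ == "__main__":
    code = "7392"   # constructed code; real codes come from the server's RNG
    vuln = VulnerableOtpCheck(code)
    print(count_evaluated_guesses(lambda c: vuln.verify(c, attempt=1)))   # (7393, True)
    print(count_evaluated_guesses(HardenedOtpCheck(code).verify))          # (3, False)
```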

I get the MFA code and manage to log in, finding my first flag, which is actually flag 2, so I have missed something. I decide to push on and try to find flags 3 and 4.

I am shown a page with some messages about a staff member who has left, which I assume is the user with the ID of 3. There is also an upload tab which is only accessible to admins. I take the new email, amelia.nixon@vulnrecruitment.co.uk, try to brute force the password for it and get the password, only to be blocked by a security question. I decide to go back to the first account to see if I can find any info on the pub but find nothing, so I decide to turn to OSINT, or open source intelligence.

I run a tool called socialscan but I get no results, dang. Understandably there are so many options that I am at a bit of a loss. At this point it is late in the evening, I am tired and my food order got cancelled, so I decide to call it a night.