Attacking VulnRecruitment Part 2

This is part 2 of my attempts at attacking VulnRecruitment; to see what I have tried so far, see Part 1.

So I look over my notes from last time and I realise I should try expanding my target scope via DNS records. I run the command nslookup -type=any vulnrecruitment.co.uk 8.8.8.8 and I find what could be the hostmaster's email address. I then run dnsrecon -d vulnrecruitment.co.uk -D ~/wordlists/subdomains.txt -t brt to see if I get any more results.

nslookup and dnsrecon give me different results because they do different things: nslookup simply queries a DNS server for the records it holds about the given domain (in this case I query Google's resolver at 8.8.8.8), whereas dnsrecon lets me enumerate additional subdomains by brute forcing names from the wordlist I give it. In this case dnsrecon gives me the admin URL, score.

I open up Burp Suite; I now have the Pro version, which work has given me, so I might as well use it to help me become a better AppSec Engineer. I open up the admin portal and have a quick look, but I get a response of ["You are not allowed access from this IP address"]; I was kind of hoping for the flag that I missed earlier. I quickly visit crt.sh and check for more data, but no dice.

I decide to try to enumerate some directories, pages or endpoints; ffuf comes to my aid again and I run ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://admin.vulnrecruitment.co.uk/FUZZ -H "Cookie: ctfchallenge=<COOKIE>" -mc all -fc 404.

While that runs, I decide to fuzz more of the staff login portal I do have access to, by adding the access token I get when logged in with the credentials of the user I was able to brute force in part 1. I log back in, grab the cookie I need and then run ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://vulnrecruitment.co.uk/staff/portal/FUZZ -H "Cookie: ctfchallenge=<COOKIE>; token=<AUTH-TOKEN>" -mc all -fc 404.
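Seen from the other side of the wire, the two ffuf runs above leave a very characteristic trace: one client IP issuing a request per wordlist entry, with nearly all responses being 404 (the -fc 404 filter hides those from the scanner, but the web server still logs every one of them). The following is an added example, not code from this post or from the CTF, of a detector that reads combined-format access log lines and flags any IP whose request rate and 404 ratio within a sliding window look like a content scan. The log lines, the IP addresses, the thresholds and the build_sample_log helper are all constructed for this example.

```python
"""Flag wordlist-driven content fuzzing in web server access logs.

Signal: a single client IP makes many requests in a short window and most of
them receive a 404. Ordinary users do not generate dozens of 404s per minute.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache; we only need the client IP,
# the timestamp, the request path and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return {ip, ts, path, status} for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_fuzzing(lines, window=timedelta(seconds=60),
                   min_requests=20, min_404_ratio=0.8):
    """Return {ip: {"requests", "not_found", "distinct_paths"}} for every IP
    that, within any span of `window`, made at least `min_requests` requests
    of which at least `min_404_ratio` got a 404. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward so recs[start:end+1] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            not_found = sum(1 for r in win if r["status"] == 404)
            if not_found / len(win) >= min_404_ratio:
                # Keep the largest offending window seen for this IP.
                prev = alerts.get(ip)
                if prev is None or len(win) > prev["requests"]:
                    alerts[ip] = {
                        "requests": len(win),
                        "not_found": not_found,
                        "distinct_paths": len({r["path"] for r in win}),
                    }
    return alerts


def build_sample_log():
    """Constructed sample: a scanner at 203.0.113.5 sweeping /staff/portal/<word>
    once per second (two hits among the misses, as a real sweep would produce),
    and an ordinary user at 198.51.100.7 browsing a few real pages."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "-"'
    t0 = datetime(2023, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for i in range(28):
        word = f"word{i}"
        status = 200 if word in ("word3", "word17") else 404
        lines.append(fmt.format(ip="203.0.113.5", ts=stamp(t0 + timedelta(seconds=i)),
                                path=f"/staff/portal/{word}", status=status))
    for i, path in enumerate(["/", "/staff", "/staff/login", "/staff/portal/", "/about"]):
        lines.append(fmt.format(ip="198.51.100.7", ts=stamp(t0 + timedelta(seconds=15 * i)),
                                path=path, status=200))
    return lines


if __name__ == "__main__":
    for ip, info in detect_fuzzing(build_sample_log()).items():
        print(f"{ip}: {info['requests']} requests, {info['not_found']} x 404, "
              f"{info['distinct_paths']} distinct paths")
```

The sliding window is what keeps this cheap to run over a whole day's log: each IP's records are visited once, and the window only ever moves forward. Tuning the thresholds is the real work; a broken link on a busy page can also produce a burst of 404s, which is why the ratio is combined with a minimum request count and why the distinct-path count is reported alongside (a scan touches a different path on every request, a broken link does not).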

I am getting nowhere: no results from the fuzzing scans above, and I tried working around the IP restriction on the admin portal but had no luck. I try SQL injection on the security question for the user we found at ID 3, but no luck. I take the token for the user I can log in as and pass it into CrackStation to try to figure out whether it is something I can control, but yet again, no luck.

I remember the photos on the staff page; maybe the pub name is in there, but no luck. I decide to try to find the image for the missing staff member, so I guess I need to work out the method used to create the hash. I am still stumped after checking whether the hash is built from different parts of the name, so I decide to look at previous posts about flag 3 in the CTF Challenge Discord. A few of the comments mention the hash is made from a timestamp, so I decide to look at the metadata in the images to confirm. Yet again, no luck.

I see the hint in the Discord that this flag is related to OSINT, probably getting the pub name from somewhere, but I am still having no luck. I decide to try mosint. Mosint is failing to execute and, to be honest, I cannot be bothered to find out why.

I decide to call it quits for today. I did not get very far, I only found a new subdomain, but I think I need to come back to it with fresh eyes.