Attacking VulnRecruitment Part 3

So last time I tried to attack this CTF I was stuck, missing flags 1, 3 and 4. Then I had an idea: I had never run the hashes for the images through CrackStation. This gave me the format of the hash. Actually I already knew this, as I had seen it in the Discord channel dedicated to helping solve this CTF, but I wanted to find out how someone would learn it on their own.

I get the format, then I start fuzzing, but I still fail. It is at this point that I notice a new URL, a direct link to the image. I update my command and boom, I find the image. I then just try visiting the domain of the storage site, and there is flag 1!

I know flag 3 is still OSINT related, so I take the new image and scan it for EXIF data. I see there is a set of longitude and latitude co-ordinates, I drop them into Google Maps and I assume they take me to Amelia’s neighbourhood. I see a pub on the map and grab the name to see if it is the answer to the security question I need. Sure enough it lets me in and I get flag 3; only flag 4 remains.

I can now see the uploads page, where I have an option to get the list of files on the upload server. I check the request in my web proxy of choice (Burp) and see that the parameter of the POST request is listing_file=. I decide to see what other files I can get, so I send the request to Repeater to see what I can do. The first thing I do is change the listing file to flag.txt, and the request does not work. Same thing with no parameter passed in or a simple ../.

I remember the admin subdomain and try passing that in. I get a page-not-found result in the response, although the page still loads. I decide to try fuzzing the admin subdomain through the uploads endpoint, and it actually works.

I wait for the results but get a call from a friend; hopefully I can get back to this one soon. The results come back: I do get some 404s on some .php files, revealing an Nginx 1.18.0 server on Ubuntu, but I do not get anything else and I do not find anything in Exploit-DB, which is frustrating.

I start to think more about the admin page and about the directory structure. I try to access the admin page via ../ but no dice.

I try different methods here but have no luck; I try fuzzing for other files and eventually just keep repeating the same test with different data. I decide to see if anyone has done a writeup, and part way through watching this video by Hilbert I realise I missed something: I never fuzzed the upload site. I start running that using ffuf.

ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://b38f1-uploads.vulnrecruitment.co.uk/FUZZ -H "Cookie: ctfchallenge=<CTF_CHALLENGE_COOKIE>; token=27e580b47eb12532bfed6380991806a2" -mc all -fc 404

I find the page /redirect and try to open it. It wants a URL parameter; I guess the parameter is url, and that gives me a different error: it wants the protocol in the URL. I add http:// and then I get back to the admin page. I was hoping for something different.

I then go back to Burp Repeater and pass the redirect URL (redirect?url=...) in the listing_file parameter, and then I find flag 4. I will admit I am a little disappointed at having needed hints, but at least I can learn from it in future.
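To make that last step concrete from the defender's side, here is an added Python model (not code from the writeup or from the CTF itself) of the listing_file chain: the server fetches a caller-supplied URL, the admin host is denied, but an open redirect on the allowed uploads host still delivers the fetcher there unless every hop is re-validated. The hostnames and the in-memory fake fetcher are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

UPLOADS_HOST = "uploads.example.test"  # constructed stand-in for the uploads site
ADMIN_HOST = "admin.example.test"      # constructed stand-in for the admin subdomain

# Constructed fake web used in place of real HTTP: returns (status, body_or_location).
# /redirect on the uploads host echoes its url parameter as a 302, like the one found by fuzzing.
def fake_fetch(url):
    p = urlparse(url)
    if p.hostname == ADMIN_HOST:
        return 200, "admin panel"
    if p.hostname == UPLOADS_HOST and p.path == "/redirect":
        return 302, parse_qs(p.query).get("url", [""])[0]
    if p.hostname == UPLOADS_HOST:
        return 200, "file listing"
    return 404, ""

REDIRECTS = (301, 302, 303, 307, 308)

def host_allowed(url):
    """Allow-list check: only http(s) URLs pointing at the uploads host may be fetched."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname == UPLOADS_HOST

def naive_listing(url, fetch=fake_fetch):
    """Vulnerable: validates only the URL the client supplied, then follows
    redirects blindly, so an open redirect on the allowed host reaches admin."""
    if not host_allowed(url):
        return "denied"
    status, payload = fetch(url)
    while status in REDIRECTS:           # Location target is never re-checked
        status, payload = fetch(payload)
    return payload

def hardened_listing(url, fetch=fake_fetch, max_hops=3):
    """Fixed: do not let the HTTP client auto-follow; validate every hop
    against the allow-list before fetching it, and cap the hop count."""
    for _ in range(max_hops + 1):
        if not host_allowed(url):
            return "denied"
        status, payload = fetch(url)
        if status not in REDIRECTS:
            return payload
        url = payload                    # the redirect target goes through the same check
    return "denied"                      # redirect loop or too many hops
```

With a real HTTP client this means turning off automatic redirect following and re-running the allow-list check on each Location header before the next request is made.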

I am not sure when I will do another CTF, as I am currently working on some training with Hack The Box Academy, but I look forward to coming back with more knowledge.