Attacking VulnTraining Part 2

So back to trying to complete VulnTraining from CTF Challenge, which I started yesterday, but this time I am sitting down to focus and not trying to complete chores at the same time. I start by reviewing my mind map and decide that my best bet is the billing subdomain, which I know has a login page from yesterday's fuzzing.

I fire up Burp Suite to proxy all my traffic and be able to inspect it all, and open up the billing subdomain's login page. I pass in a username and password I use to check the error messages and get an interesting response: "Username is invalid". This immediately tells me I should be able to enumerate usernames and then possibly passwords. I turn to ffuf again; I could use Burp Intruder, but I know how to rate limit ffuf but not Burp off the top of my head.

I run ffuf -t 1 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/usernames.txt -X POST -u http://billing.vulntraining.co.uk/login -H "$CTF_CHALLENGE_COOKIE" -H "Content-Type: application/x-www-form-urlencoded" -mc all -fr "Username is invalid" -d "username=FUZZ&password=asdf" and I let that fuzz away as I go get some lunch.

I come back to disappointment: no usernames found. I plug it into Burp after re-learning how to rate limit and try again. Yet again nothing comes back. I decide to try SQL injection, but again nothing comes back. I admit I am stumped, and I decide to go back to the GitHub repo to see if there is another repo in the organisation and, right there, I find a flag I missed in the description. I enter that in and I get flag 6.

I run out of time here. I did not make as much progress as I would have liked, but I am happy I found a missed flag.