Attacking VulnTraining Part 4

I decide, as I watch the build-up to Queen Elizabeth’s funeral, to see if I can find more flags in VulnTraining.

I start by fuzzing the admin subdomain for directories, trying to bypass the unauthorised page, using ffuf -t 4 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://admin.vulntraining.co.uk/FUZZ -H "Cookie: $CTF_CHALLENGE_COOKIE" -mc all -fc 404. This does not return anything, so I decide to try the same technique I used to get past the server login page, but yet again no luck; I am stumped.

I decide to see if there is a deeper nested subdomain by running ffuf -t 4 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/subdomains.txt -u http://FUZZ.admin.vulntraining.co.uk -H "$CTF_CHALLENGE_COOKIE" -mc all -fc 404, but yet again nothing is found. I make one more attempt at finding subdirectories, this time filtering on the response size with ffuf -t 4 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://admin.vulntraining.co.uk/FUZZ -H "$CTF_CHALLENGE_COOKIE" -mc all -fr 16. Yet again, nothing. I decide to try using the random subdomain I found before as the value of the X-Forwarded-For and Referer headers, but this does not expose anything else.

Since the admin subdomain is not being fruitful, I decide to go back, on the assumption that flag 3, which I have not yet found, is somewhere to be found. I start by trying to find a nested subdomain, but I am not overly confident of finding anything. I also start reading the code in the GitHub repository, looking for logic flaws. This is tedious, but I do find something to play with: there is a line <h1><?php echo $data["h1"]; ?></h1>, which indicates to me that somewhere there is at minimum an XSS vulnerability, but I have not yet found a way to trigger it.

The other interesting piece is a line which sets the response header of the page: <?php header("HTTP/1.0 404 Not Found"); ?>. This header() call sets the response status to 404 Not Found by default. I therefore think that this framework does not apply to vulntraining.co.uk but to another one of the subdomains. There is also a redirect function, which sets the header Location: ${TARGET_URL}.
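The two patterns picked out of the source above, a heading value echoed verbatim and a Location header built from a supplied URL, shown next to hardened counterparts. This is an added Python example, not code from this post or from the VulnTraining repository; the function names, SITE_BASE and the ALLOWED_HOSTS list are assumptions made for the illustration.

```python
"""Added example (not from the original post or the VulnTraining code):
the two patterns spotted in the PHP source, rendered in Python next to a
hardened form. Function names, SITE_BASE and ALLOWED_HOSTS are assumptions."""
import html
from typing import Optional
from urllib.parse import urljoin, urlparse

# Hosts a redirect is allowed to send the browser to (constructed list).
ALLOWED_HOSTS = {"vulntraining.co.uk", "admin.vulntraining.co.uk"}
SITE_BASE = "https://vulntraining.co.uk/"


def render_heading_unsafe(h1: str) -> str:
    """Mirror of <h1><?php echo $data["h1"]; ?></h1>: the value is
    written into the page verbatim, so any markup in it is rendered."""
    return f"<h1>{h1}</h1>"


def render_heading(h1: str) -> str:
    """Hardened form: HTML-encode the value so it can only ever be text."""
    return f"<h1>{html.escape(h1, quote=True)}</h1>"


def safe_redirect_target(target: str, base: str = SITE_BASE) -> Optional[str]:
    """Return the URL that may be placed in a Location header, or None
    when the requested target must be refused.

    Relative targets are resolved against the site's own origin, so
    "/login" stays on-site. Absolute targets are accepted only with an
    http(s) scheme and a host on the allow list; the same two checks
    reject scheme-relative "//other.example" targets and non-HTTP schemes."""
    resolved = urljoin(base, target)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return resolved


if __name__ == "__main__":
    print(render_heading_unsafe("<i>Welcome</i>"))
    print(render_heading("<i>Welcome</i>"))
    for t in ("/login", "https://admin.vulntraining.co.uk/", "//other.example/"):
        print(t, "->", safe_redirect_target(t))
```

The redirect check resolves first and validates afterwards, so the decision is always made on the URL the browser would actually receive rather than on the raw parameter.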

I start trying to see if any of the known subdomains accept parameters such as redirect and h1, but no luck. I decide to continue along the line of thinking about parameters, attempting to fuzz for some using ffuf -t 4 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/parameters.txt -u http://admin.vulntraining.co.uk\?FUZZ\=true -H "$CTF_CHALLENGE_COOKIE" -mc all -fc 401. No luck on that one either, and I decide to call it a night with no flags found. I do, however, take a quick look through the CTF Challenge Discord server for any clues, as I am not finding anything.

EDIT: After publishing, I found one clue for flag 3 in the Discord server: “check the source code of the home page”. I went back and found something: when looking at external assets, I see that the image for the home page is loaded from an AWS S3 bucket, which I find out is public. I then open the root of the bucket and see there is a file called flag.txt, which holds flag 3. Lesson learnt: check where everything is being loaded from, not just scripts.
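The closing lesson, turned into a repeatable check: an inventory of every host a page loads assets from (images, stylesheets, scripts, frames, media), with the ones outside the site's own domain separated out and S3-style hosts flagged for a bucket-permissions review. This is an added Python example, not code from the post; the sample HTML, the CDN host and the bucket host in it are constructed, and the real VulnTraining bucket name is not in the post and does not appear here.

```python
"""Added example (not from the original post): list the hosts a page pulls
assets from, split first-party from third-party, and flag S3-style hosts.
The sample page and every host in it are constructed for this example."""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and attributes through which a page loads something from a URL.
ASSET_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
}

# Virtual-hosted S3 names: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-<region>.amazonaws.com, plus the bare path-style endpoint.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


class AssetCollector(HTMLParser):
    """Collect (tag, absolute URL) for every asset reference in the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        wanted = ASSET_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset holds "url 1x, url 2x": keep only the URL of each candidate.
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                if cand.startswith("data:"):
                    continue  # inline data, nothing is fetched
                self.assets.append((tag, urljoin(self.page_url, cand)))


def asset_origins(page_url, html_text):
    """Return {host: [absolute URLs]} for every asset the page references."""
    parser = AssetCollector(page_url)
    parser.feed(html_text)
    by_host = defaultdict(list)
    for _tag, url in parser.assets:
        by_host[urlparse(url).hostname or ""].append(url)
    return dict(by_host)


def third_party_origins(page_url, site_domain, html_text):
    """Hosts outside site_domain (and its subdomains), each with its URLs
    and an 's3' flag marking hosts that should get a bucket-listing review."""
    report = {}
    for host, urls in asset_origins(page_url, html_text).items():
        if host == site_domain or host.endswith("." + site_domain):
            continue
        report[host] = {"urls": sorted(urls), "s3": bool(S3_HOST.search(host))}
    return report


# Constructed sample page; hosts are placeholders, not the real site's.
SAMPLE_URL = "https://vulntraining.co.uk/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="https://example-bucket.s3.eu-west-2.amazonaws.com/img/home.png" alt="home">
<img src="/img/logo.png" srcset="/img/logo.png 1x, /img/logo@2x.png 2x">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""

if __name__ == "__main__":
    for host, info in third_party_origins(SAMPLE_URL, "vulntraining.co.uk", SAMPLE_HTML).items():
        tag = " [S3 bucket: check whether the root lists]" if info["s3"] else ""
        print(f"{host}{tag}")
        for u in info["urls"]:
            print("   ", u)
```

Run against a saved copy of the home page, the report gives the same answer the hint pointed at, without relying on noticing a single image by eye: any S3 host in the third-party list is a candidate for a public-listing check on its bucket root.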