HHousen National Cyber Scholarship Competition 2021 Writeup
WH01 - 500pts

Last updated 4 years ago
Briefing

Access the site at https://cfta-wh01.allyourbases.co and find a way to get the flag from the CMS.

Solution

  1. Since the website looks pretty empty, we can try some directory busting: gobuster dir -u https://cfta-wh01.allyourbases.co/ -t 200 --exclude-length 16 --extensions txt,html -w /usr/share/wordlists/dirb/common.txt. We use the common dirb wordlist included with Kali and also check for files with the txt and html extensions.

    gobuster output:

     [+] Url:                     https://cfta-wh01.allyourbases.co/
     [+] Method:                  GET
     [+] Threads:                 200
     [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
     [+] Negative Status codes:   404
     [+] Exclude Length:          16
     [+] User Agent:              gobuster/3.1.0
     [+] Extensions:              txt,html
     [+] Timeout:                 10s
     ===============================================================
     2021/04/08 19:43:11 Starting gobuster in directory enumeration mode
     ===============================================================
     /admin.html           (Status: 304) [Size: 0]
     /index.html           (Status: 200) [Size: 616]
     /index.html           (Status: 200) [Size: 616]
     /readme.txt           (Status: 200) [Size: 154]
     /soap                 (Status: 200) [Size: 0]  
    
     ===============================================================
     2021/04/08 19:43:23 Finished
     ===============================================================
  2. We find an interesting /admin.html file, which is empty, and a /readme.txt, which says the following:

     To use the CMS make sure to visit /admin.html from allowed IPs on the local network.
    
     Note: Tell engineering to stop moving the subnet from 192.168.0.0/24
  3. So, /admin.html only works when a request comes from an IP on the local network. It's possible that the service is simply checking the X-Forwarded-For HTTP header, so let's try that.

  4. We can use a Python script to loop through every possible IP in 192.168.0.0/24 and make a GET request to /admin.html with the X-Forwarded-For header set to the IP currently being tested. If the length of the response is greater than 0, we print the response. This finds the flag after a few seconds.
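Added example, not part of the original writeup: the kind of access check that makes this bypass possible, beside a hardened version that only honours X-Forwarded-For when the TCP peer is a trusted reverse proxy, plus a small detector for the spoof pattern. The proxy address 10.0.0.1 and the sample requests are constructed assumptions.

```python
import ipaddress

# Subnet the readme says /admin.html is restricted to.
ALLOWED_NET = ipaddress.ip_network("192.168.0.0/24")
# Hypothetical reverse-proxy address; only this peer may legitimately set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def client_ip_vulnerable(remote_addr, headers):
    """Trusts X-Forwarded-For blindly, so any client can claim any source IP."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, headers):
    """Honours X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    uses the rightmost hop (the one our proxy appended); everything to its left
    was supplied by the client and is untrusted."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    try:
        return ipaddress.ip_address(hops[-1]) if hops else peer
    except ValueError:
        return peer


def admin_allowed(remote_addr, headers, resolve=client_ip_hardened):
    """The /admin.html access check, parameterised by how the client IP is resolved."""
    return resolve(remote_addr, headers) in ALLOWED_NET


def spoof_alerts(requests):
    """Detection: X-Forwarded-For arriving from a peer that is not our proxy is a
    spoofing attempt; return the (peer, claimed address) pairs worth alerting on."""
    alerts = []
    for remote_addr, headers in requests:
        xff = headers.get("X-Forwarded-For")
        if xff and ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
            alerts.append((remote_addr, xff))
    return alerts


# Constructed sample traffic: one spoof from the internet, two requests via the proxy.
SAMPLE_REQUESTS = [
    ("203.0.113.7", {"X-Forwarded-For": "192.168.0.5"}),
    ("10.0.0.1", {"X-Forwarded-For": "192.168.0.20"}),
    ("10.0.0.1", {"X-Forwarded-For": "192.168.0.5, 203.0.113.9"}),
]
```

The third sample shows why the rightmost hop is used: a client can prepend any address it likes, but only the address the proxy itself appended is authoritative.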

Flag

iPSpooFinGWiThHopHeaDers91918
