NCS Competition 2021 Writeup
  • HHousen National Cyber Scholarship Competition 2021 Writeup
  • Forensics
    • FE02 - 100pts
    • FE03 - 100pts
    • FH01 - 500pts
    • FE04 - 100pts
    • FM01 - 250pts
    • FM02 - 250pts
    • FM03 - 250pts
    • FE01 - 100pts
  • Crypto
    • CM01 - 250pts
    • CM02 - 250pts
    • CX01 - 1000pts
    • CH01 - 500pts
    • CH02 - 500pts
  • Binary
    • BM01 - 250pts
    • BM02 - 250pts
    • BM03 - 250pts
    • BX01 - 1000pts
    • BX02 - 100pts
    • BE01 - 100pts
    • BE02 - 100pts
    • BH01 - 500pts
  • Networking
    • NM01 - 250pts
    • NE01 - 100pts
  • Web
    • WX01 - 1000pts
    • WE01 - 100pts
    • WE02 - 100pts
    • WH01 - 500pts
    • WH02 - 500pts
    • WM01 - 250pts
    • WM02 - 250pts
    • WM03 - 250pts
    • WM04 - 250pts
    • WM05 - 250pts
  • Challenge Name
Powered by GitBook
On this page
  • Briefing
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Web

WH01 - 500pts

PreviousWE02 - 100ptsNextWH02 - 500pts

Last updated 4 years ago

Was this helpful?

Briefing

Access the site at and find a way to get the flag from the CMS.

Solution

  1. Since the website looks pretty empty we can try some directory busting: gobuster dir -u https://cfta-wh01.allyourbases.co/ -t 200 --exclude-length 16 --extensions txt,html -w /usr/share/wordlists/dirb/common.txt. We use the common dirb list included with Kali and also check for files with txt or html extensions.

    gobuster output:

     [+] Url:                     https://cfta-wh01.allyourbases.co/
 [+] Method:                  GET
 [+] Threads:                 200
 [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
 [+] Negative Status codes:   404
 [+] Exclude Length:          16
 [+] User Agent:              gobuster/3.1.0
 [+] Extensions:              txt,html
 [+] Timeout:                 10s
 ===============================================================
 2021/04/08 19:43:11 Starting gobuster in directory enumeration mode
 ===============================================================
 /admin.html           (Status: 304) [Size: 0]
 /index.html           (Status: 200) [Size: 616]
 /index.html           (Status: 200) [Size: 616]
 /readme.txt           (Status: 200) [Size: 154]
 /soap                 (Status: 200) [Size: 0]  

 ===============================================================
 2021/04/08 19:43:23 Finished
 ===============================================================

  2. We find an interesting /admin.html file, which is empty, and /readme.txt. /readme.txt says the following:

     To use the CMS make sure to visit /admin.html from allowed IPs on the local network.

 Note: Tell engineering to stop moving the subnet from 192.168.0.0/24

  3. So, /admin.html only works when a request comes from an IP on the local network. It's possible that the service is simply checking the X-Forwarded-For HTTP header so let's try that.

  4. We can use a Python to loop through every possible IP and make a get request with the X-Forwarded-For set to the IP that is currently being tested. If the length of the response is greater than 0, we print the response. This finds the flag after a few seconds.

Flag

iPSpooFinGWiThHopHeaDers91918

https://cfta-wh01.allyourbases.co
script