WH01 - 500pts
Access the site at and find a way to get the flag from the CMS.
Since the website looks pretty empty we can try some directory busting:
gobuster dir -u https://cfta-wh01.allyourbases.co/ -t 200 --exclude-length 16 --extensions txt,html -w /usr/share/wordlists/dirb/common.txt
We use the common dirb list included with Kali and also check for files with txt or html extensions.
gobuster output:
We find an interesting /admin.html file, which is empty, and /readme.txt. /readme.txt says the following:
So, /admin.html only works when a request comes from an IP on the local network. It's possible that the service is simply checking the X-Forwarded-For HTTP header so let's try that.
We can use a Python script to loop through every possible IP and make a GET request with the X-Forwarded-For header set to the IP that is currently being tested. If the length of the response is greater than 0, we print the response. This finds the flag after a few seconds.
iPSpooFinGWiThHopHeaDers91918
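The server-side mistake this challenge relies on, shown beside a hardened check, as an added example that is not the challenge's own code. The RFC 1918 ranges, the proxy address 10.0.0.5 and all function names are assumptions, and the requests are constructed.

```python
import ipaddress

# Assumption: "local network" means the RFC 1918 ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: 10.0.0.5 is the only reverse proxy allowed to set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

def in_nets(ip, nets):
    """True if ip parses as an address inside one of nets."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in nets)

def client_ip_naive(peer, headers):
    """Weak: believes whatever the client put in X-Forwarded-For."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer

def client_ip_hardened(peer, headers):
    """Use the TCP peer unless it is a trusted proxy; then walk the
    header right to left and stop at the first untrusted hop."""
    if not in_nets(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not in_nets(hop, TRUSTED_PROXIES):
            return hop
    return peer

def admin_allowed(resolver, peer, headers):
    """Gate for /admin.html: allow only if the resolved client IP is local."""
    return in_nets(resolver(peer, headers), LOCAL_NETS)

# Constructed requests: (TCP peer address, request headers)
DIRECT_SPOOF = ("203.0.113.7", {"X-Forwarded-For": "192.168.0.10"})
VIA_PROXY_SPOOF = ("10.0.0.5", {"X-Forwarded-For": "192.168.0.10, 203.0.113.7"})
VIA_PROXY_INTERNAL = ("10.0.0.5", {"X-Forwarded-For": "192.168.0.10"})

if __name__ == "__main__":
    cases = {"direct spoof": DIRECT_SPOOF, "spoof via proxy": VIA_PROXY_SPOOF,
             "internal via proxy": VIA_PROXY_INTERNAL}
    for name, (peer, hdrs) in cases.items():
        print(name, "| naive:", admin_allowed(client_ip_naive, peer, hdrs),
              "| hardened:", admin_allowed(client_ip_hardened, peer, hdrs))
```

The hardened resolver ignores the header entirely on direct connections and, behind the proxy, uses the address the proxy appended rather than the leftmost value the client supplied.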