WH01 - 500pts
- 1.Since the website looks pretty empty we can try some directory busting:
gobuster dir -u https://cfta-wh01.allyourbases.co/ -t 200 --exclude-length 16 --extensions txt,html -w /usr/share/wordlists/dirb/common.txt. We use the commondirblist included with Kali and also check for files withtxtorhtmlextensions.gobusteroutput:[+] Url: https://cfta-wh01.allyourbases.co/[+] Method: GET[+] Threads: 200[+] Wordlist: /usr/share/wordlists/dirb/common.txt[+] Negative Status codes: 404[+] Exclude Length: 16[+] User Agent: gobuster/3.1.0[+] Extensions: txt,html[+] Timeout: 10s===============================================================2021/04/08 19:43:11 Starting gobuster in directory enumeration mode===============================================================/admin.html (Status: 304) [Size: 0]/index.html (Status: 200) [Size: 616]/index.html (Status: 200) [Size: 616]/readme.txt (Status: 200) [Size: 154]/soap (Status: 200) [Size: 0]===============================================================2021/04/08 19:43:23 Finished=============================================================== - 2.We find an interesting
/admin.htmlfile, which is empty, and/readme.txt./readme.txtsays the following:To use the CMS make sure to visit /admin.html from allowed IPs on the local network.Note: Tell engineering to stop moving the subnet from 192.168.0.0/24 - 3.So,
/admin.htmlonly works when a request comes from an IP on the local network. It's possible that the service is simply checking theX-Forwarded-ForHTTP header so let's try that. - 4.We can use a Python script to loop through every possible IP and make a get request with the
X-Forwarded-Forset to the IP that is currently being tested. If the length of the response is greater than 0, we print the response. This finds the flag after a few seconds.
iPSpooFinGWiThHopHeaDers91918Last modified 2yr ago