# WH01 - 500pts

## Briefing

> Access the site at <https://cfta-wh01.allyourbases.co> and find a way to get the flag from the CMS.

## Solution

1. Since the website looks pretty empty we can try some directory busting: `gobuster dir -u https://cfta-wh01.allyourbases.co/ -t 200 --exclude-length 16 --extensions txt,html -w /usr/share/wordlists/dirb/common.txt`. We use the common `dirb` list included with Kali and also check for files with `txt` or `html` extensions.

   `gobuster` output:

   ```
    [+] Url:                     https://cfta-wh01.allyourbases.co/
    [+] Method:                  GET
    [+] Threads:                 200
    [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
    [+] Negative Status codes:   404
    [+] Exclude Length:          16
    [+] User Agent:              gobuster/3.1.0
    [+] Extensions:              txt,html
    [+] Timeout:                 10s
    ===============================================================
    2021/04/08 19:43:11 Starting gobuster in directory enumeration mode
    ===============================================================
    /admin.html           (Status: 304) [Size: 0]
    /index.html           (Status: 200) [Size: 616]
    /index.html           (Status: 200) [Size: 616]
    /readme.txt           (Status: 200) [Size: 154]
    /soap                 (Status: 200) [Size: 0]  

    ===============================================================
    2021/04/08 19:43:23 Finished
    ===============================================================
   ```
2. We find an interesting `/admin.html` file, which is empty, and `/readme.txt`. `/readme.txt` says the following:

   ```
    To use the CMS make sure to visit /admin.html from allowed IPs on the local network.

    Note: Tell engineering to stop moving the subnet from 192.168.0.0/24
   ```
3. So, `/admin.html` only works when a request comes from an IP on the local network. It's possible that the service is simply checking the `X-Forwarded-For` HTTP header so let's try that.
4. We can use a Python [script](https://github.com/HHousen/NCS-Competition/tree/e3a1ab990b675bd865fdddd9e5fa5cd7895b3b02/Web/WH01/script.py) to loop through every possible IP and make a get request with the `X-Forwarded-For` set to the IP that is currently being tested. If the length of the response is greater than 0, we print the response. This finds the flag after a few seconds.

### Flag

`iPSpooFinGWiThHopHeaDers91918`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ncs2021.haydenhousen.com/web/wh01.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.