Tags: web 


# the hacker one

This challenge was one of the weirdest challenges I have ever done,
so let's begin:

We have the challenge URL: https://umbc.h1ctf.com/
I started with a dirsearch
and found the following endpoints.

From here I started to look at the endpoints.





`/profile` and `/debug` caught my eye, so I started crafting a JWT token to see the contents,
and after a lot of trial and error and pain it worked.
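As an added example (not code from the writeup or from the challenge itself), this shows what "seeing the contents" of a JWT amounts to, and what a `/profile`-style endpoint must do before it trusts any claim. The signing key, the claim names and all three tokens are constructed for the example; only the idea of a hand-crafted token comes from the writeup.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed signing key for this example; it is not the challenge's key.
SECRET = b"demo-key-not-from-the-challenge"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _encode_json(obj: Dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def inspect_jwt(token: str) -> Tuple[Dict, Dict]:
    """Decode header and payload WITHOUT verifying anything.
    This is all it takes to read a token's claims, so nothing secret belongs in them."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def sign_hs256(payload: Dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the real issuer does)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(payload)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_hs256(token: str, key: bytes) -> Optional[Dict]:
    """Server-side check an endpoint must do before trusting claims:
    pin the algorithm, recompute the HMAC, compare in constant time."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None  # refuses "none" and any algorithm the client picked for us
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def with_claims_edited(token: str, **changes) -> str:
    """Re-encode a token with edited claims, alg=none and an empty signature: the kind of
    hand-crafted token an endpoint that only decodes (never verifies) would accept."""
    _header, payload = inspect_jwt(token)
    payload.update(changes)
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(payload) + "."


# Constructed tokens used by the checks below.
GENUINE = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
EDITED = with_claims_edited(GENUINE, role="admin")
WRONG_KEY = sign_hs256({"sub": "alice", "role": "admin"}, b"some-other-key")

if __name__ == "__main__":
    print("claims anyone can read from the edited token:", inspect_jwt(EDITED)[1])
    print("verify(GENUINE)   ->", verify_hs256(GENUINE, SECRET))
    print("verify(EDITED)    ->", verify_hs256(EDITED, SECRET))
    print("verify(WRONG_KEY) ->", verify_hs256(WRONG_KEY, SECRET))
```

`inspect_jwt` is the attacker's and the defender's view alike: header and payload are only base64url, so a token that carries a path, a hostname or a key in its claims has already leaked them. `verify_hs256` pins the algorithm from server-side configuration instead of reading it from the token, which is what makes the `alg: none` and wrong-key tokens fail.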



**At this point I thought that's it, that's the whole thing, isn't it?**
**And it turns out no, that was nothing :(**

After some time I got frustrated and needed some help, so I talked to my teammate https://twitter.com/ianonhulk
and we kept on trying and trying for hours and nothing helped.

So we just started from the beginning and retraced our steps :)
I was just taking a look again at `/profile` and I was like `hmmmmm is that a f***ing VHOST`


I added all the weird domains to my `/etc/hosts` and started playing around,
and it didn't work, like WTF, so I tried the vhost from `/debug` and it worked :P

After this amazing discovery I started fuzzing the API
and I got some other endpoints.


Now only `/reports` caught my eye, but it's forbidden **hmmmmmmmmmm**:


I also guessed `/reporters` because, you know, it makes sense; it's also forbidden :(

After examining the headers we found out that we can bypass the protection with the API key from `/debug` on the first domain; with some trial and error we found out that it's the `api-key` header.


**So are we done yet?**

It turns out the API is useless, nothing unique.

We kept on banging our heads until I read the hints about different castles and docs, etc.
So this challenge is inspired by HackerOne and stuff, so the API docs should be like this: https://api.hackerone.com/v1/api-docs/v1/swagger.json

After a couple of hours of pain and a lot of hard metal music we found the right vhost and path.
I just started screaming because it was the only thing I wanted for hours.


So from the docs we found out that there's a hidden param in the API for `/debug`.

We can see `/home/jobert`, so the flag should be `/home/jobert/flag.txt`.

**NO, there's still a lot of pain and sacrifice**

At this point there were still 30 minutes left in the CTF and I needed the flag.

So the hints have something to do with `$CLOUD_SERVER` or whatever.
From `/debug` we can clearly see it's on AWS, so we started playing around with AWS stuff.
The only useful thing we found was this: http://api.rbtrust.internal/debug?url_48902=



There was no flag or anything important, so we got a good idea about S3 buckets,
anddddd the keys for the S3 were wrong :(

15 mins left and still nothing, WTF; my teammate was like `I need the f***ing flag`

So after reading some writeups and stuff we discovered that the AWS keys are in `/home/jobert/.aws/credentials`
and it worked :P
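The hidden `url_48902` parameter on `/debug` and the `/home/jobert/.aws/credentials` read above add up to a server-side fetch that accepts any URL, including local files and internal hosts. As an added example (not the challenge's code, nor anything from the writeup), here is the validation such a parameter needs, plus a check that runs the same rule over access-log lines to spot requests that should never have been served. The hostnames, IP addresses, allow-list and log lines are constructed for the example; only the parameter name and the credentials path come from the writeup.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allow-list: the only names this endpoint is ever meant to fetch from.
ALLOWED_HOSTS = {"docs.example.test", "partner.example.test"}

# Constructed resolver stand-in so the example runs offline. A real check would call
# socket.getaddrinfo() and test every returned address, since a name can have several.
FAKE_DNS = {
    "docs.example.test": "93.184.216.34",   # constructed: a public address
    "partner.example.test": "10.0.0.5",     # constructed: allow-listed name now pointing inside
}


def validate_fetch_url(raw: str,
                       resolver: Callable[[str], Optional[str]] = FAKE_DNS.get) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL a debug endpoint has been asked to fetch."""
    try:
        parts = urlparse(raw)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '<none>'!r} not allowed"  # stops file:// and bare paths
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow-list"
    ip = resolver(host)
    if ip is None:
        return False, f"host {host!r} does not resolve"
    # Even an allow-listed name is refused if it resolves to loopback, private,
    # link-local or otherwise non-global space.
    if not ipaddress.ip_address(ip).is_global:
        return False, f"host {host!r} resolves to non-global address {ip}"
    return True, "ok"


# Constructed access-log lines (not from the challenge) for requests to the debug endpoint.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2020:10:00:00 +0000] "GET /debug?url_48902=https://docs.example.test/swagger.json HTTP/1.1" 200 512
10.1.2.3 - - [01/Jan/2020:10:00:05 +0000] "GET /debug?url_48902=file:///home/jobert/.aws/credentials HTTP/1.1" 200 116
10.1.2.3 - - [01/Jan/2020:10:00:09 +0000] "GET /debug?url_48902=http://partner.example.test/ HTTP/1.1" 200 40
10.1.2.3 - - [01/Jan/2020:10:00:12 +0000] "GET /profile HTTP/1.1" 200 300
"""

_REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')


def flag_suspicious_fetches(log_text: str, param: str = "url_48902") -> List[Tuple[str, str]]:
    """Apply validate_fetch_url to every value of `param` seen in the log.
    Returns (target, reason) for each request the endpoint should have refused."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)
        for target in query.get(param, []):
            ok, reason = validate_fetch_url(target)
            if not ok:
                hits.append((target, reason))
    return hits


if __name__ == "__main__":
    for target, reason in flag_suspicious_fetches(SAMPLE_LOG):
        print(f"REFUSE {target}: {reason}")
```

The scheme check alone would have stopped the `file://` read of the credentials file, and the allow-list plus resolution check covers the internal-host case. Separately from the URL check, AWS keys sitting in a home directory readable by the web process is the other half of this finding; an instance role, whose credentials are never on disk, removes that file altogether.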




Still no, we had another thing: at that time we didn't know about the tool to brute-force the right bucket,
so we had to guess. We had 6 mins left in the CTF, my hands were shaking and I didn't know how to type.

And it was `rbtrust-internal`.


**YES YES, but wait a minute, how can I read the flag, hmmmmmmmm?**

I didn't know what to do, so I had to break it whatever it cost.
After some trial and error I got it:

`aws s3 cp s3://rbtrust-internal/flag.txt ./1`
And done, it took us 10 hours to finish it.

Submitted 2 mins before the CTF ended :D



Only 2 solves :)
![2 solves](https://github.com/pop-eax/DawgCTF/raw/master/Web/the%20hacker%20one/imgs/ww.png)

Original writeup (https://github.com/pop-eax/DawgCTF/blob/master/Web/the%20hacker%20one/README.md).