Tags: web
Rating:
# the hacker one
This challenge was one of the weirdest challenges, I have ever done
so let's begin:
we have the challenge url: https://umbc.h1ctf.com/
I started by a dirsearch
and found the following endpoints
from here I started to look at the endpoints
`/login`
`/register`
`/profile`
`/debug`
`/profile and /debug` caught my eye, so I started crafting a jwt token to see the contents
and after a lot of trial and error and pain it worked
`eyJhbGciOiJIUzI1NiJ9.eyJpZGVudGl0eSI6ImFkbWluIn0.VT1uf1w7wH4IZ7o2VddMipUJahZ44KtwUMkkOkqTFlc`
**at this point I thought that's it, that's the whole thing isn't it ?**
**and it turns out no that was nothing :(**
after sometime I got frustrated and needed some help so I talked to my teammate https://twitter.com/ianonhulk
and we kept on trying and trying for hours and nothing helped
so we just started from the beginning and backtracked our tracks :)
I was just taking a look again at /profile and I was like `hmmmmm is that a f***ing VHOST`
I added all the weird domains to my `/etc/hosts` and started playing around
and it didn't work like WTF, so I tried with the vhost from `/debug` and it worked :P
after this amazing discovery I started fuzzing the api
and I got some other endpoints
now only `/reports` caught my eye but it's forbiden **hmmmmmmmmmm**:
I also guessed `/reporters` because you know it makes sense, it's also forbiden :(
after examining the header we found out that we can bypass the protection with the api key from the /debug on the first domain, with some trial and error we found out that it's the `api-key` header
**so are we done yet ?**
**NO**
it turns out the api is useless nothing unique
we kept on banging our heads until I read the hints about different castles and docs ..etc
so this challenge is inspired by hackerone and stuff so the api docs should be like this https://api.hackerone.com/v1/api-docs/v1/swagger.json
after a couple of hours of pain and a lot of hard metal music we found out the right vhost and path
http://swagger.rbtrust.internal/swagger.json
I just started screaming because it was the only thing I wanted for hours
so from the docs we found out that there's a hidden param in the api for /debug
http://api.rbtrust.internal/debug?url_48902=file:///etc/passwd
we can see `/home/jobert` so the flag should be `/home/jobert/flag.txt`
**YES YES, STILL ARE WE F\*\*\*CKING DONE YET**
**NO, there's still alot of pain and sacrifice**
at this point there was still 30 minutes for the CTF and I need the flag
so the hints have something to do with `$CLOUD_SERVER` or whatever
from the /debug we can clearly see it's an aws, so we started playing around with aws stuff
the only useful thing we found was this http://api.rbtrust.internal/debug?url_48902=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
**STILL WHERE'S THE FLAG GUYS**
there was no flag or anything important so we got a good idea about s3 buckets
anddddd the keys for the s3 was wrong :(
15 mins left and still nothing WTF, my teammate was like `I need the f***ing flag`
so after reading some writeups and stuff we discovered that the aws keys are in `/home/jobert/.aws/credentials`
and it worked :P
**ARE WE DONE YET SRSLY GUYS**
still no, we had another thing, at that time we didn't know about the tool to bruteForce for the right bucket
so we had to guess, we had 6 mins left for the CTF my hands were shaking and I didn't know how to type.
and it was rbtrust-internal
**YES YES, but wait a minute how can I read the flag hmmmmmmmm?**
I didn't know what to do, so I had to break it whatever it costs
after some trial and error I got it
`aws s3 cp s3://rbtrust-internal/flag.txt ./1 `
and done it took us 10 hours to finish it
submitted 2 mins before the ctf ends :D
`flag{get_em_uPy4TWP1SQlcaukrU8GPe}`
only 2 solves :)
