Tags: osint 

Rating: 3.0

# Phriedman Systems (250)

<blockquote>
We want access to the CEO's secure data. Log in to their website using the CEO's account. https://phriedmansystems.onrender.com/



Hints:


• This is primarily a Recon challenge.

• There is NO password cracking, brute force, or password guessing required.

• There is NO steganography of any sort required.

• The onrender.com website is just used for hosting. Attacking Render is not a part of the challenge; do not attack Render or attempt to break into the backend.

• You don't need to use anything on the Internet at all apart from phriedmansystems.onrender.com.

Author: nb
</blockquote>

# Solution

As the task text makes clear, we shouldn't try to guess or hack anything. We can also see that all the valuable information is on this site alone. So, let's begin...


First, pay attention to the category of this challenge. It's FWN (Forensic, Web and Network). Based on that, we will use the following methods.

1. When I see a task from the Web category, I always like to check /robots.txt.

Excellent! We found the login page.

```
User-agent: *
Allow: /
Disallow: /login.html
```

Let's check this page.



As we can see, first we need to find out the CEO's login.

2. Let's explore all pages.

The next hint is on the "Employees" and "Careers" tabs. On both tabs, we can find employees' e-mail addresses.

On the "Employees": Rob Fiddson - Mechanical Engineer: rfiddson@phriedmansystems

On the "Careers": Stephanie Leaver - Director of HR: [email protected]

Based on this, we can see that the login is the first letter of the first name + the last name! Thus, the CEO's login is: csmith

Let's check it out. Correct!



3. It remains to find out the password.

Unfortunately, having carefully researched the entire site, I could not find information that would be useful... The only thing left is the phone number. Let's try to call!

IT'S WORKING! We got an answer!

The answering machine offers us a choice of menu options.

Having used all the menu options, we can notice that the first option allows us to get more detailed information about the company. It may be useful!

Under the fourth option we find technical support! Bingo! We can recover the password by login! Next, using the keyboard, we need to specify the login.


In the picture below, you can see an example of a keyboard:



Using the numbers, enter the login. And at the end we add "#" for input: 222 222 7777 6 444 8 44 #

In response, we receive a warning that we can restore this account only by correctly answering the question.

As an answer, we need to enter the favorite city of the CEO. We got this information in the first menu option. It's Albany.

Using the keyboard, enter the name of the city. If we see "two letters on one number", then we need to add "0". And at the end we add "#" for input: 2 555 22 0 2 66 999 #

Password reset! New password: monkey_alpaca_excellent_button_7435

Log in to the site and get the flag: DawgCTF{y0ur_c4ll_1s_v3ry_1mp0rt4nt_t0_u5}
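
The keypad entry rule used for the security answer above, as an added example that is not part of the original writeup. It assumes the standard ITU E.161 letter layout on the phone keys, and the function names `encode` and `decode` are made up for this illustration.

```python
# Multi-tap keypad encoding as described for the phone menu in this writeup.
# Assumption: standard ITU E.161 letter layout; "0" separates two consecutive
# letters that share a key, and "#" ends the input.
KEYS = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
# letter -> (key, number of presses)
TAPS = {ch: (key, i + 1) for key, letters in KEYS.items()
        for i, ch in enumerate(letters)}


def encode(text):
    """Return the key groups to dial for `text`, terminated by '#'."""
    groups = []
    prev_key = None
    for ch in text.lower():
        if ch not in TAPS:
            raise ValueError(f"no keypad mapping for {ch!r}")
        key, presses = TAPS[ch]
        if key == prev_key:
            groups.append("0")  # same key twice in a row: insert separator
        groups.append(key * presses)
        prev_key = key
    return " ".join(groups + ["#"])


def decode(dialed):
    """Inverse of encode(): turn dialed groups back into letters."""
    out = []
    for group in dialed.split():
        if group in ("0", "#"):
            continue  # separator and terminator carry no letter
        key = group[0]
        if key not in KEYS or set(group) != {key} or len(group) > len(KEYS[key]):
            raise ValueError(f"invalid group {group!r}")
        out.append(KEYS[key][len(group) - 1])
    return "".join(out)


if __name__ == "__main__":
    dialed = encode("Albany")
    print(dialed)
    print(decode(dialed))
```
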

Original writeup (https://github.com/L0stFaith/CTFs/blob/master/DawgCTF/FWN%20(Forensic%2C%20Web%2C%20Network)/Phriedman%20Systems.md).