```
DESCRIPTION:
two subdomains of zone443.dev are given: an admin subdomain and a common subdomain

via the common subdomain you can get your client certificate and initialize your own subdomain
there is also a form on the common subdomain via which you can trigger the "admin" to look up any link, provided it leads to a subdomain of zone443.dev
effectively you can trigger a GET to your own subdomain

the admin subdomain gives you a message that your client certificate is not authorized

TASK:
so the task becomes obvious:
trigger a GET to the admin domain with the admin client certificate. the response should contain the flag. get it!

SOLUTION:

-get a legit and free https certificate for your subdomain
-set up an https terminating server
-trigger the admin GET via the form
-serve a js page which, after some timeout, issues a GET request and then, again after some timeout, a second GET carrying the serialized response of the first. the domain:port part must be the same for both to satisfy CORS
-shut down the server and set up a proxying server to the admin subdomain, so the first GET with the admin client cert effectively goes to the admin server on the transport level (with your subdomain still in the address bar)
-shut down the server and set up the terminating server again, log the second request with the flag

```
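the defensive counterpart, as an added example that is not part of the original writeup: the relayed GET reaches the admin server with the player's subdomain as the requested name, so an admin vhost that checks the TLS SNI name and the Host header before it looks at the client certificate answers 421 instead of the flag. the hostnames, ADMIN_HOST, normalizeHost and checkRequest are assumptions made for the illustration.

```javascript
// Added defensive example; all hostnames below are constructed placeholders.
const ADMIN_HOST = "admin.example.test"; // assumption: the only name this vhost serves

// Normalize an SNI value or Host header: lowercase, drop port and trailing dot.
function normalizeHost(value) {
  if (typeof value !== "string" || value.trim().length === 0) return null;
  let host = value.trim().toLowerCase();
  if (host.startsWith("[")) {
    // Bracketed IPv6 literal such as "[::1]:443"
    const end = host.indexOf("]");
    if (end === -1) return null;
    host = host.slice(1, end);
  } else {
    const colon = host.lastIndexOf(":");
    if (colon !== -1) host = host.slice(0, colon);
  }
  if (host.endsWith(".")) host = host.slice(0, -1);
  return host.length > 0 ? host : null;
}

// Decide the response status before any privileged content is produced.
function checkRequest({ sni, hostHeader, clientCertAuthorized }) {
  // The browser opened this connection for some name; if that name is not
  // ours, the response would be read under another origin, so refuse it.
  if (normalizeHost(sni) !== ADMIN_HOST || normalizeHost(hostHeader) !== ADMIN_HOST) {
    return { status: 421, reason: "misdirected request" };
  }
  if (!clientCertAuthorized) {
    return { status: 403, reason: "client certificate not authorized" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed requests: what the admin vhost would see in each situation.
const samples = {
  direct:  { sni: "admin.example.test",   hostHeader: "admin.example.test:443", clientCertAuthorized: true },
  relayed: { sni: "player1.example.test", hostHeader: "player1.example.test",   clientCertAuthorized: true },
  mixed:   { sni: "admin.example.test",   hostHeader: "player1.example.test",   clientCertAuthorized: true },
  unauth:  { sni: "admin.example.test",   hostHeader: "admin.example.test",     clientCertAuthorized: false },
};

function runSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, req]) => [name, checkRequest(req).status])
  );
}

console.log(runSamples());
```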