Breach Web: HTTP Havoc 2024
This was a CTF challenge hosted in INE's CTF Arena. It started on 07/01/2024 and ended on 07/15/2024, but I was able to knock it out in 3 days!
"This challenge requires a blend of cracking tokens, identifying parameters, vulnerability exploitation, and strategic thinking to navigate and compromise the web application successfully. Each stage is built upon the previous one, showcasing the importance of a methodical and thorough approach in web app security testing."
Going into this CTF I was a bit worried whether I had what it takes to actually exploit the web application and get all of the flags. I have had a bit of experience when it comes to web application exploitation through NCL and HTB, but this definitely seemed a bit more realistic. Like all CTFs, it was definitely a learning journey, and I definitely had fun along the way. If you are reading this, I hope you are able to learn a thing or two just as I did. Here we go!
Some of the tools that were used:
gobuster
ffuf
Burp Suite
Wappalyzer
FoxyProxy
Techniques covered:
Directory brute forcing/fuzzing
Intercepting and manipulating HTTP request headers with a web proxy
JWT tokens
Command injection
As soon as we connect to the lab, we are prompted to:
Enumerate the provided web application, identify any vulnerabilities, and exploit them to obtain all the flags
Going to the web app, we are met with a "Clouds App" landing page. I click around some links and forms, but nothing looks particularly interesting.
Wappalyzer reports the following tech stack:
Apache 2.4.52
JS libraries (jQuery, Lightbox, OWL Carousel)
Templated by Webthemez
This gives us an idea of the technology behind the web server, but it points at no obvious weakness, so let's go ahead and enumerate directories on the web app.
/admin
This directory definitely looks interesting. Maybe there is some sort of admin panel, or stored credentials?
Let's enumerate the /admin endpoint further with gobuster for any potential files or additional directories.
/admin/exec
A command injection vulnerability, possibly?
Requesting it only returns the error message "no token found in the header", so the endpoint expects a token to be supplied in a request header before it will do anything.
/admin/.config
A dotfile like this could well hold hard-coded configuration values.
It turns out it does:
API_KEY=edd1c9f034335f136f87ad84b625c8f1
and this is the flag for the first question, nice!
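To make the enumeration chain above concrete (brute force the top level, notice /admin, fuzz under it, read the token error from /admin/exec, pull the key out of /admin/.config), here is an added Python example. It is not part of the original write-up and not INE's or the author's code: it stands up a constructed mock of the lab on localhost so the brute-forcer runs offline. The mock route table, the two wordlists and the 401 status on /admin/exec are assumptions; the only data taken from the page are the paths, the error message and the API_KEY value.

```python
"""Offline re-run of the enumeration chain from the write-up (added example).

A tiny mock of the lab is served on localhost (a constructed stand-in, not
the real target) so the gobuster-style brute-forcer can run without network.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# The one value taken from the page: the key leaked by /admin/.config.
API_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Constructed route table (assumption): only behaviour the write-up describes
# is modelled. The 401 on /admin/exec is assumed; the page shows the message only.
MOCK_ROUTES = {
    "/": (200, "<html>Clouds App landing page</html>"),
    "/admin": (200, "<html>admin panel</html>"),
    "/admin/exec": (401, "no token found in the header"),
    "/admin/.config": (200, f"# app settings\nAPI_KEY={API_KEY}\n"),
}


class MockLab(BaseHTTPRequestHandler):
    """Serves MOCK_ROUTES; anything else is a plain 404."""

    def do_GET(self):
        status, body = MOCK_ROUTES.get(self.path, (404, "Not Found"))
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the console quiet during the brute force


def start_mock_lab():
    """Start the mock on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockLab)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# Ignore any http_proxy in the environment so localhost requests stay local.
_opener = build_opener(ProxyHandler({}))


def probe(base, path, headers=None):
    """GET base+path and return (status, body); 404s are returned, not raised."""
    req = Request(base + path, headers=headers or {})
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def enumerate_paths(base, prefix, wordlist):
    """gobuster-style directory brute force: any non-404 answer is a hit."""
    hits = {}
    for word in wordlist:
        path = f"{prefix}/{word}"
        status, body = probe(base, path)
        if status != 404:
            hits[path] = (status, body)
    return hits


def parse_dotenv(text):
    """Pull KEY=VALUE pairs out of a leaked config file, skipping comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs


# Constructed wordlists (assumption). Note the dotfile entry: a list without
# ".config" in it would never have found the leak.
TOP_WORDS = ["images", "css", "admin", "uploads"]
ADMIN_WORDS = ["login", "users", "exec", ".config", ".env", "backup"]


def walkthrough(base):
    """Chain the steps: find /admin, fuzz under it, read exec's error, grab the key."""
    result = {"dirs": sorted(enumerate_paths(base, "", TOP_WORDS))}
    if "/admin" in result["dirs"]:
        found = enumerate_paths(base, "/admin", ADMIN_WORDS)
        result["admin_paths"] = sorted(found)
        if "/admin/exec" in found:
            result["exec_message"] = found["/admin/exec"][1].strip()
        if "/admin/.config" in found:
            result["config"] = parse_dotenv(found["/admin/.config"][1])
    return result


if __name__ == "__main__":
    server, base_url = start_mock_lab()
    try:
        for key, value in walkthrough(base_url).items():
            print(f"{key}: {value}")
    finally:
        server.shutdown()
```

The takeaway for the real lab is in the second wordlist: gobuster and ffuf only report what you ask for, so once a directory like /admin turns up, fuzz beneath it with a list that carries dotfile names (.config, .env, .git and so on), or the configuration leak stays invisible. Against the actual target the same chain is `gobuster dir -u http://TARGET/ -w WORDLIST` followed by `ffuf -u http://TARGET/admin/FUZZ -w WORDLIST`.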
Now, using this key piece of information
As of today, 07/03/2024, the challenge has not ended yet. So if you are reading this before 07/15/2024, wait until the challenge has ended and come back for the write-up.