The first step was to check where the picture was hosted with a simple right click -> view image:
This led to a new domain: nahamsec.net/Nahamsec_CTF_Giveaway.jpg
If a new domain is found, I like to begin with subdomain discovery, my go-to tool being amass:
amass -d nahamsec.net -brute -active -o nahamsec-subs.txt

http://30kftw.nahamsec.net
https://30kftw.nahamsec.net
http://api-admin.nahamsec.net
https://api-admin.nahamsec.net
http://api-dev.nahamsec.net
https://api-dev.nahamsec.net
The API hosts instantly drew my eye, so I kicked off some file/directory brute forcing and started checking out the subdomains:
ffuf -u http://api-admin.nahamsec.net/FUZZ -w juicy.txt -ac -recursion -v
ffuf -u http://api-dev.nahamsec.net/FUZZ -w juicy.txt -ac -recursion -v
I also noticed 30kftw.nahamsec.net had the message: Welcome to Admin Site, Admin area only allowed from our intranet!
That made me note it down as a possible SSRF target.
FFuF then came back with a hit:
[Status: 200, Size: 823, Words: 85, Lines: 2] api-admin.nahamsec.net/swagger.json
Discovering a Swagger specification is an absolute gold mine for understanding the API and finding possible issues. It revealed 2 paths:
post /api/getflag &
However, they returned a 500 INTERNAL SERVER ERROR. This led me to try several things: adding /v2/ to the paths, and trying the endpoints on the api-dev subdomain too, theorising the endpoints might exist in the development area as well; however, this didn't return anything either. While playing around I noticed that /api/tokens would ask for credentials.
And Swagger also gave 2 other clues: "Oh boy, everyone is talking about WW3 and you still hacking? even our developer was in rush that he left the credentials somewhere!" and "tags: nahamsecCTF2020".
This led me to think about where credentials might be posted or left up by mistake: Pastebin, GitHub, unsecured storage like an S3 bucket, etc.
I checked Pastebin with some Google dorks:
I checked S3 storage:
aws s3 ls s3://nahamsecCTF2020

An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist
and other variations. This also made me think of claiming these bucket names to throw some people off, but I thought that might be too mean :p
And finally some GitHub dorking:
user:nahamsec api &
This returned nothing either. However, remembering a recent report on HackerOne's Hacktivity: you can sometimes find GitHub secrets from developers actively working on a project for the organisation, not necessarily in the organisation's own GitHub.
This led me to search for nahamsecCTF2020 across the whole of GitHub, which brought me to this repository: https://github.com/garagosy/nahamsecCTF2020, whose api.py contained some credentials.
I then went back and used the credentials on the GET /api/tokens endpoint found earlier, which returned a JWT. That led me to try several things:
POST /api/getflag with several different
Tampering with the JWT, which currently had id = 2, by attempting to brute-force the secret, as it was signed with HS256 - a potentially guessable secret.
However, this didn't lead to anything. I thought it could be a dead end, but I went back to the endpoints to try to find a clue about where to abuse the JWT with an alg = none header value and no signature, as I couldn't sign it genuinely. In that process I ended up sending a GET /api/getflag, which asked me for credentials! I inputted the ones from earlier, which revealed the flag! :)
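To make the two JWT failure modes from this writeup concrete, here is an added example (my own code, not from the writeup or from the CTF's API) of a verifier that pins HS256 server-side and therefore rejects both an alg = none token and a token whose id claim was swapped under the original signature. The secret, the id = 2 claim and the helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret (not from the CTF); a real service loads it from config.
SECRET = b"demo-secret-not-from-the-ctf"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes = SECRET) -> str:
    """Issue a token the way a /api/tokens endpoint would: HS256 over header.payload."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the payload only if the token is HS256-signed with `secret`.
    The algorithm is pinned server-side, so a header claiming alg=none
    is rejected before the signature is even looked at."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

def alg_none_token(payload: dict) -> str:
    """Unsigned alg=none token (the tampering tried in the writeup), used only
    as a negative test case against verify_hs256."""
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(payload) + "."

def swap_payload(token: str, payload: dict) -> str:
    """Keep the original header and signature but replace the claims."""
    h, _, s = token.split(".")
    return h + "." + encode_part(payload) + "." + s
```

The brute-force attempt in the writeup is the other side of the same check: the verifier is only as strong as the secret, so a long random key (not a guessable word) is what keeps HS256 tokens from being re-signed by anyone who holds one.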