Nahamsec CTF - Shall we play a game?

OK, so I saw this last night. I've not done a CTF before, but I've watched some of NahamSec's stuff, so although I'm just starting out, let's see how far I can get...

Firstly let's get the rules from: https://www.nahamsec.com/posts/shall-we-play-a-game

  • No cheating or sharing answers
  • Nahamsec.com / Nahamsec.dev or any of the boxes I have used during my streams are not used for this CTF.
  • This is a recon CTF! Think recon and check out the tips or ideas I have shared while streaming for inspo.
  • Please don’t ask for help or hint on Twitter. If I have anything to share, they’ll be posted directly on my Twitter so it’s fair and available for everyone.
  • If you want to solve this to become a part of my mentorship program, send your submissions in with “[NMP]” in the beginning of the title. (i.e.: [NMP] Recon Submission)

Methodology (first-person stream of consciousness):

Browser: Firefox

OK, so let's take a look over the website page and survey the savanna for any low-hanging fruit. The Firefox Wappalyzer plugin shows me the web stack being used; nothing stands out, but this is a recon CTF so I'll collect that information for later.

I can see there's some social and underlined links, hovering my cursor over them shows they're either pointing at the social page or the swag sites, moving on.

There's an image. Right Click > View Image. https://nahamsec.net/Nahamsec_CTF_Giveaway.jpg OK, it's hosted on nahamsec.net, a different domain to .com and .dev. I haven't watched all of NahamSec's stuff so I don't know for sure if it's in scope, but let's pull on that string. Hitting https://nahamsec.net just shows the image.

I crack open Dev Tools, look over the html in the Inspector Tab and refresh the page in the Network Tab to see what files get loaded up. /, jpg and favicon.ico. Onwards.

Let's save the image file and look at its metadata: created 02/01/2002 18:22 with Photoshop 21, 1920x1080. That dimension, ooosh! Exciting stuff but no cigar, onwards.

Let's see what crt.sh has to say. NahamSec's a massive crt.sh fanboy and wrote crtndstry.sh specifically for that:

cd /opt/
git clone https://github.com/nahamsec/crtndstry
cd crtndstry
./crtndstry nahamsec.net
[-] This script requires jq. Existing

OK, what's jq? A quick search and a read, and I find myself downloading it from here: https://stedolan.github.io/jq/

cd Downloads
mv jq-linux64 /usr/bin/jq && chmod +x /usr/bin/jq

Back to /opt/crtndstry and running jq, I get "jq - commandline JSON processor [version 1.6]". Looks like I'm in business.

./crtndstry nahamsec.net
parse error: Invalid numeric literal al line1, column 15
[...] this line repeats a few times
parse error: Invalid numeric listeral at line 1, column 10
nahamsec.net
[+] Number of domains found: 1

lol

I appreciate it may have been easier to go here https://crt.sh/?q=nahamsec.net which tells me there's a wildcard cert, but I learned what jq was, so #win! The browser also confirms with the green padlock that there's a Cloudflare SNI cert.

Right, let's see what ports are open:

nmap -T4 -sS nahamsec.net
Other addresses for nahamsec.net (not scanned): 104.27.166.50
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
7070/tcp open realserver
8080/tcp open  http-proxy
8443/tcp open  https-alt

https://nahamsec.net:8080 - Secure Connection Failed
http://nahamsec.net:8080 - Error 521 from Cloudflare Host Error
https://nahamsec.net:8443/ - Error 521 from Cloudflare Host Error
http://nahamsec.net:8443/ - 400 Bad Request from Cloudflare
http(s)://nahamsec.net:554 - Times Out
http(s)://nahamsec.net:7070 - Times Out

NB: Interestingly, if you run nmap from Windows it doesn't return 554 and 7070.

https://nahamsec.net/robots.txt returns blank
googling "site:nahamsec.net" returns https://nahamsec.net

Tried recon-ng using the interesting_files and hackertarget modules but learnt nothing new.

I'm not sure how to proceed from here... I'll keep probing and update later.

OK, I'm back. Firstly, I've reached out to NahamSec on Twitter and via his contact page to see if the Cloudflare 521 errors are part of the CTF or whether something is broken.

I also googled "nahamsec.net" and the top results are for https://subdomainfinder.c99.nl/. Searching that site for nahamsec.net also finds api-dev.nahamsec.net, which also has the IP 104.27.167.50.

I used MxToolbox to check out what information they return (https://mxtoolbox.com/SuperTool.aspx?action=a%3Anahamsec.net&run=toolpage) and it does validate that 104.27.167.50 is in Cloudflare's range.

OK, so I've had confirmation from Yasser Ali (@garagosy) that "Its working well", so clearly I'm pulling on the wrong string...

So I've started watching some additional YouTube content for hints, starting with this: https://www.youtube.com/watch?v=YT5Zl2jW3wg

It's pointed me to censys.io and https://censys.io/certificates?q=nahamsec.net, which found 30kftw.nahamsec.net. That leads to "Welcome to Admin Site, Admin area only allowed from our intranet!", and if you smack an https on it you get the giveaway image, but this subdomain has a different IP (167.99.107.11) and the HTTPS cert fails. Interesting! This IP is from DigitalOcean. And what's that 30kftw... 30000 for the win, referencing the original CTF page: "I had an idea — create a recon CTF one I hit 30k". I think I've found some more string to pull...

nmap -T4 -sS 30kftw.nahamsec.net
Starting Nmap 7.50 ( https://nmap.org ) at 2020-01-12 11:48 GMT Standard Time
Nmap scan report for 30kftw.nahamsec.net (167.99.107.11)
Host is up (0.20s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
443/tcp open     https

nmap -T4 -sV -F 30kftw.nahamsec.net
Starting Nmap 7.50 ( https://nmap.org ) at 2020-01-12 12:44 GMT Standard Time
Nmap scan report for 30kftw.nahamsec.net (167.99.107.11)
Host is up (0.17s latency).
Not shown: 96 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp  filtered smtp
80/tcp  open     http    Apache httpd 2.4.29 ((Ubuntu))
443/tcp open     ssl/ssl Apache httpd (SSL-only mode)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OK, so I hit up Twitter and did some further research to see if I could get some ideas on where to go next. I found that there are some CVEs for that particular version of Apache, but as this is a recon CTF I didn't think that was the path. I did find this, this and this, which were interesting and identified that the x-forward-to header can be exploited when receiving 403s. This tallies with the cryptic message of "Welcome to Admin Site, Admin area only allowed from our intranet!", so I crafted a request including the x-forward-to header with the value 127.0.0.1 using ZAP's Open/Resend editor and got the following:

Oh!, looks like we have moved our api services to api-admin.nahamsec.net.
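The access check the admin site appears to be doing, as an added illustration of mine (not code from the CTF repo or from its api.py): a weak version that trusts whatever the client puts in the standard X-Forwarded-For header (I'm assuming that is the header the "x-forward-to" trick above refers to) beside a hardened version that only honours the header when the TCP peer is the app's own reverse proxy, plus a small detection hook. The proxy address and intranet ranges are constructed values, not the CTF's configuration.

```python
import ipaddress

# Constructed values for the example: the reverse proxy that fronts the app
# and the ranges the app treats as "intranet" (assumptions, not the CTF's config).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8")]


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP and lies in one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # garbage in a header is never "internal"
    return any(ip in net for net in INTERNAL_NETS)


def vulnerable_is_intranet(remote_addr: str, headers: dict) -> bool:
    """Weak check: believes whatever the client put in X-Forwarded-For,
    so an external client claiming 127.0.0.1 is let into the admin area."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0]
    return is_internal(claimed)


def hardened_is_intranet(remote_addr: str, headers: dict) -> bool:
    """Only honour X-Forwarded-For when the TCP peer is our own proxy, and
    then use the rightmost entry (the one the proxy appended); anything to
    the left of it was supplied by the client and is untrusted."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return is_internal(remote_addr)  # direct connection: trust only the socket peer
    xff = headers.get("X-Forwarded-For", "")
    if not xff:
        return False  # the proxy always sets it; absence means fail closed
    return is_internal(xff.split(",")[-1])


def spoof_attempt(remote_addr: str, headers: dict) -> bool:
    """Detection hook: a forwarded-for header arriving from a peer that is
    not one of our proxies is worth logging, whatever value it carries."""
    return ("X-Forwarded-For" in headers
            and ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES)
```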

Tunnel vision started to kick in until inspiration arrived and I realised I hadn't checked out GitHub. I remembered both NahamSec and TomNomNom mentioning it as a great place to find things of interest, and I'd previously installed gitrob, but before running that I just logged into GitHub, searched for nahamsec and found https://github.com/garagosy/nahamsecCTF2020. Taking a look over api.py showed some creds, but it wasn't clear what these creds should be passed to. After a few too many minutes of scratching my head, looking into Flask APIs, gunicorn and curl -u, I finally hit:

https://api-admin.nahamsec.net/api/getflag

I input the creds from the GitHub repo and BOOM! My first CTF completed. It's only taken me the best part of 8 hours, but what a rush: that feeling of frustration becoming joy when finding new string to pull, leading to more frustration and ultimately completion, is addictive. More!!! I don't really have any context on how this CTF compares to others, but it's been a great ride... time for a beer.