The Hacker One writeup
the hacker one
This challenge was one of the weirdest challenges, I have ever done so let’s begin:
we have the challenge url: https://umbc.h1ctf.com/
I started by a dirsearch
and found the following endpoints
from here I started to look at the endpoints
/login
/register
/profile
/debug
/profile and /debug caught my eye, so I started crafting a jwt token to see the contents
and after a lot of trial and error and pain it worked
eyJhbGciOiJIUzI1NiJ9.eyJpZGVudGl0eSI6ImFkbWluIn0.VT1uf1w7wH4IZ7o2VddMipUJahZ44KtwUMkkOkqTFlc
at this point I thought that’s it, that’s the whole thing isn’t it ? and it turns out no that was nothing :(
after sometime I got frustrated and needed some help so I talked to my teammate https://twitter.com/ianonhulk and we kept on trying and trying for hours and nothing helped
so we just started from the beginning and backtracked our tracks :)
I was just taking a look again at /profile and I was like hmmmmm is that a f***ing VHOST
I added all the weird domains to my /etc/hosts and started playing around
and it didn’t work like WTF, so I tried with the vhost from /debug and it worked :P
after this amazing discovery I started fuzzing the api
and I got some other endpoints
now only /reports caught my eye but it’s forbiden hmmmmmmmmmm:
I also guessed /reporters because you know it makes sense, it’s also forbiden :(
after examining the header we found out that we can bypass the protection with the api key from the /debug on the first domain, with some trial and error we found out that it’s the api-key header
so are we done yet ? NO
it turns out the api is useless nothing unique
we kept on banging our heads until I read the hints about different castles and docs ..etc so this challenge is inspired by hackerone and stuff so the api docs should be like this https://api.hackerone.com/v1/api-docs/v1/swagger.json
after a couple of hours of pain and a lot of hard metal music we found out the right vhost and path http://swagger.rbtrust.internal/swagger.json I just started screaming because it was the only thing I wanted for hours
so from the docs we found out that there’s a hidden param in the api for /debug http://api.rbtrust.internal/debug?url_48902=file:///etc/passwd
we can see /home/jobert so the flag should be /home/jobert/flag.txt
YES YES, STILL ARE WE F***CKING DONE YET NO, there’s still alot of pain and sacrifice
at this point there was still 30 minutes for the CTF and I need the flag
so the hints have something to do with $CLOUD_SERVER or whatever
from the /debug we can clearly see it’s an aws, so we started playing around with aws stuff
the only useful thing we found was this http://api.rbtrust.internal/debug?url_48902=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
STILL WHERE’S THE FLAG GUYS
there was no flag or anything important so we got a good idea about s3 buckets anddddd the keys for the s3 was wrong :(
15 mins left and still nothing WTF, my teammate was like I need the f***ing flag
so after reading some writeups and stuff we discovered that the aws keys are in /home/jobert/.aws/credentials
and it worked :P
ARE WE DONE YET SRSLY GUYS
still no, we had another thing, at that time we didn’t know about the tool to bruteForce for the right bucket so we had to guess, we had 6 mins left for the CTF my hands were shaking and I didn’t know how to type.
and it was rbtrust-internal
YES YES, but wait a minute how can I read the flag hmmmmmmmm?
I didn’t know what to do, so I had to break it whatever it costs after some trial and error I got it
aws s3 cp s3://rbtrust-internal/flag.txt ./1
and done it took us 10 hours to finish it
flag{get_em_uPy4TWP1SQlcaukrU8GPe}
only 2 solves :)
