tldr: The CTF was hosted at nahamsec.net, there were some credentials leaked in this repo which also disclosed the /swagger endpoint, using findomain I was able to get the subdomain api-admin.nahamsec.net which had a swagger instance running with a /api/getflag endpoint which accepted the username & password we found and gave us the flag.
Rules
Everything needed to complete the CTF was given in the blogpost
- No cheating or sharing answers
- Nahamsec.com / Nahamsec.dev or any of the boxes I have used during my streams are not used for this CTF.
- This is a recon CTF! Think recon and check out the tips or ideas I have shared while streaming for inspo.
- Please don’t ask for help or hint on Twitter. If I have anything to share, they’ll be posted directly on my Twitter so it’s fair and available for everyone.
- If you want to solve this to become a part of my mentorship program, send your submissions in with “[NMP]” in the beginning of the title. (i.e.: [NMP] Recon Submission)
Full Report
The image in the blog was being loaded from a different domain: nahamsec.net. I did a google search for site:nahamsec.net and noticed the title said Welcome To Nahamsec Giveaway CTF. After this I also did the same in GitHub, the search query was search?q="nahamsec.net" which took me to https://github.com/garagosy/nahamsecCTF2020 a repo that got uploaded recently with some interesting information ;) it's important to note this from the CTF announcement "Also, a big thank you to...Yasser Ali" who is the owner of the mentioned GitHub repo.
After having this information I looked for subdomains and found:
# used findomain to find the subdomains
api-admin.nahamsec.net
30kftw.nahamsec.net
api-dev.nahamsec.net
The one subdomain that stood out was api-admin but I wanted to look at all of them to cover the bases, from the GitHub repo above I knew there would be a swagger instance, which makes sense since Nahamsec has talked about how he likes seeing those, I tried the /swagger route on the 3 subdomains I found and the only one to give me a response back was api-admin.nahamsec.net so now I can see a swagger UI.
Cool now we have can see 2 routes: /api/getFlag & /api/tokens.
The /api/getFlag route looks like it's a post request, so I tried to do execute from within the swagger ui but it gives me a 500 error, so then I go straight to the route api-admin.nahamsec.net/api/getFlag and get an http username & password prompt - hmm let's try the credentials from the GitHub repo:
This is the response:
I stopped here and sent an email to the email included in the response.
After going back and trying to hit the token route I received the following JWT - I forgot to check this route after using the username/password.
# response from `/api/token`
{
"duration": 600,
"token": "eyJhbGciOiJIUzI1NiIsImV4cCI6MTU3ODc3ODA4NiwiaWF0IjoxNTc4Nzc3NDg2fQ.eyJpZCI6Mn0.Bk1enMme_sQlEdWoMizDAFJwK8HEaVgubk9nVbz-Was"
}
Thoughts
I had a lot of fun, finding the smallest things that looked off, like the CTF image coming from nahamsec.net and then looking in GitHub for anything related to that domain (shout out to @jhaddix I watched his latest stream and he did some github dorking), the rest are usual steps that Nahamsec has done in his streams and presentations like subdomain enumeration and directory bruteforcing (once I found the GitHub repo I focused on swagger stuff). It was really cool seeing that everything I learned this past year can be used and applied. I hope everyone else had as much fun as I did!
Top comments (0)