tldr: The CTF was hosted at nahamsec.net. Some credentials were leaked in a GitHub repo which also disclosed the /swagger endpoint. Using findomain I was able to get the subdomain api-admin.nahamsec.net, which had a swagger instance running with a /api/getflag endpoint that accepted the username & password we found and gave us the flag.
Rules
Everything needed to complete the CTF was given in the blogpost
- No cheating or sharing answers
- Nahamsec.com / Nahamsec.dev or any of the boxes I have used during my streams are not used for this CTF.
- This is a recon CTF! Think recon and check out the tips or ideas I have shared while streaming for inspo.
- Please don’t ask for help or hint on Twitter. If I have anything to share, they’ll be posted directly on my Twitter so it’s fair and available for everyone.
- If you want to solve this to become a part of my mentorship program, send your submissions in with “[NMP]” in the beginning of the title. (i.e.: [NMP] Recon Submission)
Full Report
The image in the blog was being loaded from a different domain: nahamsec.net. I did a Google search for site:nahamsec.net and noticed the title said Welcome To Nahamsec Giveaway CTF. After this I also did the same in GitHub; the search query was search?q="nahamsec.net", which took me to https://github.com/garagosy/nahamsecCTF2020, a repo that got uploaded recently with some interesting information ;) It's important to note this from the CTF announcement: "Also, a big thank you to...Yasser Ali", who is the owner of the GitHub repo mentioned above.
After having this information I looked for subdomains and found:
# used findomain to find the subdomains
api-admin.nahamsec.net
30kftw.nahamsec.net
api-dev.nahamsec.net
The one subdomain that stood out was api-admin, but I wanted to look at all of them to cover the bases. From the GitHub repo above I knew there would be a swagger instance, which makes sense since Nahamsec has talked about how he likes seeing those. I tried the /swagger route on the 3 subdomains I found and the only one to give me a response back was api-admin.nahamsec.net, so now I can see a swagger UI.
Cool, now we can see 2 routes: /api/getFlag & /api/tokens.
The /api/getFlag route looks like it's a POST request, so I tried to execute it from within the swagger UI, but it gives me a 500 error. So then I go straight to the route api-admin.nahamsec.net/api/getFlag and get an HTTP username & password prompt - hmm, let's try the credentials from the GitHub repo:
This is the response:
I stopped here and sent an email to the email included in the response.
After going back and trying to hit the token route I received the following JWT - I forgot to check this route after using the username/password.
# response from `/api/token`
{
"duration": 600,
"token": "eyJhbGciOiJIUzI1NiIsImV4cCI6MTU3ODc3ODA4NiwiaWF0IjoxNTc4Nzc3NDg2fQ.eyJpZCI6Mn0.Bk1enMme_sQlEdWoMizDAFJwK8HEaVgubk9nVbz-Was"
}
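As an added example (not part of the original writeup), the script below decodes that token the way you would inspect any JWT during recon or triage: it splits the three segments, base64url-decodes the header and payload without verifying the signature, and checks that the advertised duration matches exp minus iat. The token and the 600-second duration are copied from the response above; nothing else is assumed.

```python
import base64
import json

# Token and duration copied from the /api/token response shown above.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImV4cCI6MTU3ODc3ODA4NiwiaWF0IjoxNTc4Nzc3NDg2fQ"
    ".eyJpZCI6Mn0"
    ".Bk1enMme_sQlEdWoMizDAFJwK8HEaVgubk9nVbz-Was"
)
SAMPLE_DURATION = 600


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str) -> dict:
    """Split a JWT and decode header and payload WITHOUT verifying the signature.

    This is inspection only: it shows what the token carries in the clear and
    proves nothing about whether the token is genuine.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-segment JWT")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signature = b64url_decode(sig_b64)  # HS256 -> 32-byte HMAC tag
    return {"header": header, "payload": payload, "signature_len": len(signature)}


def lifetime_seconds(token: str) -> int:
    """Lifetime from the token's own timestamps. In this token exp and iat sit
    in the header rather than in the claims, so both sections are checked."""
    parts = inspect_jwt(token)
    for section in (parts["header"], parts["payload"]):
        if "exp" in section and "iat" in section:
            return section["exp"] - section["iat"]
    raise ValueError("token carries no exp/iat pair")


if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE_TOKEN), indent=2))
    print("lifetime:", lifetime_seconds(SAMPLE_TOKEN), "s, advertised:", SAMPLE_DURATION)
```

Decoding shows the header {"alg":"HS256","exp":1578778086,"iat":1578777486} and the payload {"id":2}, so the only thing the token asserts is a user id, and its lifetime matches the advertised 600 seconds.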
Thoughts
I had a lot of fun finding the smallest things that looked off, like the CTF image coming from nahamsec.net and then looking in GitHub for anything related to that domain (shout out to @jhaddix, I watched his latest stream and he did some GitHub dorking). The rest are the usual steps that Nahamsec has done in his streams and presentations, like subdomain enumeration and directory bruteforcing (once I found the GitHub repo I focused on swagger stuff). It was really cool seeing that everything I learned this past year can be used and applied. I hope everyone else had as much fun as I did!