Hello guys! Welcome to another day of me doing a Wiz x Cloud Security CTF. This CTF is mostly based on reconnaissance techniques and web application penetration testing, which I personally like very much, so let's start!

Firstly, we are greeted with a shell that has many DNS and network reconnaissance tools built in, such as massdns, nslookup and nmap. It also has web directory discovery tools, and we are provided wordlists to brute force subdomains and APIs. Quite interesting!

The description states that we have to start investigating the domain ackme-corp.net.

Firstly, I visited this website.

This was a single-page website with nothing interesting. There was an employee portal button, but it gave access denied.

Then I decided to enumerate the subdomains of this domain and used subfinder for this.

We found a new domain named app.ackme-corp.net and I visited this subdomain.

This shows something called an Interactsh server, which detects out-of-band interactions. Clicking on the anchor, I was redirected to the GitHub repository of this tool and found nothing interesting.

As the description mentioned online presence, I thought of searching for the domain on Google, Reddit and GitHub. While going through GitHub, I found a subdomain.

I found the subdomain testing.internal.ackme-corp.net. I also found a GitHub Pages deployment for it and saw that the CNAME record had been changed a couple of times.

I visited the website and all the CNAMEs, but none of them worked.

After this, I looked up the certificate details of this domain on crt.sh and found the domains below.

I tried to brute force the subdomains given above, but still nothing worked. But I noticed something: there was a weird set of subdomains involving terms such as vibe and coding. I thought of mixing and matching these labels and enumerating the combinations through subfinder. After trying and trying, I finally got it.
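As an added example (my own code, not the author's or the CTF's), here is the crt.sh plus mix-and-match step in Python: it pulls hostnames out of crt.sh-style JSON, recombines the labels seen under the base domain with any extra guesses, and reports which candidates resolve. The sample JSON and the stub zone are constructed, and the same check run against your own CT log entries is how a domain owner finds forgotten hosts before anyone else does.

```python
import itertools
import json
import socket

BASE = "ackme-corp.net"
# Constructed crt.sh-style JSON (newline-separated names per cert), not from the CTF.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "testing.internal.ackme-corp.net\nwww.ackme-corp.net"},
    {"name_value": "vibe.pprod.testing.internal.ackme-corp.net"},
    {"name_value": "*.ackme-corp.net\napp.ackme-corp.net"},
])

def hosts_from_crtsh(raw, base=BASE):
    """Unique, lower-cased, non-wildcard hostnames under `base`."""
    found = set()
    for entry in json.loads(raw):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().lstrip("*.")
            if name == base or name.endswith("." + base):
                found.add(name)
    return found

def permute(hosts, base=BASE, extra=(), depth=2):
    """Mix-and-match: prefix every observed host with 1..depth labels seen
    elsewhere under `base` (plus extra guesses); already-seen hosts drop out."""
    tokens = set(extra)
    for host in hosts:
        if host != base:
            tokens.update(host[: -len(base) - 1].split("."))
    candidates = set()
    for parent in hosts:
        for n in range(1, depth + 1):
            for combo in itertools.permutations(tokens, n):
                candidates.add(".".join(combo) + "." + parent)
    return candidates - hosts

def resolve_all(candidates, resolver=socket.gethostbyname):
    """{host: address} for candidates that resolve. `resolver` is pluggable so
    a stub zone keeps the run offline (KeyError/gaierror == no such host)."""
    live = {}
    for host in sorted(candidates):
        try:
            live[host] = resolver(host)
        except (socket.gaierror, KeyError):
            pass
    return live

if __name__ == "__main__":  # offline demo: a stub zone with a documentation IP stands in for DNS
    zone = {"coding.pprod.testing.internal.ackme-corp.net": "203.0.113.10"}
    print(resolve_all(permute(hosts_from_crtsh(CRTSH_SAMPLE), extra=("coding",)), zone.__getitem__))
```

Against live DNS, drop the stub and let `resolve_all` use its default `socket.gethostbyname`; for large candidate sets feed the list to massdns instead.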

The subdomain was coding.pprod.testing.internal.ackme-corp.net. Visiting this, we found an employee portal.

We needed credentials to get in and we had none, but I saw below that it was powered by vibecodewebsitetoday.com.

It is a website for building websites, and looking at it I thought this might be the place to enumerate directories. After enumerating, I got the docs directory, which contains the API documentation, and we can even test the endpoints from there.

So the first thing I did was try to register a username and password. But it needed an appid, which I found in the source of the login page.

After getting this, I registered and logged in and got a session token.

After getting these credentials, I went back to the login page and tried to log in, but was unsuccessful because it told me to log in through an internal website. On the API documentation page, I saw a file called openapi.json. I opened this path on our website and got a list of all working API endpoints.

One of the interesting endpoints, which was also mentioned in the description, was a chatbot. I guessed we had to do prompt injection to get the flag. So I logged into the system with the credentials, gave the necessary parameters required for the chat endpoint, used an LLM to craft a prompt to get the flag, and got it!

This was indeed a very tricky CTF, but I learnt new methods of reconnaissance. I had fun. Obviously I got another certificate of completion.

This was it for today. Hope you had fun learning with me too! See you in another CTF challenge!