Et tu, Cipher?

Original Writeup on seall.dev
Checking out win.secedu.site, we are given a webserver with a simple message:
Nothing to see here citizen. Move along now.
We wouldn't want you to discover any kind of secret content
around these here parts.
________________
\ __ / __
\_____()_____/ / )
'============` / /
#---\ /---# / /
(# @\| |/@ #) / /
\ (_) / / /
|\ '---` /| / /
_______/ \\_____// \____/ o_|
/ \ / \ / / o_|
/ | o| / o_| \
/ | _____ | / / \ \
/ | |===| o| / /\ \ \
| | \@/ | / / \ \ \
| |___________o|__/----) \ \/
| ' || --) \ |
|___________________|| --) \ /
| o| '''' | \__/
| | |
The first thing I try is running a FUZZ with directory-list-2.3-medium.txt
from SecLists.
$ ffuf -u "http://win.secedu.site/FUZZ" -w .../SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.0.2
...
announcements [Status: 301, Size: 160, Words: 9, Lines: 2]
Announcements [Status: 301, Size: 160, Words: 9, Lines: 2]
[Status: 200, Size: 1297, Words: 679, Lines: 38]
Just a 301 on announcements…
I try making a combined wordlist with a Python script:
# Build a "name + extension" wordlist from two SecLists files and print it,
# one candidate per line, so it can be redirected into wordlist-combined.txt.
with open('./SecLists/Discovery/Web-Content/common.txt', 'r') as f:
    common_file_names = [line.strip() for line in f if line.strip()]
with open('./SecLists/Discovery/Web-Content/raft-large-extensions.txt', 'r') as f:
    common_file_extensions = [line.strip() for line in f if line.strip()]

combined_file_names = []
for name in common_file_names:
    for ext in common_file_extensions:
        # entries in raft-large-extensions.txt already carry the leading dot
        combined_file_names.append(f"{name}{ext}")

for file_name in combined_file_names:
    print(file_name)
$ python3 script.py > wordlist-combined.txt
$ ffuf -u "http://win.secedu.site/FUZZ" -w wordlist-combined.txt
...
.git.txt [Status: 200, Size: 90, Words: 15, Lines: 3]
.git.TXT [Status: 200, Size: 90, Words: 15, Lines: 3]
Index.htm [Status: 200, Size: 1297, Words: 679, Lines: 38]
Index.HTM [Status: 200, Size: 1297, Words: 679, Lines: 38]
A hit!
What! This isn't the flag?!
No fair!!111!11
But looks like you are on the right path...
Just seems to be a nudge that we're heading in the right direction… and Index.htm is just the general start page we already had…
Thanks to my teammate's idea, we go back to announcements and presume there might be more inside it…
$ ffuf -u "http://win.secedu.site/announcements/FUZZ" -w .../SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
compressed [Status: 301, Size: 171, Words: 9, Lines: 2]
Alright, let's go again!
$ ffuf -u "http://win.secedu.site/announcements/compressed/FUZZ" -w .../SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
...
<fuck all>
Or not..? My teammate tries with raft-large-files-lowercase.txt
as there seems to be no case-sensitivity, and we get a hit!
$ ffuf -u "http://win.secedu.site/announcements/compressed/FUZZ" -w .../SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt
...
readme.txt [Status: 200, Size: 193, Words: 37, Lines: 4]
Cool! http://win.secedu.site/announcements/compressed/readme.txt
Content discovery is the name of the game here.
If you guessed this file. Nice try, but not quite.
Brute force is part of the problem, but can you SHORTEN your guesses and find the flag?
Looking at SHORTEN, my brain fires some neurons and has a very good idea…
I immediately think of IIS short filename (tilde) enumeration, and I decided to check Wappalyzer to confirm my suspicions.
Bang! I won't go into too much detail over the functionality of the exploit (you can read more here), but it essentially allows enumeration of files in folders on an IIS webserver: it leaks the first 6 characters of the filename and the first 3 of the extension, because NTFS generates an 8.3 "short name" (e.g. VERYSE~1.TXT) alongside every long filename that does not already fit that format.
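To make the "6 + 3 characters" leak concrete, here is an added example (not code from the writeup or from shortscan) that models how NTFS derives the 8.3 short name for a long filename and then uses that model the way a defender would: list which files in a directory would be exposed by tilde enumeration, and check a web.config fragment for the request-filtering mitigation. The generation rules are a simplified model of NTFS behaviour (an assumption, sufficient to reproduce the names seen on this site); the directory listings and the web.config are constructed, and the root's WELLDO~1.TXT long name is invented because it was never recovered.

```python
"""Model NTFS 8.3 short-name generation and review what IIS tilde enumeration
would reveal.  Added example, not part of the original writeup."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Anything outside this set is not allowed in an 8.3 name and becomes '_'
_INVALID_8_3 = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def _split(long_name):
    """Return (base, ext) as 8.3 generation sees them: uppercase, spaces
    dropped, extension = text after the LAST dot, other dots removed.
    '.git.txt' -> ('GIT', 'TXT'); 'announcements' -> ('ANNOUNCEMENTS', '')."""
    name = long_name.upper().replace(' ', '')
    base, dot, ext = name.rpartition('.')
    if not dot:                      # no dot at all: the whole name is the base
        base, ext = name, ''
    base = _INVALID_8_3.sub('_', base.replace('.', ''))
    ext = _INVALID_8_3.sub('_', ext)
    return base, ext


def fits_8_3(long_name):
    """True when the long name is already a legal 8.3 name; NTFS then generates
    no tilde name, so enumeration has nothing extra to reveal about it."""
    name = long_name.upper()
    if ' ' in name or name.startswith('.') or name.count('.') > 1:
        return False
    base, _, ext = name.partition('.')
    return (0 < len(base) <= 8 and len(ext) <= 3
            and not _INVALID_8_3.search(base) and not _INVALID_8_3.search(ext))


def short_names(long_names):
    """Map every name in one directory to its 8.3 name.  Clashes on the same
    6-character stem + 3-character extension get ~1, ~2, ... in creation
    order (the order of the input list).  Assumption: only ~1..~4 is modelled;
    real NTFS switches to a hashed stem after four clashes."""
    counters = defaultdict(int)
    result = {}
    for long_name in long_names:
        if fits_8_3(long_name):
            result[long_name] = long_name.upper()
            continue
        base, ext = _split(long_name)
        stem, ext = base[:6], ext[:3]
        counters[(stem, ext)] += 1
        short = f"{stem}~{counters[(stem, ext)]}"
        result[long_name] = f"{short}.{ext}" if ext else short
    return result


def enumerable(long_names):
    """Long names that receive a generated (~N) short name, i.e. the files a
    tilde enumeration of this directory could learn 6+3 characters of."""
    return sorted(n for n, s in short_names(long_names).items() if '~' in s)


def denies_tilde(web_config_xml):
    """True if IIS request filtering rejects URLs containing '~', the usual
    mitigation when 8.3 name creation cannot be disabled on the volume
    (the other fix being `fsutil behavior set disable8dot3 1` and recreating
    the files so no short names remain)."""
    root = ET.fromstring(web_config_xml)
    path = './/security/requestFiltering/denyUrlSequences/add'
    return any(a.get('sequence') == '~' for a in root.findall(path))


# Constructed directory listings mirroring the site layout in the writeup;
# 'welldone-not-the-flag.txt' is an invented stand-in for WELLDO~1.TXT.
ROOT_DIR = ['Index.htm', '.git.txt', 'announcements', 'welldone-not-the-flag.txt']
COMPRESSED_DIR = ['readme.txt', 'otherfiles.txt', 'verysecrets.txt']

# Constructed web.config fragment with the mitigation applied
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="~" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

if __name__ == '__main__':
    for label, listing in (('/', ROOT_DIR), ('/announcements/compressed/', COMPRESSED_DIR)):
        print(label)
        for long_name, short in short_names(listing).items():
            print(f"  {long_name:28} -> {short}")
        print("  exposed by tilde enumeration:", enumerable(listing))
    print("web.config denies '~':", denies_tilde(SAMPLE_WEB_CONFIG))
```

Run against the constructed listings, readme.txt and Index.htm come back as README.TXT and INDEX.HTM with no tilde, which is why they never appeared in the scanner output below, while otherfiles.txt and verysecrets.txt become OTHERF~1.TXT and VERYSE~1.TXT. The same `short_names` pass over a real webroot listing tells you which files a scanner could learn the prefixes of, and `denies_tilde` is a quick check that the request-filtering rule is actually present.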
I use shortscan to get the job done:
$ shortscan "http://win.secedu.site" 127 ↵
🌀 Shortscan v0.9.0 · an IIS short filename enumeration tool by bitquark
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
URL: http://win.secedu.site/
Running: Microsoft-IIS/10.0
Vulnerable: Yes!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GIT~1.TXT GIT.TXT?
ANNOUN~1 ANNOUN? ANNOUNCEMENTS
WELLDO~1.TXT WELLDO?.TXT?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
URL: http://win.secedu.site/ANNOUNCEMENTS/
Running: Microsoft-IIS/10.0
Vulnerable: Yes!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
COMPRE~1 COMPRE? COMPRESSED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
URL: http://win.secedu.site/ANNOUNCEMENTS/COMPRESSED/
Running: Microsoft-IIS/10.0
Vulnerable: Yes!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OTHERF~1.TXT OTHERF?.TXT?
VERYSE~1.TXT VERYSE?.TXT?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Finished! Requests: 744; Retries: 0; Sent 153260 bytes; Received 308687 bytes
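A scan like the one above leaves a very recognisable trail in the IIS logs: 744 requests in a few seconds, nearly all of them wildcard paths that combine `*` with `~1`, answered with 400s and 404s (the differing error responses are the oracle the technique relies on). As an added example that is not part of the writeup, the script below parses W3C-format IIS log lines and flags clients that sent a burst of such probes; the log lines, IP addresses and the threshold are constructed for the example.

```python
"""Detect IIS short-filename (tilde) enumeration in W3C-format IIS logs.
Added example, not part of the original writeup; sample data is constructed."""
import re
from collections import Counter, defaultdict

# '*' (or its URL-encoding %2A) together with '~<digit>' in the same path segment
TILDE_PROBE = re.compile(r'(?:\*|%2a)[^/]*~\d|~\d[^/]*(?:\*|%2a)', re.IGNORECASE)

# Constructed log excerpt: one browsing client, one scanner (198.51.100.9)
# and one client that sent a single probe.  IIS logs spaces in the
# User-Agent as '+', which keeps every line at exactly 15 fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:00 10.0.0.5 GET /index.htm - 80 - 203.0.113.7 Mozilla/5.0+(Windows) - 200 0 0 12
2024-01-01 10:00:01 10.0.0.5 OPTIONS /*~1*/.aspx - 80 - 198.51.100.9 shortscan - 404 0 2 3
2024-01-01 10:00:01 10.0.0.5 OPTIONS /1*~1*/.aspx - 80 - 198.51.100.9 shortscan - 400 0 0 2
2024-01-01 10:00:02 10.0.0.5 OPTIONS /a*~1*/.aspx - 80 - 198.51.100.9 shortscan - 404 0 2 3
2024-01-01 10:00:02 10.0.0.5 OPTIONS /w*~1*/.aspx - 80 - 198.51.100.9 shortscan - 404 0 2 3
2024-01-01 10:00:03 10.0.0.5 OPTIONS /we*~1*/.aspx - 80 - 198.51.100.9 shortscan - 404 0 2 3
2024-01-01 10:00:03 10.0.0.5 OPTIONS /announcements/*~1*/.aspx - 80 - 198.51.100.9 shortscan - 404 0 2 3
2024-01-01 10:00:04 10.0.0.5 GET /announcements/compressed/readme.txt - 80 - 203.0.113.7 Mozilla/5.0+(Windows) - 200 0 0 8
2024-01-01 10:00:05 10.0.0.5 GET /*~1*/.aspx - 80 - 192.0.2.3 curl/8.0 - 404 0 2 3
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#') and fields:
            parts = line.split(' ')
            if len(parts) == len(fields):      # skip truncated lines
                yield dict(zip(fields, parts))


def tilde_probes(log_text):
    """Per client IP: how many tilde wildcard probes it sent, broken down by
    the status code it received."""
    per_ip = defaultdict(Counter)
    for rec in parse_w3c(log_text):
        if TILDE_PROBE.search(rec['cs-uri-stem']):
            per_ip[rec['c-ip']][rec['sc-status']] += 1
    return {ip: dict(codes) for ip, codes in per_ip.items()}


def flag_enumerators(log_text, threshold=5):
    """Client IPs whose probe count reaches the threshold (a constructed value:
    a single stray '~' in a URL should not page anyone, a burst should)."""
    return {ip: codes for ip, codes in tilde_probes(log_text).items()
            if sum(codes.values()) >= threshold}


if __name__ == '__main__':
    for ip, codes in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {sum(codes.values())} tilde probes, status codes {codes}")
```

On the sample the scanner's address is reported with five 404s and one 400 while the single-probe client stays below the threshold. In production the same logic can be a SIEM rule (URI contains `*` and `~` followed by a digit, grouped by client over a short window); if the request-filtering rule that denies `~` is in place, the probes still show up, but as 404s from the filter rather than as a working oracle.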
Ok! So some new entries: WELLDO~1.TXT in the site's root, and OTHERF~1.TXT and VERYSE~1.TXT in the compressed folder.
I first decide to make a wordlist from every word in the SecLists repo that starts with those characters, e.g. WELLDO. This excellent one-liner was crafted by an AI then improved upon by myself.
$ grep -iR '^welldo' ~/Documents/Hacking/SecLists/ | cut -d':' -f2- | sed 's|^ *||'|sort|uniq > welldo.txt
$ ffuf -u 'http://win.secedu.site/announcements/compressed/FUZZ.txt' -w welldo.txt
...
:: Progress: [74/74] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
Nothing! Alright, let's try OTHERF and VERYSE:
- No results for VERYSE
- 1 hit on OTHERF
otherfiles.txt is a hit!
Are there other files here that don't show up?
Ok, that's clearly hinting at VERYSE, and I have an idea!
What if we just bruteforced the remaining characters with crunch?
$ crunch 1 5 abcdefghijklmnopqrstuvwxyz -o wordlist.txt
$ ffuf -w wordlist.txt -u "http://win.secedu.site/announcements/compressed/veryseFUZZ.txt"
...
crets [Status: 200, Size: 57, Words: 1, Lines: 1]
A hit! verysecrets.txt gives us the flag.
Flag: flag{LookAtHowGoodContentDiscoveryIsAtFindingSecrets.lol}