The second challenge I made for the https://derpcon.io CTF (read about the first challenge here) was a medium difficulty challenge starting at https://derp.randori.com. The idea was to utilize some modern reconnaissance techniques and hide in plain sight, similar to system configurations I have seen in the past.
As before let’s take a look at the source and see if there are any hints. Right click -> View Page Source
View Source |
Looking at the HTML we see comments that lead me to believe there is some other environment at play. The comment tells me a developer has made sure something has to be removed before being released to prod. This makes me think there must be some sort of staging or development environment.
Comments are our friends |
Certificate Transparency Logs
Certificate Transparency Logs were created to help domain owners, CAs, and domain users aware of what certificates were being issued to help them discover erroneous or maliciously issued certificates. We can utilize these logs to see what host names have been, or are in use for particular domains.
A query on crt.sh for %.randori.com will reveal the last certificate they registered was for https://derp-dev.randori.com and https://derp.randori.com. This fits with our guess that there must be a dev site somewhere.
crt.sh |
Sadly that hostname does not resolve.
No Resolution |
TLS Certificate
Another place we can look for information about a website is the TLS certificate. Certificates can often divulge information about systems.
Cert Info |
Yummy Details |
For my command line junkies where is a ugly one-liner
OpenSSL FTW |
Seeing the DNS name in the certificate gives us a hint that this site might be doing double duty.
Often with virtual hosts, servers will respond differently depending on what host is set in the HTTP request. Let’s give it a try and see if anything changes.
Nope |
Now let’s try with the host header set...
Our Flag |
That does it. Hopefully the challenge was fun and folks got to learn something about TLS, Certificate logs, virtual hosts.
Thanks again to the hosts of derpcon.io for a wonderful virtual conference.