2020-05-06

Let's be transparent about this. (Derpcon CTF Challenge 2)

The second challenge I made for the https://derpcon.io CTF (read about the first challenge here) was a medium-difficulty challenge starting at https://derp.randori.com. The idea was to use some modern reconnaissance techniques and hide in plain sight, similar to system configurations I have seen in the past.



As before, let's take a look at the source and see if there are any hints. Right click -> View Page Source
View Source
Looking at the HTML, we see comments that lead me to believe there is some other environment at play. The comment is a developer's reminder that something has to be removed before being released to prod. This makes me think there must be some sort of staging or development environment.

Comments are our friends
Certificate Transparency Logs
Certificate Transparency Logs were created to make domain owners, CAs, and domain users aware of which certificates are being issued, so that they can discover erroneously or maliciously issued certificates. We can use these logs to see which host names have been, or are, in use for a particular domain.

There are many places these logs are stored; for this example we will use https://crt.sh
A query on crt.sh for %.randori.com reveals that the last certificate they registered was for https://derp-dev.randori.com and https://derp.randori.com. This fits with our guess that there must be a dev site somewhere.
crt.sh
Sadly that hostname does not resolve.
No Resolution
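
From the defender's side, the same crt.sh data shows what your own certificates disclose. The following is an added example, not code from the original post: it parses crt.sh JSON output (the sample records are constructed, and the function names are hypothetical) and lists names that appear in the CT logs but have no DNS record.

```python
import json
import socket

# Constructed sample in the shape of crt.sh's JSON output (output=json);
# only the fields used here are included, and the wildcard record is made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "derp.randori.com",
     "name_value": "derp-dev.randori.com\nderp.randori.com"},
    {"common_name": "*.randori.com",
     "name_value": "*.randori.com\nrandori.com"},
])


def ct_hostnames(crtsh_json, domain):
    """Return the sorted, de-duplicated hostnames under `domain` found in CT records."""
    domain = domain.lower().rstrip(".")
    names = set()
    for record in json.loads(crtsh_json):
        # name_value holds the certificate's names, one per line.
        candidates = record.get("name_value", "").splitlines()
        candidates.append(record.get("common_name") or "")
        for raw in candidates:
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard entry only tells us the parent name
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def system_resolves(name):
    """Default resolver check: True if the local resolver returns any address."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def logged_but_unresolved(names, resolves=system_resolves):
    """Names that are public in CT logs yet have no DNS record."""
    return [n for n in names if not resolves(n)]


if __name__ == "__main__":
    hosts = ct_hostnames(SAMPLE_CRTSH_JSON, "randori.com")
    for host in logged_but_unresolved(hosts):
        print("in CT logs, not in DNS:", host)
```

A name on that list is public no matter what DNS says, so whatever is served under it needs its own access control.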

TLS Certificate

Another place we can look for information about a website is the TLS certificate. Certificates can often divulge information about systems.
Cert Info
Yummy Details
For my command line junkies, here is an ugly one-liner
OpenSSL FTW
Seeing the DNS name in the certificate gives us a hint that this site might be doing double duty.

Often with virtual hosts, servers will respond differently depending on which host is set in the HTTP request. Let's give it a try and see if anything changes.
Nope
Now let’s try with the host header set...
Our Flag
That does it. Hopefully the challenge was fun and folks got to learn something about TLS, certificate logs, and virtual hosts.

Thanks again to the hosts of derpcon.io for a wonderful virtual conference.
