Spreading Out
Description
Spreading Out [Web]
ARIA is going out and touching files it shouldn't, can you track down where all it has gone?
https://uscybercombine-s4-spreading-out.chals.io/
Note: Fuzzing web directories is allowed.
Solution
Looking into source code there's no comments or anything useful
Part 1 found in robots.txt
β curl https://uscybercombine-s4-spreading-out.chals.io/robots.txt
1/5: SIVBGR{ARIA_1sSince fuzzing is explicitly allowed let's do that.
ββ$ feroxbuster -u https://uscybercombine-s4-spreading-out.chals.io -w /usr/share/seclists/Discovery/Web-Content/common.txt
by Ben "epi" Risher π€ ver: 2.10.3
ββββββββββββββββββββββββββββ¬ββββββββββββββββββββββ
π― Target Url β https://uscybercombine-s4-spreading-out.chals.io
π Threads β 50
π Wordlist β /usr/share/seclists/Discovery/Web-Content/common.txt
π Status Codes β All Status Codes!
π₯ Timeout (secs) β 7
𦑠User-Agent β feroxbuster/2.10.3
π Config File β /etc/feroxbuster/ferox-config.toml
π Extract Links β true
π HTTP methods β [GET]
π Recursion Depth β 4
ββββββββββββββββββββββββββββ΄ββββββββββββββββββββββ
π Press [ENTER] to use the Scan Management Menuβ’
ββββββββββββββββββββββββββββββββββββββββββββββββββ
404 GET 5l 31w 207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 56l 222w 1956c https://uscybercombine-s4-spreading-out.chals.io/static/can.js
200 GET 28l 102w 989c https://uscybercombine-s4-spreading-out.chals.io/
200 GET 1l 2w 16c https://uscybercombine-s4-spreading-out.chals.io/readme
200 GET 1l 2w 19c https://uscybercombine-s4-spreading-out.chals.io/robots.txt
200 GET 1l 2w 15c https://uscybercombine-s4-spreading-out.chals.io/sitemap.xml
403 GET 1l 3w 22c https://uscybercombine-s4-spreading-out.chals.io/wwwlog
[####################] - 4m 4730/4730 0s found:6 errors:1301
[####################] - 4m 4728/4728 18/s https://uscybercombine-s4-spreading-out.chals.io/β curl https://uscybercombine-s4-spreading-out.chals.io/readme
3/5: _4lw4ys_4nd
β curl https://uscybercombine-s4-spreading-out.chals.io/sitemap.xml
4/5: _c4nnot_b3ββ$ declare -f goscan # Just a utility function, because Im lazy lol
goscan () {
local wordlist="${2:-1}"
if [[ wordlist -eq 1 ]]
then
wordlist='/usr/share/seclists/Discovery/Web-Content/common.txt'
elif [[ wordlist -eq 2 ]]
then
wordlist='/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt'
fi
local logfile=$(echo "$1" | sed 's#https\?://##')
gobuster dir -u $1 -w $wordlist -t 30 ${*:2} | tee -a "gobuster_scan_$logfile"
}
ββ$ goscan https://uscybercombine-s4-spreading-out.chals.io/wwwlog 1 -x log,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://uscybercombine-s4-spreading-out.chals.io/wwwlog
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: log,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/development.log (Status: 200) [Size: 14]
β curl https://uscybercombine-s4-spreading-out.chals.io/wwwlog/development.log
5/5: _st0pp3d}After some hardcore enumeration I finally found it:
β curl https://uscybercombine-s4-spreading-out.chals.io/.env
2/5: _spreading_3v3rywh3r3Flag: SIVBGR{ARIA_1s_spreading_3v3rywh3r3_4lw4ys_4nd_c4nnot_b3_st0pp3d}
Last updated