[9447 CTF 2015] [Recon 140 – Recon 1] Write Up

Description

Someone has attacked your site. Find their full name.

This task is split into two parts. This is a reward for getting half way.
log.zip

Resolution

The file contains an access log.
While browsing it, we found an interesting line:

192.241.254.77 - - [15/Nov/2015:16:28:11 +0000] "GET /admin HTTP/1.1" 200 283 "-" "curl/7.35.0"
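Spotting that line by eye does not scale to a large log. The following is an added example, not part of the original write-up, of how the same triage can be automated: it parses Combined Log Format entries and reports successful requests to sensitive paths made by command-line clients. The path and user-agent heuristics and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed heuristics: command-line clients and sensitive path prefixes.
TOOL_AGENTS = ("curl/", "wget/", "python-requests/")
SENSITIVE_PREFIXES = ("/admin",)

# First line is the one quoted in the write-up; the rest are constructed.
SAMPLE_LOG = """\
192.241.254.77 - - [15/Nov/2015:16:28:11 +0000] "GET /admin HTTP/1.1" 200 283 "-" "curl/7.35.0"
198.51.100.7 - - [15/Nov/2015:16:20:02 +0000] "GET / HTTP/1.1" 200 1042 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [15/Nov/2015:16:20:03 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [15/Nov/2015:16:25:40 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "curl/7.35.0"
this line is malformed and must be skipped
"""

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_hits(log_text):
    """Return {ip: [entries]} for successful sensitive-path requests made by tools."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue  # tolerate truncated or corrupted lines
        sensitive = e["path"].startswith(SENSITIVE_PREFIXES)
        tool = e["agent"].lower().startswith(TOOL_AGENTS)
        if sensitive and tool and e["status"].startswith("2"):
            hits[e["ip"]].append(e)
    return dict(hits)

if __name__ == "__main__":
    for ip, entries in suspicious_hits(SAMPLE_LOG).items():
        for e in entries:
            print(ip, e["time"], e["method"], e["path"], e["status"], e["agent"])
```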

We opened the website http://192.241.254.77/ and got a nice:

go away

OK… 🙁
We decided to do a reverse IP lookup on the server; maybe it was serving another virtual host?

192.241.254.77: www.williestoleyour.pw

Great! It worked 🙂
We spent a while looking for what we could do next, sending mails, etc., but found nothing; we were stuck.

We then checked whether WebArchive had cached a previous state/version of the website:
https://web.archive.org/web/20151115002534/http://www.williestoleyour.pw/

Yes, it had!
The only thing that had changed was the email address on the website:

Current: info@williestoleyour.pw
Previous: info@dynamiclock.pw

Browsing to the newly found host www.dynamiclock.pw, we got the flag 🙂

The flag was: 9447{YouAreStalKey}.
