weCTF Writeup
A writeup on the one challenge I solved for the weCTF.
Since we just finished finals this week, I thought it would be fun to try participating in a CTF. So I checked CTFtime, saw weCTF (a 12-hour-long jeopardy-style web CTF), and asked some friends if they'd be interested. I was originally just planning on asking a few friends, but seeing that we were allowed teams of "infinite" members, I tried recruiting a few more friends to join our team XD. (We ended up using the UCR CTF team name pwnLANdir$.)
One thing I thought was really strange at first was how we were using Slack as our main mode of communication instead of Discord. It was really strange and didn't really make sense until 3 hours after the CTF started, when 2 more challenges were released (one of them involved a Slack bot).
During this CTF I only really solved one challenge but even that was solved with help from one of my teammates... and also he had found the flag at the very beginning so I contributed none once again :(
But anyhow, the solution. The problem was called Red Team, and we were told that there was a hidden subdomain that we needed to find. We were allowed to use subdomain scanners, and by using this site, I was able to find the subdomain docs as well as ns1. My teammate, however, used a different subdomain scanner and was able to find the subdomain that led directly to the flag. However, after asking the organizers about this a few hours later, we found out that we were supposed to find the solution using the subdomain docs.
The subdomain docs led to an index page that included a docs and a logs text file. The docs.txt file included the "company website", which was lookingglassv1.shoustinycompany.cf. The logs.txt file talked about how "Eddie started the process following RFC 5936" and a few other things that didn't make much sense to me. But it did mention "transfer NS records to our looking glass server" (161.35.126.226:53), and going there brings us to the same page as lookingglassv1.shoustinycompany.cf. That site gives us two options: to use the Linux commands dig or ip.
I was stuck on this challenge for a really long time :( However, my teammate, after looking at it again, realized that we needed to use the nameserver and, after a quick Google search, found the command that worked: dig @ns1.shoustinycompany.cf lookingglassv1.shoustinycompany.cf axfr. With that command we were able to find all the subdomains, including the really secret one.
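The transfer worked because the name server answered an AXFR request from an arbitrary client. As an added example (not part of the original writeup or the CTF), this is how a defender can spot such requests on TCP/53: it parses the RFC 5936 query framing and flags AXFR (QTYPE 252) from any source that is not a known secondary. The function names, example.com and the documentation-range IP addresses are assumptions constructed for the demo.

```python
import struct

AXFR = 252  # QTYPE for a full zone transfer (RFC 5936)

def build_query(qname, qtype, txid=0x1234):
    """Construct a TCP-framed DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode()
                      for p in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix on TCP

def parse_tcp_query(payload):
    """Return (qname, qtype) from a TCP DNS payload, or None if malformed."""
    if len(payload) < 2:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if length < 12 or len(msg) != length:
        return None
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:  # skip responses and odd question counts
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(msg):  # no compression expected here
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _ = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels).lower(), qtype

def unauthorized_transfer(src_ip, payload, allowed_secondaries):
    """True when an AXFR request comes from a host that is not a known secondary."""
    parsed = parse_tcp_query(payload)
    return bool(parsed) and parsed[1] == AXFR and src_ip not in allowed_secondaries

if __name__ == "__main__":
    secondaries = {"192.0.2.10"}  # constructed allow-list
    query = build_query("example.com", AXFR)
    print(unauthorized_transfer("203.0.113.7", query, secondaries))
```

Detection is the second line of defence; the fix is to have the name server refuse transfers to any client other than its configured secondaries.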