Introduction to the challenge and capture the flags

Capture the flag (CTF) events are fun events designed to challenge people and get them to really think about the puzzle they’re presented with. They come in many types and variations, from cryptography-style puzzles to a vulnerable web application, but they all have one thing in common: finding a flag, which can be a text string denoting that it’s the flag. The flag is of course thoroughly hidden and will require some work to find. The first thing we always want to do with a capture the flag is pay attention to the challenge details, since they always contain pertinent information that will likely come in handy later on in the challenge.

Here is the challenge prompt:

An engineer of acme.org launched a new server for a new admin panel at http://104.236.20.43/ He is completely confident that the server can’t be hacked. He added a tripwire that notifies him when the flag file is read. He also noticed that the default Apache page is still there, but according to him that’s intentional and doesn’t hurt anyone. Your goal? Read the flag!

Analysis of the web server

When we first take a look at the server by visiting the IP, we are presented with the Apache default page for 104.236.20.43. From this we know that it’s using Apache, and we might as well check for a flag file in any of the directories. Doing so, we find 104.236.20.43/flag, which shows a fake flag, but this may be useful later on, as challenge creators do similar things intentionally as a hint to the participants.

We then go over to acme.org to see if it resolves to anything, which it doesn’t. If you don’t know anything about virtual hosts, they work by checking the value submitted in the Host header of an HTTP request; they are basically a way for a server to map a host name to the site it should serve. We have a host name already, remember acme.org?

Since we’re looking for an admin panel, we should first try sending a Host header with admin.acme.org, which returns a blank page. An alternative method that makes this easier is modifying your /etc/hosts file to add the line 104.236.20.43 admin.acme.org. This way, when we visit admin.acme.org, it’ll resolve to the correct IP.

Probing for misconfigurations and fixing them

After we correctly set up the virtual host and visit the domain name, we are presented with a blank page, and we observe that we’re given the cookie admin=no.