
Information Gathering CTF 1

Overview

A website is accessible at http://target.ine.local. Perform reconnaissance and capture the following flags.

    Flag 1: This tells search engines what to and what not to avoid.
    Flag 2: What website is running on the target, and what is its version?
    Flag 3: Directory browsing might reveal where files are stored.
    Flag 4: An overlooked backup file in the webroot can be problematic if it reveals sensitive configuration details.
    Flag 5: Certain files may reveal something interesting when mirrored.


In this lab, the flag will follow the format: FLAG1{MD5Hash} OR FL@G1{MD5Hash}. For example, FLAG1{0f4d0db3668dd58cabb9eb409657eaa8}. You need to submit only the MD5 hash string, excluding the braces. For instance: 0f4d0db3668dd58cabb9eb409657eaa8.

Writeup

Flag 1

This tells search engines what to and what not to avoid.

Log into the machine and fetch the website's robots.txt:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

FLAG1{2fe1210b42154cabbb70329cd921a089}
2fe1210b42154cabbb70329cd921a089

Flag 2

What website is running on the target, and what is its version?

┌──(root㉿INE)-[~]
└─# nmap target.ine.local -sC -sV -p80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 16:13 IST
Nmap scan report for target.ine.local (192.110.177.3)
Host is up (0.000060s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: INE
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 6.5.3 - FL@G2{48a3a13441a245548346bf6f2277a00c}
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
MAC Address: 02:42:C0:6E:B1:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds

48a3a13441a245548346bf6f2277a00c

Flag 3

Directory browsing might reveal where files are stored.

┌──(root㉿INE)-[~]
└─# dirsearch -u target.ine.local                                                                             
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                 
 (_||| _) (/_(_|| (_| )                                                                                          

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_target.ine.local/_25-03-27_16-15-48.txt

Target: http://target.ine.local/

[16:15:48] Starting:                                                                                             
[16:15:49] 403 -  281B  - /.ht_wsr.txt                                      
[16:15:49] 403 -  281B  - /.htaccess.bak1                                   
[16:15:49] 403 -  281B  - /.htaccess.sample
[16:15:49] 403 -  281B  - /.htaccess.orig
[16:15:49] 403 -  281B  - /.htaccess_extra                                  
[16:15:49] 403 -  281B  - /.htaccess.save
[16:15:49] 403 -  281B  - /.htaccess_orig
[16:15:49] 403 -  281B  - /.htaccessOLD                                     
[16:15:49] 403 -  281B  - /.htaccess_sc                                     
[16:15:49] 403 -  281B  - /.htm
[16:15:49] 403 -  281B  - /.htaccessOLD2
[16:15:49] 403 -  281B  - /.html
[16:15:49] 403 -  281B  - /.htpasswds                                       
[16:15:49] 403 -  281B  - /.htpasswd_test
[16:15:49] 403 -  281B  - /.httr-oauth                                      
[16:15:50] 403 -  281B  - /.php                                             
[16:15:52] 403 -  281B  - /.htaccessBAK                                     
[16:16:13] 301 -    0B  - /index.php  ->  http://target.ine.local/          
[16:16:14] 404 -   56KB - /index.php/login/                                 
[16:16:27] 200 -  110B  - /robots.txt                                       
[16:16:28] 403 -  281B  - /server-status                                    
[16:16:28] 403 -  281B  - /server-status/                                   
[16:16:39] 301 -  323B  - /wp-admin  ->  http://target.ine.local/wp-admin/  
[16:16:39] 409 -    3KB - /wp-admin/setup-config.php                        
[16:16:39] 302 -    0B  - /wp-admin/  ->  http://target.ine.local/wp-login.php?redirect_to=http%3A%2F%2Ftarget.ine.local%2Fwp-admin%2F&reauth=1
[16:16:39] 400 -    1B  - /wp-admin/admin-ajax.php
[16:16:39] 200 -    3KB - /wp-config.bak                                    
[16:16:39] 200 -    0B  - /wp-config.php                                    
[16:16:39] 200 -  489B  - /wp-admin/install.php                             
[16:16:40] 301 -  325B  - /wp-content  ->  http://target.ine.local/wp-content/
[16:16:40] 200 -    0B  - /wp-content/
[16:16:40] 200 -   84B  - /wp-content/plugins/akismet/akismet.php           
[16:16:40] 500 -    0B  - /wp-content/plugins/hello.php                     
[16:16:40] 200 -  507B  - /wp-content/uploads/                              
[16:16:40] 301 -  326B  - /wp-includes  ->  http://target.ine.local/wp-includes/
[16:16:40] 200 -    0B  - /wp-includes/rss-functions.php                    
[16:16:40] 200 -    0B  - /wp-cron.php                                      
[16:16:40] 200 -    5KB - /wp-includes/
[16:16:40] 200 -    2KB - /wp-login.php                                     
[16:16:40] 302 -    0B  - /wp-signup.php  ->  http://target.ine.local/wp-login.php?action=register
[16:16:41] 405 -   42B  - /xmlrpc.php                                       

Task Completed                                                                                                   

Directory listing is enabled on /wp-content/uploads/ (the scan returned it with 200 and a 507-byte body), and http://target.ine.local/wp-content/uploads/flag.txt contains the flag.

ac794b7570004429b378d2693aea7dcc

Flag 4

An overlooked backup file in the webroot can be problematic if it reveals sensitive configuration details.

Fetch /wp-config.bak, which the directory scan returned with HTTP 200:

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'test' );

/** Database username */
define( 'DB_USER', 'test' );

/** Database password */
define( 'DB_PASSWORD', 'test' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '}Mq^#|v{n0fQ6Vn[tr 6e4glzi:OVs/9(IQ .7f^dp3ym4,th-O$Qx.]|2+(t(sE');
define('SECURE_AUTH_KEY',  'S_LKQ#*}p*U}kdX[GNNVM2*0YISNQ&zrFl jEUNq5T}0Zg|,sO|yB68^|N*1nS-p');
define('LOGGED_IN_KEY',    '`tz-Uz9Ixka,5z0J BD0l/zfU|r2|;9BGL5l~A1RQtZMwh=JftaU$2)$FI%v};|E');
define('NONCE_KEY',        '|>ZN961k>aHWJ*R8#&x+rR>3g|<[:G 8B+rqPH WrWet1SC60+ LL/S+=[G-&g7)');
define('AUTH_SALT',        '+<2l=;osCL(L)zV[=uvr[}2^j-16(gFq18V<m|fP<R{7DV`^=O&bb3fxY+Jf|-;C');
define('SECURE_AUTH_SALT', 'HG&/Q/ceR-$;?jCL}<cL4@LKzDjv,M=K-gR<]iHiAqcHQO+rXcWn/jMt0#K,uWq%');
define('LOGGED_IN_SALT',   'REsFv+OsL*qd=yV<oPaAXeYj@f)A[/Wm5-?|_4d::(;dXcps`rgJf]t4B0Q3)RcH');
define('NONCE_SALT',       ' Q.:O=pFDTA-lNBe%kjJu(mp7$cQrF|IZ _hOWDA&Q18w6CL(<{+1$a-ZJ~<(!_;');


/** FLAG4{1e2a8202722548dc9d164a11f242f58b} */


/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/documentation/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
define('WP_HOME', 'http://X.X.X.X');

define('WP_SITEURL', 'http://X.X.X.X');

define('WP_HTTP_BLOCK_EXTERNAL', true);

1e2a8202722548dc9d164a11f242f58b

Flag 5

Certain files may reveal something interesting when mirrored.

┌──(root㉿INE)-[~]
└─# httrack --mirror target.ine.local                                                                          
WARNING! You are running this program as root!
It might be a good idea to run as a different user
Mirror launched on Thu, 27 Mar 2025 16:22:20 by HTTrack Website Copier/3.49-5 [XR&CO'2014]
mirroring target.ine.local with the wizard help..
[per-file mirroring progress, overwritten in place by the terminal, omitted]
Done.: target.ine.local/wp-login.php (4105 bytes) - OK
Thanks for using HTTrack!

Find the flag with a recursive grep over the mirrored directory:

┌──(root㉿INE)-[~/target.ine.local]
└─# grep -r "FLAG5" .
./xmlrpc0db0.php:                       <api name="FLAG5{4b981c3377d44d4e924911d85755d452}" blogID="1" preferred="false" apiLink="http://target.ine.local/xmlrpc.php" />

4b981c3377d44d4e924911d85755d452
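The five flags map to four exposures a WordPress site owner can check for on their own install: an informative robots.txt, a version-leaking generator tag, directory listing, and a backup copy of wp-config.php served from the webroot. As an added example (not part of the lab), the Python below triages the artefacts this writeup collected, offline, from constructed copies of the robots.txt, a generator meta tag and a subset of the dirsearch lines; the heuristics (backup-style extensions, a non-empty 200 on a trailing-slash path, a reachable xmlrpc.php) are assumptions of this example.

```python
import re

# Constructed inputs modelled on this lab's output; no live requests are made.
ROBOTS_TXT = "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"
INDEX_HTML = '<head><meta name="generator" content="WordPress 6.5.3" /></head>'
DIRSEARCH_LOG = """\
[16:16:27] 200 -  110B  - /robots.txt
[16:16:28] 403 -  281B  - /server-status
[16:16:39] 200 -    3KB - /wp-config.bak
[16:16:39] 200 -    0B  - /wp-config.php
[16:16:40] 200 -    0B  - /wp-content/
[16:16:40] 200 -  507B  - /wp-content/uploads/
[16:16:41] 405 -   42B  - /xmlrpc.php
"""

BACKUP_EXT = re.compile(r"\.(bak|old|orig|save|swp|sample)\d*$|~$", re.I)
DIRSEARCH_LINE = re.compile(r"^\[[\d:]+\]\s+(\d{3})\s+-\s+(\S+)\s+-\s+(\S+)")

def robots_paths(text):
    """Paths a robots.txt advertises: Disallow lines tell readers where to look."""
    return [p for _, p in re.findall(r"^(Disallow|Allow):\s*(\S+)", text, re.M)]

def generator_tag(html):
    """The <meta name="generator"> value nmap's http-generator script reports, or None."""
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, re.I)
    return m.group(1) if m else None

def triage_dirsearch(log):
    """Map dirsearch result lines to the exposures that matter; 403s are noise here."""
    findings = []
    for line in log.splitlines():
        m = DIRSEARCH_LINE.match(line)
        if not m:
            continue
        status, size, path = int(m.group(1)), m.group(2), m.group(3)
        if status == 200 and BACKUP_EXT.search(path):
            findings.append((path, "backup file served from webroot"))
        # An empty 200 on a directory is WordPress's placeholder index.php,
        # not a listing; a sizeable body on a bare directory usually is one.
        elif status == 200 and path.endswith("/") and size != "0B":
            findings.append((path, "directory listing likely enabled"))
        elif path == "/xmlrpc.php" and status != 404:
            findings.append((path, "XML-RPC endpoint reachable"))
    return findings

if __name__ == "__main__":
    print(robots_paths(ROBOTS_TXT), generator_tag(INDEX_HTML))
    for path, why in triage_dirsearch(DIRSEARCH_LOG):
        print(f"{path}: {why}")
```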