eJPT - 1.1 CTF Information Gathering

Question 1

This tells search engines what to and what not to avoid.

We have to use the robots.txt file on the website to find what the website owner wants search engines to crawl and what to avoid. Within the robots.txt file is our first flag.

Question 2

What website is running on the target, and what is its version?

To find the flag, we have to use Nmap to identify the server and its version. Look at the switches on the previous page to find which ones to use.

Question 3

Directory browsing might reveal where files are stored.

Use a tool called dirb to brute-force the directories. This will find all the directories that are on the website. We then have to search through manually to find the correct directory with the flag. A hint is that it's located in the wp-content/uploads directory.

Question 4

An overlooked backup file in the webroot can be problematic if it reveals sensitive configuration details.

We're going to use the same tool as the previous question, except this time we will need to use the -W and the -X option. This does require parameters which we need to fill with the most common backup file extensions. As an example:

dirb http://target.ine.local -w /usr/share/dirb/wordlists/big.txt -X .bak,.tar.gz,.zip,.sql,.bak.zip

We then have to utilise the curl command to read the file contents.

Question 5

Certain files may reveal something interesting when mirrored.

To mirror the website, use the terminal version of the tool HTTrack. Then navigate to the directory where it's copied and navigate to /target.html/target.ine.local to find the file containing the flag.

---

That’s it for this section. Next one up is the footprinting & scanning section.

— Hmad