How I cracked Secarmy’s OSCP Challenge

Check out How I Passed OSCP with 100 points in 12 hours without Metasploit in my first attempt

Hey everyone, This is Adithyan AK from India and I hope you’re doing good. In this article, I'm going to explain about <read the title again>

I'm an avid follower of Secarmy. I don't participate in giveaway’s as I and luck broke up a few years ago. But I do participate rarely in CTFs especially when the reward is an OSCP voucher.

On to the point, It was a pretty straight-forward CTF. I was given a web application and thank god it doesn't have any crypto, steg, etc. It was purely based on web attacks. But there was a catch. We have to solve it in 10 mins as only the first person to solve will get the voucher.

So, I visited the target URL https://hackadmin.ml

The target site is built with Python and Django Framework. Like everyone, it’s time to flood the server with gobuster.

As soon I saw the flag endpoint, I visited it and got nothing, just an API endpoint. So I visited other endpoints such as login and report. The report endpoint was not accessible at that time.

So I moved on to the login endpoint and tried inspecting the cookies.

At first, it seemed like a JWT token. Then, I examined the page source.

Looking at John, it struck me with two possibilities. One is, it might be referring to John for Bruteforce or the other might be the username for the login page. I tried both lol and to my surprise, both worked. First, I tried decoding the cookies by brute-forcing it with Flask-Unsign as the source also mentioned “Stop eating all the cookies”.

flask-unsign -u -c "eyJ1c2VybmFtZSI6IkFub255bW91c19Vc2VyIn0.X2h0pQ.BH7pliC3PH_YFeLJDEc2i_Uc7I4" --wordlist /home/kali/Desktop/rockyou.txt --no-literal-eval --threads 8

Flask-unsign gave me the secret key rogger555. Now using the same secret key, I re-encoded the message with {‘username’: ‘John’}

flask-unsign --sign --cookie "{'username': 'John'}" --secret 'rogger555' --legacy

Copied the cookie and pasted it on the login page. It redirected me to the report page which was inaccessible earlier.

Hmm, so it asks for a URL as input. So SSRF struck my find at first as a wise man once said,

I didn't have time to set up Burp collaborator, I ran ngrok ASAP.

I gave the https URL in the input box of the report endpoint and looked for the incoming request in the Ngrok dashboard.

Taking a look at the cookie received revealed it was different from what I sent. So, I copied this cookie and pasted it into the report endpoint.

Still, it didn't show me anything. I was stuck here for about a minute and I visited other endpoints and refreshed them. Then finally…

And that’s how I was able to win the OSCP challenge with 90 days of lab access. I thank the Secarmy, Offensive Security, the organizers, and everyone who supported me.

Hacker by Passion and Information Security Researcher by Profession