How I cracked Secarmy’s OSCP Challenge

Adithyan AK
4 min readNov 1, 2020

--

Check out How I Passed OSCP with 100 points in 12 hours without Metasploit in my first attempt

Hey everyone, This is Adithyan AK from India and I hope you’re doing good. In this article, I'm going to explain about <read the title again>

I'm an avid follower of Secarmy. I don't participate in giveaway’s as I and luck broke up a few years ago. But I do participate rarely in CTFs especially when the reward is an OSCP voucher.

On to the point, It was a pretty straight-forward CTF. I was given a web application and thank god it doesn't have any crypto, steg, etc. It was purely based on web attacks. But there was a catch. We have to solve it in 10 mins as only the first person to solve will get the voucher.

So, I visited the target URL https://hackadmin.ml

The target site is built with Python and Django Framework. Like everyone, it’s time to flood the server with gobuster.

Haha Gobuster go brrrr….

As soon I saw the flag endpoint, I visited it and got nothing, just an API endpoint. So I visited other endpoints such as login and report. The report endpoint was not accessible at that time.

So I moved on to the login endpoint and tried inspecting the cookies.

Login endpoint’s biscuits

At first, it seemed like a JWT token. Then, I examined the page source.

Looking at John, it struck me with two possibilities. One is, it might be referring to John for Bruteforce or the other might be the username for the login page. I tried both lol and to my surprise, both worked. First, I tried decoding the cookies by brute-forcing it with Flask-Unsign as the source also mentioned “Stop eating all the cookies”.

flask-unsign -u -c "eyJ1c2VybmFtZSI6IkFub255bW91c19Vc2VyIn0.X2h0pQ.BH7pliC3PH_YFeLJDEc2i_Uc7I4" --wordlist /home/kali/Desktop/rockyou.txt --no-literal-eval --threads 8
Bruteforce completed in 1 min 43 seconds

Flask-unsign gave me the secret key rogger555. Now using the same secret key, I re-encoded the message with {‘username’: ‘John’}

flask-unsign --sign --cookie "{'username': 'John'}" --secret 'rogger555' --legacy
Flask-unsign’s resigned key output

Copied the cookie and pasted it on the login page. It redirected me to the report page which was inaccessible earlier.

Report endpoint after pasting John’s cookie

Hmm, so it asks for a URL as input. So SSRF struck my find at first as a wise man once said,

I didn't have time to set up Burp collaborator, I ran ngrok ASAP.

Ngrok HTTP listening on 4444

I gave the https URL in the input box of the report endpoint and looked for the incoming request in the Ngrok dashboard.

Ngrok request inspection dashboard

Taking a look at the cookie received revealed it was different from what I sent. So, I copied this cookie and pasted it into the report endpoint.

Report endpoint asking me to GTFO

Still, it didn't show me anything. I was stuck here for about a minute and I visited other endpoints and refreshed them. Then finally…

API Endpoint revealing the flag

And that’s how I was able to win the OSCP challenge with 90 days of lab access. I thank the Secarmy, Offensive Security, the organizers, and everyone who supported me.

Do it… Now!

--

--

Adithyan AK
Adithyan AK

Written by Adithyan AK

Hacker by Passion and Information Security Researcher by Profession

Responses (4)