DEFCON 27 CTF Quals – CANT_EVEN_UNPLUG_IT. Writeup.

Tags: INTRO, RECON, WEB

Task: You know, we had this up and everything. Prepped nice HTML5, started deploying on a military-grade-secrets.dev subdomain, got the certificate, the whole shabang. Boss-man got moody and wanted another name, we set up the new names and all. Finally he got scared and unplugged the server.

Can you believe it? Unplugged. Like that can keep it secret…

Solution:

1. When accessing the site we see this:

2. So we should check resource records:

$ dig military-grade-secrets.dev
...
;; QUESTION SECTION:
;military-grade-secrets.dev.    IN      A

;; AUTHORITY SECTION:
military-grade-secrets.dev. 573 IN      SOA     ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 8 21600 3600 259200 300

There is no ANSWER SECTION, so the domain has no A record.

3. Then we can check the domain history and 3rd-level subdomains. I used this service for it: https://securitytrails.com/domain/military-grade-secrets.dev/dns. There I found these subdomains:

In the history of the domain I didn’t find any A records:

So we should focus on the subdomains secret-storage.military-grade-secrets.dev and now.under.even-more-militarygrade.pw.military-grade-secrets.dev.

4. When we try to access these sites, we are redirected to https://forget-me-not.even-more-militarygrade.pw, which is not available:

5. Let’s find a cached copy of this site. For this I used http://www.cachedpages.com/.

Here I found a snapshot created on April 27:

And here was the flag: OOO{DAMNATIO_MEMORIAE}:
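The check from step 2, as an added example (not part of the original writeup): a Python parser for dig output that tells NXDOMAIN apart from a name that still exists but has no A record. The second case is what the SOA-only reply above shows, and it is why the zone is still worth enumerating. The header line in the sample is constructed, since the writeup elides it; the function names are hypothetical.

```python
import re

# Constructed sample: the dig output from step 2 with a typical header added
# (the writeup elides the header, so the status line here is an assumption).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242

;; QUESTION SECTION:
;military-grade-secrets.dev.    IN      A

;; AUTHORITY SECTION:
military-grade-secrets.dev. 573 IN      SOA     ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 8 21600 3600 259200 300
"""

def parse_dig(text):
    """Split dig output into the rcode and the records of each section."""
    result = {"status": None, "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        m = re.search(r"status: (\w+)", line)
        if line.startswith(";;") and m:
            result["status"] = m.group(1)
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line.strip():          # a blank line ends the current section
            section = None
            continue
        if section in result and not line.startswith(";"):
            fields = line.split(None, 4)   # name, ttl, class, type, rdata
            if len(fields) == 5:
                result[section].append(
                    {"name": fields[0], "type": fields[3], "rdata": fields[4]})
    return result

def classify(text, rtype="A"):
    """Return NXDOMAIN, ANSWER, NODATA (name exists, no such record) or UNKNOWN."""
    r = parse_dig(text)
    if r["status"] == "NXDOMAIN":
        return "NXDOMAIN"
    if any(rec["type"] == rtype for rec in r["ANSWER"]):
        return "ANSWER"
    # Empty answer plus an SOA in AUTHORITY: the zone is still served,
    # only this record type is missing, so other names may still resolve.
    if any(rec["type"] == "SOA" for rec in r["AUTHORITY"]):
        return "NODATA"
    return "UNKNOWN"
```

Run against the output shown in step 2 (with or without the header), `classify` returns `NODATA`: the server is unplugged, but the zone and its names are still published.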