Follow Me
[Web]
Follow Me [100]
Let's start here. https://7aimehagbl.neverlanctf.com
Recon
curl -i https://7aimehagbl.neverlanctf.com/
HTTP/2 302
server: nginx
date: Sat, 08 Feb 2020 16:58:57 GMT
content-type: text/html; charset=UTF-8
location: http://zesnh7ir95.neverlanctf.com
strict-transport-security: max-age=31536000; includeSubDomains; preload
Redirecting you to zesnh7ir95.neverlanctf.com
Let curl follow all the redirects:
curl -iL https://7aimehagbl.neverlanctf.com/ --max-redirs 99999
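At the same time, capture the traffic with Wireshark. The redirect above points to a plain http:// URL, so the response bodies are readable in the capture. Let it run for a while, then filter the results in Wireshark: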
(ip.src == 159.65.75.153) && (data-text-lines)
The redirect responses are all 406 in length; the only exceptions are the lines that contain the flag, which are 557 in length:
Line-based text data: text/html (8 lines)
<!doctype html>\n
<html>\n
\t<head><title>Wait.</title></head>\n
\t<body>\n
\t\t<h1>Welcome</h1>\n
\t\t<p>flag{d0nt_t3ll_m3_wh3r3_t0_g0}</p>\n
\t</body>\n
</html>\n
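The same search for the odd-sized response can be done without a packet capture by following each Location header by hand and comparing body sizes (body length here, not the frame length Wireshark shows). This is an added example, not part of the original writeup; the example.test hosts, the CHAIN data and the function names are constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from collections import Counter
from urllib.parse import urljoin

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not auto-follow; the 3xx surfaces as HTTPError

def http_fetch(url):
    """Fetch one hop over the network; return (status, Location, body)."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        resp = opener.open(url, timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a body
        resp, status = err, err.code
    return status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")

def walk(start, fetch=http_fetch, max_hops=50):
    """Follow Location headers manually, keeping every hop's body."""
    hops, seen, url = [], set(), start
    while url and url not in seen and len(hops) < max_hops:  # stop on loops
        seen.add(url)
        status, location, body = fetch(url)
        hops.append({"url": url, "status": status, "size": len(body), "body": body})
        url = urljoin(url, location) if location else None
    return hops

def outliers(hops):
    """Hops whose body size differs from the most common size."""
    if not hops:
        return []
    common = Counter(h["size"] for h in hops).most_common(1)[0][0]
    return [h for h in hops if h["size"] != common]

# Constructed chain (hypothetical hosts): three hops that loop, one odd body.
CHAIN = {
    "http://a.example.test/": (302, "http://b.example.test/", "Redirecting you to b.example.test"),
    "http://b.example.test/": (302, "http://c.example.test/", "<h1>Welcome</h1><p>flag{constructed_example}</p>"),
    "http://c.example.test/": (302, "http://a.example.test/", "Redirecting you to a.example.test"),
}

if __name__ == "__main__":
    for hop in outliers(walk("http://a.example.test/", fetch=lambda u: CHAIN[u])):
        print(hop["status"], hop["url"], hop["size"], re.findall(r"flag\{[^}]*\}", hop["body"]))
```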
Flag
flag{d0nt_t3ll_m3_wh3r3_t0_g0}