If you’re playing a CTF and you don’t find anything interesting on the main host, there’s a decent chance the path forward lies elsewhere, for example on a subdomain (SB).
If it’s a very easy CTF, you will probably get some hints, like unusual HTML comments or even a direct link to that SB in the source code.
The scenario may involve a careless dev team that uses SBs like
Unfortunately, it is rarely that easy. You might be on your own without any hint, and it would be time-consuming to guess the SB.
In such case, there’s very little chance you can solve the CTF if you don’t know some tools and wordlists.
This is far from being an exhaustive list. There are many other approaches, including Python scripts and other utilities. I won’t mention them because I’m less comfortable with these tools, not because they’re not worth it.
I will refer to “subdomain” as “SB” throughout this post for convenience. Sorry for the potential impact on readability.
CTFs usually provide machines that are hosted on cloud platforms such as AWS and can be initiated on demand (e.g., containers).
Once the machine is ready, you get an IP you can use for basic enumeration (e.g., Nmap, Gobuster, Nikto). It’s cool, but not user-friendly.
You can point a domain of “your choice” to that IP in the /etc/hosts file on the attacker’s machine:
# /etc/hosts
IP ctfdomain.platform
N.B.: some CTFs will explicitly ask you to add the domain name to your hosts before anything to ensure everything goes as planned.
The above Google dork could reveal SBs on a real target but, unfortunately, most CTFs do not work like that: the machine sits on a private IP range that is only reachable over the platform’s VPN and has no public DNS records, so there is nothing for a search engine to index.
The hacking platform will likely invite you to use a VPN connection (e.g., OpenVPN config) to play the CTF.
Forget about online scanning tools.
What you need is to apply some DNS pentesting techniques. Here are a few tools and techniques that can be rewarding during CTFs.
The dig command can be used for DNS pentesting. It is pre-installed on Kali Linux, and you can install it on other Linux distributions easily. For example, on a Debian-based distro like Ubuntu, type:
sudo apt install dnsutils -y
On current Debian and Ubuntu releases dig actually ships in the bind9-dnsutils package; dnsutils is kept as a transitional package that pulls it in, so the command above still works.
Then you can use the following command to dump every record in the zone, including any “hidden” CNAME or A record:
dig axfr ctfdomain.platform @IP_MACHINE
axfr stands for AXFR, the DNS query type used for a full zone transfer: an authoritative server sends the complete zone, over TCP port 53, to another server that replicates it. What we abuse here is a misconfiguration rather than a protocol flaw: the server accepts transfer requests from any client (for example allow-transfer { any; }; in BIND) instead of restricting them to its secondaries, so anyone can list every host in the domain without authentication.
It’s not supposed to work on a properly configured server, but in the context of a CTF it will likely pass. If dig answers “Transfer failed.” or the server returns REFUSED, try this:
dig ANY ctfdomain.platform @IP_MACHINE
Keep in mind that ANY only returns the records attached to the exact name you query, never its subdomains, and many servers now refuse it or answer with a minimal HINFO record (RFC 8482). Querying NS, MX and TXT individually often reveals hostnames that ANY would not.
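The same transfer done by hand, as an added example that is not from the original post: a pure-Python (standard library only) AXFR client that sends the length-prefixed query over TCP, decodes the answer (including compressed names), stops at the second SOA as RFC 5936 requires, and turns the owner names into an /etc/hosts line. It raises on a non-zero RCODE so a REFUSED answer is reported instead of parsed as an empty zone. ctfdomain.platform, ns1/admin and 10.10.10.10 are placeholders, and sample_response() is a constructed message, not a capture from any real server, so the parser can be exercised offline.

```python
import socket
import struct

QTYPE_AXFR = 252            # zone-transfer query type (RFC 5936)
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Dotted name -> DNS wire labels (length byte + label ..., terminated by NUL)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1337):
    """12-byte header (id, flags=0, QDCOUNT=1) followed by one question of type AXFR, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset just after it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                           # the name occupies only the 2 pointer bytes
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_records(msg):
    """Return [(owner, type, rdata)] for the answer section of one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise RuntimeError(f"RCODE {flags & 0xF} (5 = REFUSED: this server does not allow transfers from you)")
    off = 12
    for _ in range(qd):                                 # skip the echoed question (name + type + class)
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (2, 5):                           # NS / CNAME rdata is a (compressible) name
            rdata = decode_name(msg, off)[0]
        else:
            rdata = msg[off:off + rdlen].hex()
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), rdata))
        off += rdlen
    return records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def zone_transfer(zone, server, port=53, timeout=5.0):
    """AXFR over TCP: every message is 2-byte length prefixed; the zone ends with a second SOA."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            batch = parse_records(_recv_exact(s, length))
            if not batch:
                break
            soa_seen += sum(1 for _, t, _ in batch if t == "SOA")
            records.extend(batch)
    return records


def hosts_line(records, ip):
    """One /etc/hosts line mapping every A/CNAME owner found in the zone to the CTF box IP."""
    names = sorted({n for n, t, _ in records if t in ("A", "CNAME")})
    return f"{ip} " + " ".join(names)


def sample_response():
    """Constructed AXFR answer (not captured from a real server): SOA, A, CNAME, SOA."""
    ptr = b"\xc0\x0c"                                   # compression pointer to the question name at offset 12
    soa_rdata = b"\x03ns1" + ptr + b"\x05admin" + ptr + struct.pack("!IIIII", 1, 3600, 600, 86400, 60)
    soa = ptr + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    a = b"\x03www" + ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("10.10.10.10")
    cname = b"\x03dev" + ptr + struct.pack("!HHIH", 5, 1, 3600, 6) + b"\x03www" + ptr
    header = struct.pack("!HHHHHH", 0x1337, 0x8400, 1, 4, 0, 0)   # QR=1, AA=1, RCODE=0, 4 answers
    return header + encode_name("ctfdomain.platform") + struct.pack("!HH", QTYPE_AXFR, 1) + soa + a + cname + soa


if __name__ == "__main__":
    # Live use against the box: records = zone_transfer("ctfdomain.platform", "IP_MACHINE")
    records = parse_records(sample_response())
    for owner, rtype, rdata in records:
        print(f"{owner:30} {rtype:6} {rdata}")
    print(hosts_line(records, "10.10.10.10"))
```

The second-SOA rule matters because a large zone arrives in several TCP messages; reading only the first one silently drops records. In a CTF every name usually resolves to the one box, which is why hosts_line maps all owners to a single IP instead of trusting the A records.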
Metasploit is a phenomenal framework that provides various modules to speed up hacking.
You can use the following module to enumerate DNS:
msf > use auxiliary/gather/enum_dns
msf > show options
The show options command will display all options you can tweak using the
I like to use SecLists, “the security tester’s companion.” It’s a collection of wordlists you can use for various brute-force attacks.
One of them is particularly efficient for SB fuzzing or brute force: the file dns-Jhaddix.txt.
I’ve used it in several CTFs with a high success rate.
wfuzz -c -H "Host: FUZZ.ctfdomain.platform" -u http://IP_MACHINE/ -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
Note what this command actually does: it is not a DNS brute force. Every request goes to the same IP and only the Host header changes, so you are enumerating name-based virtual hosts on the web server. There is no NXDOMAIN to tell you a name is wrong: the server answers every candidate, usually with its default site, so a hit is a response whose size, word count or status code differs from that default. Run it once without filters, note the size of the default response, then hide it with --hh <chars> (or --hw <words>, --hc <code>) so that only the candidates that stand out remain.
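Here is what the wfuzz command does, as an added example in Python that is not part of the original post: every request targets the same IP, only the Host header changes, and each candidate is compared against a baseline taken from random names that cannot exist, so only responses that differ from the default site are reported. When the default page is dynamic (its size changes on every request) the baseline degrades to a status-only comparison instead of flagging every word. The IP, domain and wordlist path are placeholders; fake_fetcher() is a constructed stand-in for the CTF box so the demo runs offline, and http_fetcher() is the real thing.

```python
import http.client
import random
import string
from typing import Callable, Iterable, List, Tuple

Fingerprint = Tuple[int, int]                  # (HTTP status, body length in bytes)
Fetcher = Callable[[str], Fingerprint]         # Host header value -> fingerprint


def http_fetcher(ip: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> Fetcher:
    """Fetcher that hits the same IP every time and only varies the Host header (vhost fuzzing)."""
    def fetch(host: str) -> Fingerprint:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host, "User-Agent": "vhost-fuzz"})
            resp = conn.getresponse()
            return resp.status, len(resp.read())
        finally:
            conn.close()
    return fetch


def fake_fetcher(vhosts: dict, default: Fingerprint = (200, 1234)) -> Fetcher:
    """Constructed stand-in for the CTF box (no real traffic): known vhosts return their own
    fingerprint, every other Host header falls through to the default site."""
    return lambda host: vhosts.get(host, default)


def baseline(fetch: Fetcher, domain: str, samples: int = 3) -> Fingerprint:
    """Fingerprint the default vhost by requesting random names that cannot exist."""
    seen = set()
    for _ in range(samples):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        seen.add(fetch(f"{label}.{domain}"))
    if len(seen) != 1:
        # Dynamic pages (CSRF tokens, timestamps) change size per request: compare on status only,
        # signalled by a size of -1, rather than reporting every word as a hit.
        statuses = {status for status, _ in seen}
        if len(statuses) == 1:
            return (statuses.pop(), -1)
        raise RuntimeError(f"unstable default response, cannot build a baseline: {sorted(seen)}")
    return seen.pop()


def matches(fp: Fingerprint, base: Fingerprint) -> bool:
    """A response matches the default when status and size agree (size is ignored if base size is -1)."""
    return fp[0] == base[0] and (base[1] == -1 or fp[1] == base[1])


def find_vhosts(fetch: Fetcher, domain: str, words: Iterable[str]) -> List[Tuple[str, int, int]]:
    """Return (hostname, status, size) for every candidate that does not look like the default site."""
    base = baseline(fetch, domain)
    hits = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        host = f"{word}.{domain}"
        fp = fetch(host)
        if not matches(fp, base):
            hits.append((host, fp[0], fp[1]))
    return hits


if __name__ == "__main__":
    # Offline demo on the constructed box. For a real target use instead:
    #   fetch = http_fetcher("IP_MACHINE")
    #   words = open("/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt")
    fetch = fake_fetcher({
        "dev.ctfdomain.platform": (200, 5120),      # a different site: real vhost
        "admin.ctfdomain.platform": (302, 0),       # redirect to a login page: real vhost
    })
    for host, status, size in find_vhosts(fetch, "ctfdomain.platform", ["www", "dev", "admin", "mail"]):
        print(f"{status} {size:>6} {host}")
```

The loop is deliberately sequential so the logic stays readable; against a real box with the large Jhaddix list you would wrap fetch() in a thread pool and add a small size tolerance to matches() if the default page embeds the requested hostname.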
When you have found the SB, don’t forget to add it to your /etc/hosts file as well:
# /etc/hosts
IP subdomain.ctfdomain.platform ctfdomain.platform
After that, you will be able to perform additional scans and, perhaps, navigate to the SB directly in the browser.
We saw a few resources that help enumerate SBs during CTFs. In my experience, it’s usually enough to get to the next step, but some authors like to make things harder.
In that case, try harder!