"For anyone focused on identifying and reducing attack surface quickly, Randori should be on your shortlist."

Let’s be transparent about this. (Derpcon CTF Challenge 2)

Evan Anderson

The second challenge I made for the https://derpcon.io CTF (read about the first challenge here) was a medium difficulty challenge starting at https://derp.randori.com. The idea was to utilize some modern reconnaissance techniques and hide in plain sight, similar to system configurations I have seen in the past.

As before let’s take a look at the source and see if there are any hints. Right click -> View Page Source

View Source

Looking at the HTML we see comments that lead me to believe there is some other environment at play. The comment tells me a developer has made sure something has to be removed before being released to prod. This makes me think there must be some sort of staging or development environment.

Comments are our friends

Certificate Transparency Logs

Certificate Transparency Logs were created to help domain owners, CAs, and domain users aware of what certificates were being issued to help them discover erroneous or maliciously issued certificates. We can utilize these logs to see what host names have been, or are in use for particular domains.

There are many places these logs are stored, for this example we will use https://crt.sh
A query on crt.sh for %.randori.com will reveal the last certificate they registered was for https://derp-dev.randori.com and https://derp.randori.com. This fits with our guess that there must be a dev site somewhere.


Sadly that hostname does not resolve.

No Resolution

TLS Certificate

Another place we can look for information about a website is the TLS certificate. Certificates can often divulge information about systems.

Cert Info

Yummy Details

For my command line junkies where is a ugly one-liner


Seeing the DNS name in the certificate gives us a hint that this site might be doing double duty.

Often with virtual hosts, servers will respond differently depending on what host is set in the HTTP request. Let’s give it a try and see if anything changes.


Now let’s try with the host header set…

Our Flag

That does it. Hopefully the challenge was fun and folks got to learn something about TLS, Certificate logs, virtual hosts.

Thanks again to the hosts of derpcon.io for a wonderful virtual conference.

Originally posted on blog.syndrowm.com