I’m a couple of weeks late on this, but here’s a quick writeup of the OOO (DEF CON 2019 quals) recon and web challenge called “cant_even_unplug_it”. Here’s the prompt:
There’s also a hint, which is:
Hint: these are HTTPS sites. Who is publicly and transparently logging the info you need?
Just in case: all info is freely accessible, no subscriptions are necessary. The names cannot really be guessed.
If we check “military-grade-secrets.dev”, there’s nothing there.
Doing any kind of DNS lookup doesn’t really help us:
So now what?
To the rescue: Google’s HTTPS Transparency Report. The stated goal of Google’s Transparency Report is:
Sharing data that sheds light on how the policies and actions of governments and corporations affect privacy, security, and access to information.
That’s nice, but how does it help us solve this challenge?
The CTF challenge prompt said they “got the certificate” for the domain. If that’s true, then we should be able to find a record of it through the transparency report, since certificate authorities (CAs) submit the certificates they issue to public Certificate Transparency logs, which Google’s report indexes.
If we search for our “military-grade-secrets.dev” domain, and include subdomains:
We get back the following results:
There are some duplicate results, since Let’s Encrypt certs are short-lived and each renewal is logged as a new certificate, whereas certs from other CAs are renewed less often.
Two three subdomains
The two domains in question are:
If we visit either of these sites, we get redirected to yet another site: https://forget-me-not.even-more-militarygrade.pw/
Unfortunately for us, there’s nothing there. Bummer.
But the original challenge text says the website got unplugged. Of course, thanks to the Wayback Machine, nothing is ever truly gone from the internet (well, sorta).
If we visit https://forget-me-not.even-more-militarygrade.pw/ through the Internet Archive, we see a cheeky template site:
And our flag!
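The two lookups above (a Certificate Transparency search, then a Wayback Machine check) can be scripted. The block below is an added example, not code from the original writeup: it collapses CT rows into one entry per hostname so renewals stop looking like separate hosts, flags hosts that are absent from an asset inventory (the same view a defender uses when monitoring CT for certificates nobody requested), and parses a Wayback availability response. The sample records are constructed to mimic the JSON shapes of crt.sh (`https://crt.sh/?q=%25.<domain>&output=json`) and `https://archive.org/wayback/available?url=<site>`; hostnames such as `subdomain-a.military-grade-secrets.dev`, the issuer strings and the timestamps are placeholders, not the real challenge values.

```python
"""Added example (not from the original writeup): CT result de-duplication and
Wayback availability parsing, run offline against constructed sample data."""
import json
from urllib.parse import quote

# --- constructed sample data (shape of crt.sh JSON output; values are placeholders)
CT_SAMPLE_JSON = """[
  {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "subdomain-a.military-grade-secrets.dev",
   "name_value": "subdomain-a.military-grade-secrets.dev",
   "not_before": "2019-02-01T00:00:00", "not_after": "2019-05-02T00:00:00"},
  {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "subdomain-a.military-grade-secrets.dev",
   "name_value": "subdomain-a.military-grade-secrets.dev",
   "not_before": "2019-04-20T00:00:00", "not_after": "2019-07-19T00:00:00"},
  {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "subdomain-b.military-grade-secrets.dev",
   "name_value": "subdomain-b.military-grade-secrets.dev\\nwww.subdomain-b.military-grade-secrets.dev",
   "not_before": "2019-04-25T00:00:00", "not_after": "2019-07-24T00:00:00"},
  {"id": 1004, "issuer_name": "C=XX, O=Example CA (constructed)",
   "common_name": "military-grade-secrets.dev",
   "name_value": "*.military-grade-secrets.dev\\nmilitary-grade-secrets.dev",
   "not_before": "2018-11-01T00:00:00", "not_after": "2019-11-01T00:00:00"}
]"""

# Constructed Wayback availability responses; the timestamp is a placeholder.
WAYBACK_HIT = {
    "url": "https://forget-me-not.even-more-militarygrade.pw/",
    "archived_snapshots": {"closest": {
        "status": "200", "available": True, "timestamp": "20190512000000",
        "url": "http://web.archive.org/web/20190512000000/https://forget-me-not.even-more-militarygrade.pw/"}}}
WAYBACK_MISS = {"url": "https://example.invalid/", "archived_snapshots": {}}


def load_ct_sample():
    """Parse the constructed crt.sh-style records (each crt.sh row is one certificate)."""
    return json.loads(CT_SAMPLE_JSON)


def ct_query_url(domain):
    """Live crt.sh query for a domain and all its subdomains ('%25' is a URL-encoded '%')."""
    return "https://crt.sh/?q=%25." + quote(domain) + "&output=json"


def wayback_query_url(site):
    """Live Wayback Machine availability query for a URL."""
    return "https://archive.org/wayback/available?url=" + quote(site, safe="")


def summarize_ct(records, base_domain):
    """Collapse CT rows into one entry per hostname under base_domain.

    name_value holds every SAN of the certificate, newline-separated. Each entry
    keeps the certificate count, issuing CAs and first/last issuance dates, so a
    host renewed several times shows up once instead of once per renewal."""
    base = base_domain.lower()
    summary = {}
    for rec in records:
        for raw in rec["name_value"].split("\n"):
            host = raw.strip().lower()
            if not host:
                continue
            bare = host[2:] if host.startswith("*.") else host
            if bare != base and not bare.endswith("." + base):
                continue  # a SAN outside the domain we asked about
            entry = summary.setdefault(host, {"certs": 0, "issuers": set(),
                                              "first_seen": rec["not_before"],
                                              "last_seen": rec["not_before"]})
            entry["certs"] += 1
            entry["issuers"].add(rec["issuer_name"])
            # ISO-8601 strings compare correctly as plain strings
            entry["first_seen"] = min(entry["first_seen"], rec["not_before"])
            entry["last_seen"] = max(entry["last_seen"], rec["not_before"])
    return summary


def unexpected_hosts(summary, inventory):
    """Hosts seen in CT that are not in your asset inventory.

    For a defender this is the CT-monitoring alarm; in the CTF it is the list of
    candidate sites to visit."""
    known = {h.lower() for h in inventory}
    return sorted(h for h in summary if h not in known)


def wayback_snapshot(availability):
    """Return the archived URL from a Wayback availability response, or None.

    The API returns an empty archived_snapshots object when nothing was ever
    captured; a capture whose status is not 200 is also treated as no copy."""
    closest = availability.get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available") or closest.get("status") != "200":
        return None
    return closest["url"]


if __name__ == "__main__":
    summary = summarize_ct(load_ct_sample(), "military-grade-secrets.dev")
    for host, info in sorted(summary.items()):
        print(f"{host:45} certs={info['certs']} first={info['first_seen'][:10]} "
              f"last={info['last_seen'][:10]}")
    inventory = {"military-grade-secrets.dev", "*.military-grade-secrets.dev"}
    print("not in inventory:", unexpected_hosts(summary, inventory))
    print("archived copy:", wayback_snapshot(WAYBACK_HIT))
    print("archived copy:", wayback_snapshot(WAYBACK_MISS))
```

To run it against real data, fetch `ct_query_url(domain)` and pass the decoded JSON list to `summarize_ct`, then fetch `wayback_query_url(site)` for any host that no longer answers; the inventory set is whatever your own DNS or asset records say should exist.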
P.S. While this was a fun challenge, the HTTPS Transparency Report turned out to be useful in real life too. I was able to recommend it to a friend and expedite an IT request.