OOO archive --- DEF CON CTF

dc2019q - cant_even_unplug_it

Tags: intro, recon, web, good_first_challenge

by hacopo

This was a jeopardy challenge, part of dc2019q. (CTFtime)

Points: 102
Was solved by: 390 teams
This challenge is solved offline, there's no server side component.

Description

You know, we had this up and everything. Prepped nice HTML5, started deploying on a military-grade-secrets.dev subdomain, got the certificate, the whole shabang. Boss-man got moody and wanted another name, we set up the new names and all. Finally he got scared and unplugged the server. Can you believe it? Unplugged. Like that can keep it secret...

This was an easy challenge released at the start to welcome players -- but it also highlights an important development in web security.


Hints

Hint 1: See the public file :)
Hint 2: There were many ways to solve the final step at the time, but some caches may have been evicted. However, there's a very reliable Internet time machine...


Further (spoilery) pointers

How could this info be public? You can find the site in many archives, but remember: the only way to recover the first domain names is via certificate transparency, which is available for free to everyone: manually, but also via Google's or Facebook's interfaces, and the excellent crt.sh.
Why? Certificate transparency is important not only to keep CAs' power in check; it is also useful to detect abuses and, well, sometimes it provides recon in ways that were never possible before. There is interesting research on the topic, including on exploiting unsecured setup panels the moment they go up (Hanno Boeck has a talk on the topic).
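To make the last pointer concrete, here is an added example (not code from the challenge or from the OOO archive) of what a domain owner would run to see exactly what certificate transparency exposes about their domain and to catch certificates they did not expect. It follows the JSON output format of crt.sh (a list of objects whose `name_value` field carries the certificate's names separated by newlines), but the sample response below is constructed, and the function names `crtsh_query_url`, `names_from_crtsh` and `unexpected_names` are this example's own.

```python
import json
from urllib.parse import quote

# Constructed sample of the JSON array crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (real field names, made-up values).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2019-04-01T00:00:00", "not_after": "2019-06-30T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2019-06-20T00:00:00", "not_after": "2019-09-18T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.com",
     "name_value": "staging.example.com\n*.staging.example.com",
     "not_before": "2019-05-10T00:00:00", "not_after": "2019-08-08T00:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Some Other CA",
     "common_name": "old-name.example.com",
     "name_value": "OLD-NAME.example.com",
     "not_before": "2018-11-01T00:00:00", "not_after": "2019-01-30T00:00:00"},
])


def crtsh_query_url(domain: str) -> str:
    """Build the crt.sh JSON query for a domain and all of its subdomains.

    crt.sh matches with SQL LIKE syntax, so '%' is the wildcard and has to
    be URL-encoded as %25."""
    return "https://crt.sh/?q=" + quote("%." + domain, safe="") + "&output=json"


def names_from_crtsh(json_text: str) -> dict:
    """Map every DNS name found in any logged certificate to the sorted list
    of crt.sh certificate ids it appeared in.

    name_value holds all subject names of one certificate separated by
    newlines; DNS names are case-insensitive, so they are lower-cased."""
    seen = {}
    for entry in json.loads(json_text):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if not name:
                continue
            seen.setdefault(name, set()).add(entry["id"])
    return {name: sorted(ids) for name, ids in seen.items()}


def unexpected_names(names: dict, expected: set) -> list:
    """Defender's check: names present in CT logs that are not on the list
    of hostnames we knowingly issue certificates for. A hit is either a
    host the team forgot about (the 'unplugged' server of the challenge)
    or a certificate somebody else obtained for our domain."""
    expected_lc = {n.lower() for n in expected}
    return sorted(n for n in names if n not in expected_lc)


if __name__ == "__main__":
    print(crtsh_query_url("example.com"))
    found = names_from_crtsh(SAMPLE_CRTSH_JSON)
    for name, ids in sorted(found.items()):
        print(f"{name:24s} certificates: {ids}")
    print("not on allow-list:",
          unexpected_names(found, {"example.com", "www.example.com"}))
```

Run against a live crt.sh response instead of the constructed sample, the same two functions show why "unplugging" does nothing: every name that was ever put on a publicly trusted certificate stays in the logs, including an expired one such as `old-name.example.com` above. Running the allow-list comparison on a schedule is the cheap way to notice a forgotten host or an unauthorised issuance before someone else does.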

Source

Spoilers ahead! Code for this challenge is publicly available.