We were given a .onion URL, and the website has a “Flag” page that contains the hint for this challenge.
So basically, we need to identify the real IP of the website to get the flag. A hint was released that shed some light:
Information Gathering: where do we run our CTF infra.
From the hint above, we then identified the IP addresses of all wargames.my subdomains:
d2018.wargames.my 68.183.226.119
gooble.wargames.my 68.183.191.52
phpsbox.wargames.my 178.128.211.120
waf2.wargames.my 167.99.72.178
hackerman.wargames.my 68.183.229.27
The next step is to identify the hosts within the subnet that are listening on port 80. After going through all the hassle, we finally found one.
nmap -PN -p 80 --open 167.99.64.0/20 -oG - | awk '$NF~/http/{print $2}' >> DCSG.txt
and we get the list of hosts…[output snipped]
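Then write a simple script to grep each host's page for identifying information such as the title.
#!/bin/bash
# Fetch each candidate host and record only those whose page contains the target string.
date
while IFS= read -r host
do
    # -s hides the progress meter; --max-time 3 skips slow or dead hosts
    if curl -s --max-time 3 "http://$host" | grep -q 'No DB CMS'; then
        echo "$host" >> DCSGresult.txt
    fi
done < DCSG.txt
and it returns our expected result.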

Access the website using its IP address, and here is our flag.

Flag : wgmy{bawang_membawang_tok_pawang}
Lesson learned: use nmap's http-title script instead. 🙂
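The search above worked because the onion site's web server also answered on the host's public address. As an added example (not part of the original writeup), this check compares the backend ports named in a torrc with the machine's listening sockets and reports any backend that is bound beyond loopback; the sample torrc and `ss -ltn` output are constructed, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: audit an onion service host for backends reachable off-loopback.
# Both samples below are constructed for illustration, not taken from the challenge.
SAMPLE_TORRC='HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 127.0.0.1:8443'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      511    127.0.0.1:8443     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# exposed_backends TORRC_TEXT SS_TEXT  (hypothetical helper)
# Prints "port address" for every onion backend port that has a listener
# on a non-loopback address, i.e. one a subnet scan could reach directly.
exposed_backends() {
  # Backend port is the last ":"-separated field of the HiddenServicePort
  # target; with no target given, Tor forwards to the virtual port itself.
  _ports=$(printf '%s\n' "$1" | awk '
    $1 == "HiddenServicePort" {
      t = (NF >= 3) ? $3 : $2
      n = split(t, a, ":")
      printf "%s ", a[n]
    }')
  printf '%s\n' "$2" | awk -v ports="$_ports" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
      if ((port in want) && host !~ /^127\./ && host != "[::1]")
        print port " " host
    }'
}

# Run on the constructed samples; on a real host the inputs would be the
# contents of the torrc file and the output of: ss -ltn
exposed_backends "$SAMPLE_TORRC" "$SAMPLE_SS"
```

An empty result means every backend port named in the torrc is bound to loopback only.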