Assignment 1 Writeup

Assignment 1 for webapps was mostly recon with a little SQLi. For the SQLi it was pretty much just throwing "and or True" style input into the login to get the first flag, and then the second was the same but into the cookie, which is something not often thought of.
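An added example (not code from the assignment or this post) of why the cookie matters as much as the login form: both are request input, and both are injectable when concatenated into SQL, while a parameterized query closes both. The schema, function names and sample values are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: one user with a password and a session token.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, session TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'pw-constructed', 'a1b2c3')")
    return db

def _first(db, sql, params=()):
    row = db.execute(sql, params).fetchone()
    return row[0] if row else None

# --- Vulnerable: request data is pasted into the SQL text ---
def login_vulnerable(db, name, password):
    return _first(db, "SELECT name FROM users WHERE name = '" + name +
                      "' AND password = '" + password + "'")

def session_vulnerable(db, cookie):
    # The cookie is attacker-controlled too; this is the same bug as above.
    return _first(db, "SELECT name FROM users WHERE session = '" + cookie + "'")

# --- Hardened: placeholders keep input as data, never as SQL ---
def login_safe(db, name, password):
    return _first(db, "SELECT name FROM users WHERE name = ? AND password = ?",
                  (name, password))

def session_safe(db, cookie):
    return _first(db, "SELECT name FROM users WHERE session = ?", (cookie,))

# Tautology-style input of the kind described above (constructed).
TAUTOLOGY = "' OR 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("form, vulnerable:  ", login_vulnerable(db, "x", TAUTOLOGY))
    print("cookie, vulnerable:", session_vulnerable(db, TAUTOLOGY))
    print("form, safe:        ", login_safe(db, "x", TAUTOLOGY))
    print("cookie, safe:      ", session_safe(db, TAUTOLOGY))
```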

As for the recon component, we pretty much just had to find as many subdomains as possible. I went through a few techniques, and a lot of brute forcing. I checked out Shodan for a reverse IP lookup, DNSDumpster for a few records, and Censys to look for subdomains that had certificates associated with them (along with the help of censys-subdomain-finder, which proved very useful after sorting out false positives, from previous years I'm guessing). I also checked out DNS records through dig (among others) and caught a couple of flags in text records. On top of all that was brute forcing; I tried out a few tools and wordlist generation strategies for finding sub.subdomains.

I think the bruteforcing went pretty well, and I found about half of the flags that needed to be bruteforced, which means the only flaw in my strategy was not using more wordlists, which I can live with. Came out with an 80, so pretty good overall. I must say that assignment 2 has been much more interesting so far, so get keen for the writeup in a couple of weeks.
