Once everything has booted up we can visit the ip_address in the browser to see if there is anything happening on port 80. Right away we're greeted with a view of a gate and card reader. Analysing the network tab we can see a few API calls, but there is nothing that jumps out nor is there anything useful in the page's source code. Remember always check for low hanging fruit first.

The challenge description specifically mentioned ports, so let's get the port scans started. I like to start off with this scan. In a CTF setting we know that the host is online so we can use -Pn to speed up scan.

Apart from the typical ports we'd expect like 22, 80 we can see a few ports that stand out. Lets investigate these ports a little closer with a service and version scan.

This will show us that there is another web-app running on port 8080 and a service called vast-control on port 1880. Both of these are promising.

On port 8080 we find an OpenPLC portal running, we see a login and a release number. The first logical step is to search for the default credentials, openplc:openplc in this case. No luck, I tried a few other obvious combinations but got nothing. Next I decided to check ExpoitDB to see if the release number was a hint for an obvious exploit. No low hanging fruit there either. Time for another dir scan, this time on port 8080.

On this port we find an interface for an application called Node-RED, some internet searches later we learn that Node-RED is a Low-code programming for event-driven applications useful for everyone From home hobbyists to large scale industrial operations. We also learn that Node-RED can easily be misconfigured. Not uncommon for applications that cater to "No-Code". Let's start another dir scan.

The gobuster scans finished while we were investigating all the interfaces. Lets go check their results.
Port 80
Returned a single result for /console. While this initially sounds promising, it does not lead to anything.
Port 8080
Returned quite a few results, however all but the login page returns a 302, temporary redirect, response.
Port 1880
This scan also returned quite a few results, I started testing results from the top to the bottom. Focussing on the 200 results. Many of these simply returned .json data meant to be used by the dashboard.

I'll have to admit that at this point I thought I had hit another dead end. I was chasing all kinds of rabbit holes. Attempting to copy node ids into , running the dir scan with another wordlist, and searching for potential exploits on Node-RED and OpenPLC.

This challenge was marked as an easy one, that made it unlikely that it would require some advanced exploit. It finally clicked when I looked at the gobuster results again and realized that a 301 redirect is not a 302 redirect. The 301 is a permanent redirect, I started trying checking these results as well. Suddenly I was shown a screen with two toggles that I could control. I turned them both off and..