Tags: web pentest
# pentest (298pt)
This write-up was made per request of other players who were playing ASIS CTF.
Note: I solved this challenge before the hint was released. \o/
We got a suspicious [web service](http://ca12379f1163ff045b3ac80842d15bdb.gdn/) which does nothing at all. If you have time to test it, please help me to leak out all data from it. Thanks!
Hint: The server keeps your access log on submission.
By searching around for a bit, `contact.php` had a very suspicious content.
<h5>By clicking send button, you hereby agree that all your access information are allowed to be reviewed.<h4>
By analyzing the `contact.php`, there was a weird URL check in Referer header.
POST /contact.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
HTTP/1.1 200 OK
Date: Sun, 11 Sep 2016 15:22:57 GMT
Content-Type: text/html; charset=UTF-8
(... skipped some tags ..)
Then I changed the Referer to ```https://ctf.stypr.com/test.php``` and got an real IP address of the domain.
For further pentesting, I assumed that discovering real IP would be the best (cloudflare is a cdn service for websites, so it won't point out server's IP addresses.) way to work out, to inspect deeper parts of service.
220.127.116.11 (-) [11/Sep/2016:12:31:48 +0900] "GET /test.php HTTP/1.1" 200 505 "-" 0.005
From here, I used nmap to see if there are any vulnerable ports open.
$ nmap -sT 18.104.22.168 -p1024-10240
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 12:41 JST
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.79% done; ETC: 00:27 (0:00:33 remaining)
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.48% done; ETC: 00:27 (0:00:17 remaining)
Nmap scan report for ip-66-172-33-176.chunkhost.com (22.214.171.124)
Host is up (0.11s latency).
Not shown: 10157 closed ports
PORT STATE SERVICE
3702/tcp filtered unknown
6226/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 54.48 seconds
Then I connected to the 6226 port to check for available commands, and then realized that it was redis running behind.
$ nc 126.96.36.199 6226
-ERR unknown command 'HELP'
-NOAUTH Authentication required.
-ERR invalid password
There are a lot of redis brute force attacking tools available online, however, I made my own brute forcer since it's easy to make and tools like [enteletaor](https://github.com/cr0hn/enteletaor) didn't work out well.
I used the top [10000 password wordlist](https://github.com/cr0hn/enteletaor/blob/master/enteletaor_lib/resources/wordlist/10_million_password_list_top_10000.txt) and got the correct authentication with the password `crunch`.
Then I looked and googled for any possible redis vulnerability and found this good [resource](http://antirez.com/news/96).
Now the only left part to find is to look for the correct username.
Since that the website was made by `acid` (as seen in footer of the website), I assumed the username is `acid` and wrote an exploit for the challenge.
Please check [exploit.py](exploit.py) to view the sourcecode.
$ python exploit.py
Connection to 188.8.131.52 closed.