Tags: web pentest 

Rating: 4.3

# pentest (298pt)

Solves: 1

This write-up was made per request of other players who were playing ASIS CTF.

Note: I solved this challenge before the hint was released. \o/

## Description

We got a suspicious [web service](http://ca12379f1163ff045b3ac80842d15bdb.gdn/) which does nothing at all. If you have time to test it, please help me to leak out all data from it. Thanks!

Hint: The server keeps your access log on submission.

## Solution

By searching around for a bit, `contact.php` had a very suspicious content.

```
<h5>By clicking send button, you hereby agree that all your access information are allowed to be reviewed.<h4>

```

By analyzing the `contact.php`, there was a weird URL check in Referer header.

```
POST /contact.php HTTP/1.1
Host: ca12379f1163ff045b3ac80842d15bdb.gdn
Connection: keep-alive
Content-Length: 109
Pragma: no-cache
Cache-Control: no-cache
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4,zh-CN;q=0.2,zh;q=0.2
Referer: file:///etc/passwd
Cookie: __cfduid=d22559f51eaf8ee0cd770a1564dc3f8f81473527951

fname=name&address=http%3A%2F%2Flocalhost&email=root%40localhost&phone=phone+number&message=message&send=send

HTTP/1.1 200 OK
Date: Sun, 11 Sep 2016 15:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 2e0c1e2bbfde3a54-ICN

3aa
(... skipped some tags ..)
<div id="body">Invalid
6
param.
0
```

Then I changed the Referer to ```https://ctf.stypr.com/test.php``` and got an real IP address of the domain.

For further pentesting, I assumed that discovering real IP would be the best (cloudflare is a cdn service for websites, so it won't point out server's IP addresses.) way to work out, to inspect deeper parts of service.

```
66.172.33.176 (-) [11/Sep/2016:12:31:48 +0900] "GET /test.php HTTP/1.1" 200 505 "-" 0.005
```

From here, I used nmap to see if there are any vulnerable ports open.

```
$ nmap -sT 66.172.33.176 -p1024-10240

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 12:41 JST
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.79% done; ETC: 00:27 (0:00:33 remaining)
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.48% done; ETC: 00:27 (0:00:17 remaining)
Nmap scan report for ip-66-172-33-176.chunkhost.com (66.172.33.176)
Host is up (0.11s latency).
Not shown: 10157 closed ports
PORT STATE SERVICE
3702/tcp filtered unknown
6226/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 54.48 seconds
```

Then I connected to the 6226 port to check for available commands, and then realized that it was redis running behind.

```
$ nc 66.172.33.176 6226
HELP
-ERR unknown command 'HELP'
INFO
-NOAUTH Authentication required.
AUTH stypr
-ERR invalid password
```

There are a lot of redis brute force attacking tools available online, however, I made my own brute forcer since it's easy to make and tools like [enteletaor](https://github.com/cr0hn/enteletaor) didn't work out well.

I used the top [10000 password wordlist](https://github.com/cr0hn/enteletaor/blob/master/enteletaor_lib/resources/wordlist/10_million_password_list_top_10000.txt) and got the correct authentication with the password `crunch`.

Then I looked and googled for any possible redis vulnerability and found this good [resource](http://antirez.com/news/96).

Now the only left part to find is to look for the correct username.

Since that the website was made by `acid` (as seen in footer of the website), I assumed the username is `acid` and wrote an exploit for the challenge.

Please check [exploit.py](exploit.py) to view the sourcecode.

```
$ python exploit.py
Password: crunch
OK
OK
OK
OK
OK
ASIS{55ab63e61cac968dd1da217dab2d86b8}
Connection to 66.172.33.176 closed.
```

## Flag

`ASIS{55ab63e61cac968dd1da217dab2d86b8}`