How I hacked hackers in Voorivex Hunt Event

snoopy
3 min read · Apr 19, 2023


Hey wonderful people. The story begins when I heard “Voorivex”, my hacker idol is gonna hold a hunt event. I got so excited, and I definitely wanted to hack on it.

The event started, and I began looking around the subdomains to see how everything worked.

But unfortunately there was an aggressive Cloudflare configuration that didn’t let me do anything. Almost every request I sent was met with this page.

Bummer :|

So I decided to find at least one origin IP in order to bypass Cloudflare and get rid of it.

First, I tried Securitytrails:

curl --request GET --url https://api.securitytrails.com/v1/history/notsafe.shop/dns/a --header 'apikey: MY-API-KEY' >> security-trails-IPs.txt

grep -oE "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" security-trails-IPs.txt | sort -u >> unique-ips.txt

But all the IPs belonged to Cloudflare :(

Then I tried ping, nslookup and dig on all subdomains, but didn’t get any origin IP.

All of a sudden, I remembered the main domain is a WordPress website, so I had one more thing to try …

xmlrpc.php

If xmlrpc.php is active, a harmless blind SSRF attack can be performed and the origin IP obtained.

So I sent the “pingback” request:

I received the target’s request in Burp Collaborator and finally got the Origin IP :)
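From the defender's side, the two exposures in this part of the story leave traces in the origin's own access log: POSTs to xmlrpc.php (the pingback endpoint that makes the server call out) and requests whose TCP peer is not a CDN edge, meaning the client already knows the origin address. The detector below is an added example, not the author's tooling; the sample log lines, the trailing cf_ip field (standing in for a logged CF-Connecting-IP header) and the edge allowlist are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines (combined format plus a custom trailing
# field carrying the CF-Connecting-IP header, "-" when absent). Not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Apr/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" cf_ip=203.0.113.9
198.51.100.7 - - [19/Apr/2023:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.28" cf_ip=203.0.113.9
192.0.2.55 - - [19/Apr/2023:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3310 "-" "curl/7.88" cf_ip=-
"""

# Placeholder edge allowlist (a documentation range). In production, load the
# provider's published ranges, e.g. https://www.cloudflare.com/ips-v4 .
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" cf_ip=(?P<cf_ip>\S+)$'
)

def from_cdn(src: str) -> bool:
    """True when the TCP peer is one of the CDN's edge addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CDN_RANGES)

def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            # Pingbacks are POSTed to xmlrpc.php; few public sites need XML-RPC.
            findings.append({"line": str(lineno), "rule": "xmlrpc-post",
                             "src": rec["src"], "ua": rec["ua"]})
        if not from_cdn(rec["src"]):
            # The client reached the origin directly, so the WAF at the edge
            # never saw this request.
            findings.append({"line": str(lineno), "rule": "direct-to-origin",
                             "src": rec["src"], "cf_ip": rec["cf_ip"]})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The lasting fix is to block POSTs to xmlrpc.php at the web server (or disable XML-RPC in WordPress) and to firewall the origin so only the CDN's published ranges can reach it; the detector then mainly confirms the firewall is doing its job.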

I ran an Nmap scan immediately:

nmap -p- -T4 {IP}

Honestly, before the Nmap scan, I just wanted to use the origin IP to bypass Cloudflare, but something way more interesting was waiting for Snoopy.

Result:

PORT      STATE SERVICE
53/tcp    open  domain
3031/tcp  open  eppc
8089/tcp  open  unknown
23847/tcp open  unknown
27017/tcp open  mongod

That “mongod” caught my eye. But I didn’t know anything about it, so I simply googled it:

I followed the “hacktricks” guide, and I got into the MongoDB server.

I’m in

I started looking into it and switching between DBs:

show dbs

I got so much information:

db.startup_log.find()

I switched to the DB “shop” and got all the other hackers’ emails and tokens:

OAuth state_code:

All hackers’ images:

Looking at the filenames of other hackers’ images is always fun (XSS and SQLi payloads, fuzzy stuff).

:)

At this point I was able to take over any account. So I wrote and sent the report right away.

Leaderboard and Bounty

The report was triaged as Critical/P1 along with the highest reputation.

Huge shout out to Voorivex and his wonderful team. Thanks for taking care of us.

Reach me at:

LinkedIn:

https://www.linkedin.com/in/ali-imani-2a896a266/

Twitter:

https://twitter.com/snoopy101101
