The Leaked List Writeup


Red Racks, a hacker group, has released a web application that helps in checking whether a website is hacked by them or not. Are you smart enough to hack the hackers?


The application gives two input forms, one for project name and one for URL.

[Image: leaked-list 1]

Anything other than the exact payload results in a server error. If we inspect the page elements, we can see a string.

[Image: leaked-list 2]

This hints that the application uses Redis, and that the Redis password is hard-coded there.

The challenge is a plain SSRF, so we need to craft a URL that carries Redis commands using the gopher protocol.

The payload is:

[Image: leaked-list 3]
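
From the defender's side, the missing control is validation of the user-supplied URL before the server fetches it. The following is an added example, not code from the challenge or the original writeup; `check_url`, the allow-lists and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: the checker only ever needs to reach public web servers.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def check_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # rejects gopher://, file://, dict:// ...
        return False, "scheme not allowed: %r" % scheme
    if not parts.hostname:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except OSError:
        return False, "host does not resolve"
    # Every resolved address must be public: blocks loopback, RFC 1918,
    # link-local and other internal ranges where a Redis instance may listen.
    for info in infos:
        addr = ipaddress.ip_address(info[4][0].split("%")[0])
        if not addr.is_global:
            return False, "non-public address: %s" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the gopher URL carries no commands.
    for sample in ("gopher://127.0.0.1:6379/_",
                   "http://127.0.0.1:6379/",
                   "http://127.0.0.1/",
                   "https://93.184.216.34/"):
        print(sample, "->", check_url(sample))
```

The fetcher must then connect to the address that was validated and refuse redirects; otherwise a redirect or a second DNS lookup sidesteps the check.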

Manieendar Mohan
Security Engineer

