Bypassing Cloudflare - Attack-Secure Challenge Writeup!
A few days back we set up a small and interesting challenge for RHA readers. The main goal of the challenge was to find the hosting provider and the real IP address of attack-secure.com. Since attack-secure.com is running Cloudflare, which acts as a reverse proxy, the nameservers and the target IP address are replaced with Cloudflare's whenever you try to communicate with the server. So let's talk about some of the ways this challenge could be solved; we are disclosing some of the methods that could have been used.
Bypassing Cloudflare - Method 1
The first method involves using a website that maintains records of websites using Cloudflare; it contains a list of around 381,314 domains that have recently shifted to Cloudflare, and they are actively testing it. The website is called cloudflare-watch.org. The guys at CloudFlare Watch believe that Cloudflare was started for the purpose of helping bad guys such as hackers, DDoSers and copyright pirates. Here is what they write on their homepage:
"CloudFlare is a venture-funded startup that routes around Internet abuse by acting as a reverse proxy. They also encourage illegality by allowing hackers, DDoSers, cyberbullies, and copyright pirates to hide behind their servers."
All you need to do is go to the URL below, type your domain name and click on search:
A direct-connect IP was found in the database; if you compare this IP address with the IP address we get when we ping the website, it's different.
Bypassing Cloudflare - Method 2
The second method is one of the best, especially for figuring out the real IP of forums that are using Cloudflare. The idea behind this method is to register on a forum, or anywhere else that allows registrations, and inspect the headers of the email the site sends you: since Cloudflare does not handle MX records, mail leaves directly from the origin server, so its real IP can show up in the email headers. One of our winners has sent us a video on how he utilized this method to solve the challenge:
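For site owners who want to check whether their own registration or notification mail gives away the origin the way this method relies on, here is an added self-audit script (example code written for this writeup, not part of the original post or of any tool it mentions). It parses the Received: chain of a raw message, classifies every bracketed hop as internal, Cloudflare or direct, and reports any public non-Cloudflare address the mail path exposes. The Cloudflare ranges and the sample message are assumptions constructed for the example; a real audit should load the current list Cloudflare publishes and feed in a message your own site actually sent.

```python
"""Self-audit: does mail sent by a Cloudflare-fronted site expose the origin server's IP?"""
import email
import ipaddress
import re

# Assumption: a small sample of Cloudflare's published IPv4 ranges, hard-coded so the
# example runs offline. Replace with the full, current list for a real audit.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
)]

# Hops that never identify a public origin: loopback, RFC 1918 and link-local space.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]

# MTAs record the connecting client as "hostname [a.b.c.d]" inside Received: headers.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_ranges(ip, ranges):
    """True if the dotted-quad string falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def is_cloudflare(ip):
    return in_ranges(ip, CLOUDFLARE_RANGES)


def classify_ip(ip):
    """'internal' (private/loopback), 'cloudflare' (proxied edge) or 'direct' (real host)."""
    if in_ranges(ip, INTERNAL_RANGES):
        return "internal"
    if is_cloudflare(ip):
        return "cloudflare"
    return "direct"


def received_ips(raw_message):
    """Bracketed IPv4 addresses from every Received: header, most recent hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        for candidate in BRACKETED_IP.findall(value):
            try:
                ipaddress.ip_address(candidate)  # skip things like 999.1.1.1
            except ValueError:
                continue
            ips.append(candidate)
    return ips


def leaked_origin_ips(raw_message):
    """Public, non-Cloudflare addresses the mail path exposes, deduplicated in order."""
    seen = []
    for ip in received_ips(raw_message):
        if classify_ip(ip) == "direct" and ip not in seen:
            seen.append(ip)
    return seen


def audit(raw_message, proxied_ip):
    """Compare the IP the web side resolves to with what the mail headers give away."""
    exposed = leaked_origin_ips(raw_message)
    fronted = is_cloudflare(proxied_ip)
    return {
        "web_ip_is_cloudflare": fronted,
        "exposed_ips": exposed,
        "leaks": fronted and bool(exposed),
    }


# Constructed sample: a forum welcome mail as received by the user. The hostnames use
# the reserved .invalid TLD and the origin address is a documentation-range IP.
SAMPLE_MESSAGE = """Received: from mail.example.invalid (mail.example.invalid [203.0.113.10])
    by mx.recipient.invalid (Postfix) with ESMTPS id ABC123
    for <user@recipient.invalid>; Mon, 01 Jan 2013 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.example.invalid (Postfix) with ESMTP id DEF456;
    Mon, 01 Jan 2013 09:59:59 +0000
From: forum@example.invalid
To: user@recipient.invalid
Subject: Welcome to the forum

Thanks for registering.
"""

if __name__ == "__main__":
    # "104.16.1.1" stands in for the address the website itself resolves to (assumed).
    print(audit(SAMPLE_MESSAGE, "104.16.1.1"))
```

If `leaks` comes back true, the web front end is proxied but the mail path still names a direct address; the usual remedy is to relay outbound mail through a host that is not the origin, or through a third-party mail service, so the Received: chain never mentions the web server.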
We received hundreds of submissions, and most people were sending the Cloudflare IP instead of the real one. We would like to congratulate the following people for solving our challenge:
1) Haider Qureshi (Solved first) (Utilized the second method)
2) Aamir Rehman (Utilized the second method)
There are of course other methods, such as resolving the real IP via subdomains and via MX records. We might talk about them in upcoming articles.