Do not leave your Radarr instance public

I thought I would not have to make this post, but here we are. I had recently bought a very nice seedbox and found out that it has SSH access and custom addons (Radarr, autodl-irssi, Jackett and so on).

That was handy. I started poking around and checked /etc/passwd to see how many users there were. There were many. Another important thing I noticed was that the addon (Radarr) URL was easily reconstructable. It followed this format: https://server/user/service.

This was the moment when I knew that ffuf would come in handy (I had found it in a CTF not too long ago). I started fuzzing through services: ffuf -w usernames.txt -u "https://madeuphost.com/FUZZ/radarr" -fs 381

I found a couple of Radarr instances. This was interesting. Then came the most startling part. SOMEONE HAD NOT SECURED THEIR RADARR INSTANCE WITH A PASSWORD. I immediately checked what movies the user had downloaded. Just two. Huh. Maybe this was not that interesting after all.
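The enumeration above, as an added example that is not code from the original post: it mirrors the workflow (usernames taken from /etc/passwd, one URL per user under the https://server/user/service layout, responses the same size as the "no such user" page dropped the way ffuf -fs 381 drops them, and the surviving hits sorted by whether they ask for a password). The host name, the sample passwd lines, the canned responses and the size 381 are constructed for the demo, and the reply shapes used for Radarr (a redirect to a login page or a 401 means a password is set, a plain 200 means open) are assumptions rather than observations from the post.

```python
"""Offline-runnable reconstruction of the seedbox user enumeration.

Added example, not the original post's code. Host name, passwd sample,
canned responses and the baseline size are constructed; the way a
protected Radarr answers (login redirect or 401) is an assumption.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes
    headers: Dict[str, str]


Fetcher = Callable[[str], Response]


def usernames_from_passwd(passwd_text: str, min_uid: int = 1000) -> List[str]:
    """Keep ordinary (non-system) accounts that have a real login shell."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if uid >= min_uid and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users


def candidate_url(base: str, user: str, service: str = "radarr") -> str:
    """Assumed seedbox layout: https://server/<user>/<service>/."""
    return f"{base.rstrip('/')}/{user}/{service}/"


def classify(resp: Response) -> str:
    """'auth-required', 'open' or 'other' for a response that passed the filter."""
    location = resp.headers.get("Location", "").lower()
    if resp.status in (401, 403):
        return "auth-required"
    if 300 <= resp.status < 400 and "login" in location:
        return "auth-required"
    if resp.status == 200:
        return "open"
    return "other"


def baseline_size(fetch: Fetcher, base: str) -> int:
    """Body size served for a user that cannot exist: the value ffuf -fs needs."""
    return len(fetch(candidate_url(base, "zz-no-such-user-zz")).body)


def scan(base: str, users: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Return {user: verdict} for every user whose page differs from baseline."""
    filter_size = baseline_size(fetch, base)
    verdicts = {}
    for user in users:
        resp = fetch(candidate_url(base, user))
        if len(resp.body) == filter_size:
            continue  # identical to the "no such user" page: drop, like ffuf -fs
        verdicts[user] = classify(resp)
    return verdicts


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses visible instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Real fetcher for live use; the offline demo below does not call it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return Response(r.status, r.read(), dict(r.headers))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read(), dict(e.headers))


# ---- constructed offline stand-ins (not real data) -------------------------
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "sshd:x:108:65534::/run/sshd:/usr/sbin/nologin",
    "alice:x:1001:1001::/home/alice:/bin/bash",
    "bob:x:1002:1002::/home/bob:/bin/bash",
    "carol:x:1003:1003::/home/carol:/bin/zsh",
    "dave:x:1004:1004::/home/dave:/bin/bash",
])
BASE = "https://madeuphost.example"


def demo_fetch(url: str) -> Response:
    """Canned responses: alice/bob protected, carol open, everyone else absent."""
    canned = {
        candidate_url(BASE, "alice"): Response(302, b"", {"Location": "/alice/radarr/login"}),
        candidate_url(BASE, "bob"): Response(401, b"Unauthorized", {"WWW-Authenticate": "Basic"}),
        candidate_url(BASE, "carol"): Response(200, b"<html><title>Radarr</title></html>", {}),
    }
    return canned.get(url, Response(404, b"x" * 381, {}))


if __name__ == "__main__":
    for user, verdict in scan(BASE, usernames_from_passwd(SAMPLE_PASSWD), demo_fetch).items():
        print(f"{user:8s} {verdict}")
```

Swap demo_fetch for http_fetch to run it against a host you are allowed to test; the redirect handler matters because following a login redirect would make a protected instance look like a 200.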

I continued my exploration though and found their Deluge client. With a little inspect-element trickeroo I got the password to their Deluge instance. Bang! I was in. I had access to the Deluge client. Now I could download torrents as them and play with their TorrentLeech passkey. As the icing on the cake, they used the same password on their seedbox SSH account…

TL;DR: Do not let your web services sit on the public internet without protection. Do not reuse the same password.

PS. I think Radarr should improve here and not reveal the download client password in HTML.