
RCE on Unauthenticated Redis server

·3 mins

image

In this brief walk-through, we will be hacking a vulnerable database server by working through the Res room on TryHackMe.

Enumeration #

As always, spin up the machine instance and begin some enumeration. For speed and accuracy, I first run a port scan with rustscan (an incredibly fast port scanner) and then run nmap against the discovered ports with the default scripts and the vuln script category, as shown below.

rustscan -a <IP>
nmap -sC -sV --script=vuln -p 80,6379 <IP>

image

We get ports 80 and 6379. Nmap does not give us much info.

We have an exposed Redis instance that we will look into, and a web server running on port 80. Accessing it via the browser we get the default Apache page. Nothing interesting.

image

We can try brute-forcing for any important directories that may be worth looking into. Here I fired up dirsearch, another blazingly fast directory scanner. In other scenarios it is good to maximize coverage by also using tools like gobuster and dirbuster, which may pick up directories that one wordlist misses.

python3 dirsearch.py -u <IP> -e "*"

We don’t get anything interesting.

image

Exploitation #

6379 - Pentesting Redis

The article above came in handy in gaining RCE. I used redis-cli to interact with the instance. You can install redis-cli as shown below.

sudo apt-get install redis-tools

We have unauthenticated access to the database instance.

image

According to the article, to achieve RCE on the server we need to find the path to the web root. Remember our default Apache page? Well, that comes in handy here.

image

The document root, /var/www/html, is highlighted. Now we point Redis at that folder as its working directory and try writing some files into it.

image

As a PoC, we can write a file that calls phpinfo(), as shown above, and access it in the browser.

image

Sweet :) This means we have remote code execution on this server. We can therefore proceed to get a shell, escalate our privileges, and gain root access.
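The whole chain above works only because the Redis instance accepts unauthenticated connections and still answers CONFIG and SAVE under their default names. As an added example (not code from the original post or from TryHackMe), the script below audits a redis.conf for exactly those settings. The two configuration texts are constructed samples: one resembles the exposed instance in the room, the other is the same instance locked down.

```python
"""Audit a redis.conf for the settings that make the Res room's Redis chain possible.

Added example, not part of the original post. It checks the directives a defender
wants set on any network-reachable Redis: bind, protected-mode, requirepass, and
whether CONFIG / SAVE / DEBUG have been renamed away from their default names.
"""
from typing import Dict, List

# Commands the walkthrough relied on: CONFIG SET dir/dbfilename, then SAVE to write the file.
DANGEROUS_COMMANDS = ("CONFIG", "SAVE", "DEBUG")

# Constructed sample: the kind of config behind an exposed, unauthenticated instance.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same instance hardened (placeholder password, not a real secret).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to a list of argument lists, keeping repeats (rename-command appears many times)."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing risky was found."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    pm = conf.get("protected-mode", [["yes"]])[-1]
    protected_off = bool(pm) and pm[0].lower() == "no"
    if protected_off:
        findings.append("protected-mode: disabled")

    # An explicit wildcard bind exposes the port; with no bind directive at all,
    # older Redis versions listen everywhere, so only protected-mode stands in the way.
    bind = conf.get("bind", [None])[-1]
    wildcard = bind is not None and any(a in ("0.0.0.0", "*", "::", "-::*") for a in bind)
    if wildcard or (bind is None and protected_off):
        findings.append("bind: reachable on all interfaces")

    if "requirepass" not in conf or not conf["requirepass"][-1]:
        findings.append("requirepass: no password set (unauthenticated access)")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

On Redis 6 and later, ACL rules are the preferred way to restrict CONFIG and SAVE per user, but rename-command still works and is what older deployments rely on; the parser treats the directive's repeated lines as a set so both styles of renaming are picked up.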

Remote Code Execution #

To gain RCE, create another file and append the following code so that whatever is passed in a request parameter is executed as a command.

image

We get RCE :)

image

Nice. Now let's get a reverse shell. From PayloadsAllTheThings we can grab a Python reverse shell, modify it with our IP and port, and set up a netcat listener.

image

Grab your shell :)

image

Stabilize the shell by backgrounding it with Ctrl+Z and then running stty raw -echo; fg to resume it.

Navigate directories to get your user.txt flag.

Privilege escalation #

My approach to privesc, before uploading linpeas or any other enumerator, is to first check which sudo rights the user has with sudo -l, then check for binaries with the SUID bit set.

image

xxd has the SUID bit set and is owned by root. Head over to GTFOBins and look up xxd.

Interesting: with this technique, the xxd binary lets us read sensitive files such as /etc/shadow.

LFILE=file_to_read
xxd "$LFILE" | xxd -r
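The privesc path here exists only because a general-purpose tool like xxd was given the SUID bit. As an added example (not from the original post), the script below does the defender's version of the same check: it collects SUID files and flags any SUID-root binary that is not on an assumed baseline of binaries expected to carry the bit on a Debian/Ubuntu-style host. The SAMPLE_ENTRIES list is a constructed stand-in for a real scan so the logic can be exercised offline; scan_suid() walks a real filesystem.

```python
"""Flag SUID-root binaries that are not on a known baseline.

Added example, not part of the original post. A periodic audit like this catches
the drift that let xxd become a root file-read primitive in the room.
"""
import os
import stat
from typing import Iterable, List, Set, Tuple

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)

# Assumed baseline: binaries that are expected to be SUID root on a typical Debian/Ubuntu host.
BASELINE_SUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
}

# Constructed sample resembling the room's host: xxd is SUID root, which the baseline does not expect.
SAMPLE_ENTRIES: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/xxd", 0o104755, 0),
    ("/usr/bin/ls", 0o100755, 0),      # no SUID bit
    ("/opt/helper", 0o104755, 1000),   # SUID, but not root-owned
]


def scan_suid(root: str = "/") -> List[Entry]:
    """Walk the filesystem and return every regular file with the SUID bit set."""
    found: List[Entry] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_mode, st.st_uid))
    return found


def unexpected_suid_root(entries: Iterable[Entry], baseline: Set[str] = BASELINE_SUID) -> List[str]:
    """Return sorted paths that are SUID, owned by root (uid 0) and absent from the baseline."""
    return sorted(
        path for path, mode, uid in entries
        if mode & stat.S_ISUID and uid == 0 and path not in baseline
    )


if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for scan_suid("/") to audit the host you are on.
    for path in unexpected_suid_root(SAMPLE_ENTRIES):
        print("unexpected SUID-root binary:", path)
```

The baseline is deliberately a plain set so it can be replaced with the package manager's own list (for example the output of dpkg-statoverride or a golden-image inventory); anything not on it, like the xxd here, is what a change-management or hardening review should be chasing.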

image

I read this file and grabbed the hash of the vianka user, since recovering that user's password was part of this challenge.

image

We can crack the password using john.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

image

We get the password: beautiful1. We can now move laterally and execute commands as vianka.

image

vianka has full sudo permissions on the machine, as shown by sudo -l.

For the root flag:

image

If you've made it this far, like, share and follow for more articles.

Happy hacking :)