RCE on Unauthenticated Redis server

In this brief walk-through , we will be hacking a vulnerable database server by showcasing the res room in Tryhackme.

Enumeration

As always, spin up our machine instance and begin some enumeration. For speed and more accuracy, I perform a port scan using rustscan( an incredibly fast port scanning tool) and then do a default scripts and vuln scan using nmap as shown below

We get port 80 and 6379. Nmap does not gives us much info.

We have an exposed redis instance that we will look into and a web server running on port 80. Accessing this via browser we get a default apache page. Nothing interesing.

We can try bruteforcing for any important directories that may be worth looking into. Here I fired up dirsearch, another blazingly fast directory scanner. In other scenarios it’s good to also maximize accuracy by using additional tools like gobuster and dirbuster that may pick up interesting directories.

We don’t get anything interesting.

Exploitation

The article above came in handy in gaining RCE. I used redis-cli to interact with the instance. You can install redis-cli as shown below

We have unauthenticated access to the database instance.

According to the article, for us to achieve RCE on the server, we need to find the path to the web site folder. Remember our default apache page? Well that comes in handy here

The document root is highlighted /var/www/html. Now we change our directory to that folder and try uploading some files.

As a POC, we can try displaying phpinfo as shown above and accessing it on the browser.

Sweet :) This means we have remote code execution on this server. We can therefore proceed to getting a shell, escalating our privileges and gaining root access.

Remote Code Execution

To gain RCE. Create another file and append the following code to be able to execute code on a parameter.

We get RCE :)

Nice. Now lets get a reverse shell. From payloadallthethings we can get our python revshell, modify it and set up a netcat listener

Grab your shell :)

Stabilize the shell by backgrounding it using ctrl+z and then stty raw -echo;fg to resume.

Navigate directories to get your user.txt flag.

Privilege escalation

My approach for privesc before uploading linpeas or any enumerator is to first check for sudo rights the user has using sudo -l, then check for SUID bits set

xxd has suid bit set. And it owned by the root user. Head over to GTFObins and check through xxd.

Interesting, in this exploit, we can read sensitive info using the xxd binary like /etc/shadow file.

I read this file and grabbed the hash of the vianka user, since it was part of this challenge to get the user’s password

We can crack their password using john.

We get the password as beautiful1 We can do some horizontal privilege escalation to and execute commands as vianka.

Vianka has all sudo permission on the machine as shown by the command sudo -l

For the root flag

If you’ve made it this far, like , share and follow for more articles

Happy hacking :)

Just a hacker looking for fun