Machine information
| Name | Ready |
|---|---|
| OS | Linux |
| Author | d4t4s3c |
| Difficulty | Easy |
| Site | vulnyx |
Enumeration

Checking the web pages:


Both are Apache default pages. Let's enumerate with gobuster just to be sure. While the scans run, let's check what Redis is:

Apparently, we are dealing with a database. Let's check how we can log in with the `redis-cli` command:

Let's try to log in without a username:

We are logged in! Let's search for the common Redis commands:

Before that, we run an nmap enumeration command to see what more info we can find (it seems there are no databases on this server…):

We found nothing of interest in the web pages.

I find this excerpt on the HackTricks page:

And in Redis, I find the following directories:

Let’s try doing those steps using the directory `/root/.ssh`.

We export the key to the Redis server and follow the steps above:

Initial access and privilege escalation
We try to log in to the SSH session:

And we have root! We install unzip on this machine to extract the contents of the zip:

It has a password… Let's crack it.
We set up a simple HTTP server on the target machine with the following command: `python3 -m http.server -b <TARGET-MACHINE-IP> <PORT>`
We download the file to our machine with `wget <TARGET-MACHINE-IP>:<PORT>/root.zip`

Now we use zip2john to write the hash of the zip to a file and then crack it:

We extract the contents of the file:

We find the root flag. Now we move on to the user flag:

With this, we have pwned the machine.
What I learned from this machine
- Privesc with Redis
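
The login without credentials and the use of `/root/.ssh` described above both depend on how the Redis server is configured. As an added example (not part of the original writeup), this Python script audits a `redis.conf` text for the settings that leave that path open; the sample configs and finding names are constructed, and ACL files are not inspected.

```python
import shlex

# Constructed sample configs, not taken from the machine in the writeup.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf.setdefault(name.lower(), []).append(args)
    return conf

def audit(text):
    """Return finding ids; assumes a later line overrides an earlier one."""
    conf = parse_conf(text)
    def first_arg(name, default):
        args = conf[name][-1] if name in conf else []
        return args[0] if args else default
    addrs = [a.lstrip("-") for a in conf.get("bind", [[]])[-1]]
    remote = not addrs or any(a not in LOOPBACK for a in addrs)  # no bind = all interfaces
    has_password = bool(first_arg("requirepass", ""))
    protected = first_arg("protected-mode", "yes").lower() == "yes"
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    findings = []
    if not has_password:
        findings.append("no-requirepass")
        if remote and not protected:
            # Anyone who can reach the port gets a session without credentials.
            findings.append("unauthenticated-remote-access")
    if "CONFIG" not in renamed:
        # CONFIG lets a connected client change server settings at runtime.
        findings.append("config-command-exposed")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF), "hardened:", audit(HARDENED_CONF))
```

The account the service runs as matters too: a write into `/root/.ssh` only succeeds when the `redis-server` process runs as root, and that is set in the service definition rather than in `redis.conf`.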

