Wombo is an intermediate Linux CTF challenge from Offensive Security’s Proving Grounds Practice series of vulnerable machines, and it features a Redis RCE exploit.
Started the box off with a port scan, skipping host enumeration.
Further enumerated the open ports with the -sC and -sV options in Nmap.
Decided to start by researching the OpenSSH version and the Debian version running on the box.
Found a CVE for OpenSSH, but decided to come back to it later if the other ports didn’t yield anything.
Found that the installed nginx version has a CVE and decided to look further into it…
Found a GitHub repository with PoC code.
Downloaded the code and ran it, but which DNS server to use was unclear in this context: since this is a hosted machine I assumed it would be the default gateway, but that was not the case… moving on!
Redis is open on port 6379, so I researched how to further enumerate this service.
Netcat is so versatile, and it shows more information about this box (the Nmap scan already showed the Redis version, but this is still a great manual technique to know).
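The netcat trick works because Redis speaks a plain-text protocol (RESP): you type a command, the server answers, and Nmap’s redis-info script (run by -sC) sends the same INFO command under the hood. As an added example that is not part of the original write-up or of the exploit repositories it references, the Python module below encodes that request the way redis-cli would, parses the reply types Redis returns, and classifies what an unauthenticated INFO reply reveals, so a defender can check their own hosts for the exposure that made this box enumerable. The sample replies (and the version string inside them) are constructed, not taken from the challenge machine; probe() opens a live connection only when called explicitly.

```python
"""RESP helpers for auditing a Redis instance you are responsible for.

Added example: not code from the write-up or from the tools it mentions.
Every reply used below is a constructed sample, not output from the box.
"""
import socket
import sys
from typing import List, Tuple, Union


class RedisError(Exception):
    """A RESP error reply (leading '-'), returned as a value rather than raised."""


Reply = Union[str, int, bytes, None, RedisError, List["Reply"]]


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, e.g. INFO server."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(buf: bytes) -> Tuple[Reply, bytes]:
    """Parse one complete RESP reply; return (value, unconsumed bytes)."""
    prefix = buf[:1]
    line, _, rest = buf[1:].partition(b"\r\n")
    if prefix == b"+":                      # simple string, e.g. +PONG
        return line.decode(), rest
    if prefix == b"-":                      # error, e.g. -NOAUTH Authentication required.
        return RedisError(line.decode()), rest
    if prefix == b":":                      # integer
        return int(line), rest
    if prefix == b"$":                      # bulk string; $-1 is a null reply
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n], rest[n + 2:]       # +2 skips the trailing CRLF
    if prefix == b"*":                      # array of nested replies
        items: List[Reply] = []
        for _ in range(max(int(line), 0)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type byte {prefix!r}")


def info_fields(body: bytes) -> dict:
    """Turn an INFO body (key:value lines, '#' section headers) into a dict."""
    fields = {}
    for raw in body.decode().splitlines():
        if raw and not raw.startswith("#"):
            key, _, value = raw.partition(":")
            fields[key] = value
    return fields


def assess_exposure(reply: bytes) -> dict:
    """Classify the reply to an unauthenticated 'INFO server'.

    -NOAUTH means requirepass is set and the version stays hidden. A bulk
    string means anyone who can reach the port learns the exact version and
    platform, which is what the manual netcat probe recovered on this box.
    """
    value, _ = parse_reply(reply)
    if isinstance(value, RedisError):
        return {"exposed": False, "auth_required": str(value).startswith("NOAUTH"),
                "version": None, "os": None}
    if isinstance(value, bytes):
        fields = info_fields(value)
        return {"exposed": True, "auth_required": False,
                "version": fields.get("redis_version"), "os": fields.get("os")}
    raise ValueError(f"unexpected INFO reply: {value!r}")


def _complete(buf: bytes) -> bool:
    """True once buf holds the whole single reply INFO produces."""
    if not buf.endswith(b"\r\n"):
        return False
    if buf[:1] != b"$":
        return True
    line, _, rest = buf[1:].partition(b"\r\n")
    n = int(line)
    return n < 0 or len(rest) >= n + 2


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Send INFO server to a Redis port on a host you own and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO", "server"))
        buf = b""
        while not _complete(buf):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return assess_exposure(buf)


# Constructed samples (placeholder version string; nothing from the real box).
_INFO_BODY = (b"# Server\r\nredis_version:0.0.0-example\r\n"
              b"os:Linux 0.0 example\r\ntcp_port:6379\r\n")
SAMPLE_OPEN = b"$%d\r\n%s\r\n" % (len(_INFO_BODY), _INFO_BODY)
SAMPLE_NOAUTH = b"-NOAUTH Authentication required.\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # live check: python resp_audit.py <host>
        print(probe(sys.argv[1]))
    else:
        print(assess_exposure(SAMPLE_OPEN))
        print(assess_exposure(SAMPLE_NOAUTH))
```

Running the module without arguments walks the two constructed replies; with a hostname it performs the live INFO probe and returns the same dictionary, so the output can be fed straight into an inventory of Redis instances that still answer without authentication.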
Found a promising RCE for the vulnerable Redis service.
… but no dice…
This repository references another that makes use of this vulnerability.
Looks good… let’s give it a go.
Copied the code and looked to see how the exploit is used.
Let’s go for the reverse shell option with a netcat listener open…
…and that didn’t work.
So let’s opt for the interactive option for this exploit?
Got root?
Found the proof.txt in the ‘root/’ directory.