Offensive Security Proving Grounds Walk Through “Sybaris”

Vivek Kumar
3 min read · Apr 24, 2022


Initial Foothold:

Beginning the initial nmap enumeration.

Running default nmap scripts.

Anonymous login is allowed on the FTP server, but I cannot see the directory listing. I quickly tried brute-forcing some default FTP credentials and found matches.

There is nothing in the shared folder. Maybe we can use it to upload contents later on. Moving on to enumerating the web service on port 80.

Robots.txt contains many entries.

Nothing useful here.

Moving on to the Redis service. There is a remote code execution exploit for Redis 5.x. We can either run that or do it manually. I’ll do it manually.

We can load modules into Redis. Refer: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis. Clone this repository and build the module.so file, which lets us execute bash commands.

Once the build is complete, upload the module.so file to the FTP server.

Now use redis-client to import the module, assuming the shared FTP folder is at the default location, and it works.

We can use this to get a reverse shell.
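
From the defender's side, the module load above only works because Redis answers unauthenticated network clients and still exposes the MODULE command. The following added example (not part of the original walkthrough) audits a redis.conf for those settings using the directives available in Redis 5.x; both sample configs are constructed, and the weak one is an assumption about how such a target would be configured.

```python
import ipaddress

# Constructed sample: a config that allows unauthenticated remote access (assumed).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
# Constructed sample: the same instance hardened (password is a placeholder).
HARDENED_CONF = (
    "bind 127.0.0.1 ::1\n"
    "protected-mode yes\n"
    'requirepass "constructed-placeholder-secret"\n'
    'rename-command MODULE ""\n'
)

def parse(conf_text):
    """Map each redis.conf directive to the list of its argument lists."""
    directives = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:  # "*", "::*" or a hostname: treat as exposed
        return False

def audit(conf_text):
    """Return findings that leave MODULE LOAD reachable from the network."""
    d = parse(conf_text)
    findings = []
    addrs = [a for args in d.get("bind", []) for a in args]
    # Without a bind directive Redis listens on every interface.
    if not addrs or not all(is_loopback(a) for a in addrs):
        findings.append("bind: listens on a non-loopback interface")
    mode = d.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode: disabled")
    secret = "".join(d.get("requirepass", [[]])[-1]).strip("\"'")
    if not secret:
        findings.append("requirepass: no password set")
    renamed = {args[0].upper() for args in d.get("rename-command", []) if args}
    if "MODULE" not in renamed:
        findings.append("rename-command: MODULE callable under its default name")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

A clean result here does not cover the other half of the chain: the FTP share that accepted default credentials and let a file be placed where Redis could read it.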

Privilege Escalation:

Running linpeas on the target machine, we see it’s vulnerable to CVE-2021-4034.

Downloading the exploit from https://github.com/joeammond/CVE-2021-4034, transferring it to the target machine and executing it.

And we have root access.


Vivek Kumar

OSCP | Comptia N+, Sec+ | SailPoint IDNow Professional | SailPoint IIQ Professional | AWS Security Specialty certified security enthusiast