InfoSec LAB

Postman_Bash_History_redis

Created: 2 min read

Bash History

After performing some basic enumeration, I discovered that the .bash_history file of the redis account is populated

redis@postman:~$ cat .bash_history
exit
su Matt
pwd
nano scan.py
python scan.py
nano scan.py
clear
nano scan.py
clear
python scan.py
exit
exit
cat /etc/ssh/sshd_config 
su Matt
clear
cd /var/lib/redis
su Matt
exit
cat id_rsa.bak 
ls -la
exit
cat id_rsa.bak 
exit
ls -la
crontab -l
systemctl enable redis-server
redis-server
ifconfig
netstat -a
netstat -a
netstat -a
netstat -a
netstat -a > txt
exit
crontab -l
cd ~/
ls
nano 6379
exit

The command history tells some interesting facts;

  • presence of the scan.py file
  • switching to the Matt user
  • cronjob
  • the redis-server service

This rather appears to be a rabbit-hole, but it’s never a bad idea to double-check

scan.py

redis@Postman:~$ find / -name scan.py -ls -type f 2>/dev/null

Interestingly, there is no such file as scan.py

redis.service

redis@postman:~$ ll /etc/systemd/system/redis.service
0 lrwxrwxrwx 1 root root 40 Oct 25  2019 /etc/systemd/system/redis.service -> /lib/systemd/system/redis-server.service
 
redis@postman:~$ cat /etc/systemd/system/redis.service
[Unit]
Description=Advanced key-value store
After=network.target
documentation=http://redis.io/documentation, man:redis-server(1)
 
[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/bin/kill -s TERM $MAINPID
PIDFile=/var/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755
 
UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
#ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/var/run/redis
 
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 
# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis
 
[Install]
WantedBy=multi-user.target
Alias=redis.service

The redis.service service doesn’t seem to contain any credential

Interactive Graph View

Backlinks