6379 - Pentesting redis
Redis can execute Lua scripts (in a sandbox, more on that later) via the “EVAL” command. The sandbox allows the dofile() command (WHY???). It can be used to enumerate files and directories. No specific privilege is needed by Redis… If the Lua script is syntaxically invalid or attempts to set global variables, the error messages will leak some content of the target file.
access file on server
obtaining the NTLMv2 Hash / User’s password
Now that we know that we can access files on the server, we can try to do some more advanced stuff. We could try to access a remote share. This would leak the NTLM hash of the user as he/she tries to authenticate himself/herself. If this remote share is on our machine, we could attempt to log the access and thus get access to the hash.
For that, we first set up a listener using Impacket's Responder.py.
Then, we use the redis eval technique to access the exposed share.
Crack NTLMv2 hash
4.X / 5.X