E044-Service vulnerability exploitation and reinforcement-Using redis unauthorized access vulnerability to escalate privileges

Task implementation:


Task environment description:

Server scenario: p9_kali-6 (username: root; password: toor)

Server scenario operating system: Kali Linux 192.168.32.123

Server scenario: p9_linux-6 (username: root; password: 123456)

Server scenario operating system: Linux 192.168.32.147

----------------------------------------

Experimental Level:

intermediate

Task scenario:

【Task Scenario】

Panshi Company invited penetration testers to carry out a penetration test of the company's intranet. Through the negligence of the enterprise network administrator, and in order to make management easier, a Redis server with no access authorization was used directly as the backend data server. Xiao Wang informed the administrator of the situation. This lab also reproduces the hacker attack scenario and introduces some common attack methods and security knowledge.

Task analysis:

【Task Analysis】

Improper configuration of Redis can lead to unauthorized access that attackers then exploit. A currently popular attack method targets exactly this unauthorized access to Redis: under certain conditions, if Redis is running as root, an attacker can write an SSH public key file into the root account and log in to the victim server directly over SSH, so that the server's privileges are compromised. Data can then be obtained, deleted, leaked, or encrypted and held for ransom, seriously endangering normal business services.

Preliminary knowledge:

【Preliminary knowledge】

Redis is an open source, log-structured Key-Value database written in ANSI C. It supports networking and can be memory-based as well as persistent. It is similar to Memcached but supports more value types: string, list (linked list), set, zset (sorted set) and hash. These data types support push/pop, add/remove, intersection, union, difference and richer operations, and all of these operations are atomic. On top of this, Redis supports various kinds of sorting. Like Memcached, data is cached in memory for efficiency. The difference is that Redis periodically writes updated data to disk, or writes each modification operation to an append-only record file, and on that basis implements master-slave synchronization.

On some servers Redis is bound to 0.0.0.0:6379 and authentication is not enabled (this is the default configuration of Redis), so the port can be reached directly from the public network. If no countermeasures are taken, such as adding firewall rules that block access from untrusted source IPs, the Redis service is exposed directly to the public network, and other users may access it and perform operations on it without any authorization.

Related knowledge about Redis

1. Redis data type:

Strings, lists, sets, sorted sets, hash tables

2. Unique features of Redis compared with memcache:

(1) Redis can be used for storage, while Memcached is used for caching. This difference is mainly due to Redis's "persistence" feature.

(2) The stored data has "structure". Memcached stores only one type of data, the string, while Redis can store strings, linked lists, sets, sorted sets and hash structures.

3. Two methods of persistence:

Redis stores data in memory or is configured to use virtual memory.

Two ways to achieve data persistence:

(1) Use snapshots to write the data in memory to disk at intervals (high performance, but a certain amount of data may be lost)

(2) Use a method similar to MySQL's and log every update operation

4. Redis master-slave synchronization: very beneficial for improving read performance

5. The default port of the Redis server is 6379

----------------------------------------

Network topology

----------------------------------------

Reproduction in actual combat

Before starting the experiment, first run the command iptables -F on the target machine to flush all iptables chains, then run service iptables save to save the change to the current firewall rules. Then return to the penetration machine and run nmap -n -A -p 6379 --script redis-info 172.16.1.6 to scan the server's port information with nmap. Port 6379 is the port used by Redis by default.

Target machine operation:
iptables -F
service iptables save

Back on the penetration machine:
nmap -n -A -p 6379 --script redis-info 192.168.32.147

----------------------------------------

On the penetration machine:

The scan shows that the Redis service is not running on the target server yet, so we go to the target machine and start the service.

----------------------------------------

On the target machine, edit /usr/local/redis/etc/redis.conf: on line 69 change the bind address to 0.0.0.0, on line 88 change protected-mode yes to no, and finally on line 507 add a # in front of requirepass admin so that the password requirement is commented out.

vi /usr/local/redis/etc/redis.conf

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Tips:
What if there is too much content in the source file after opening it? Don't worry, the vim editor has its own search function.
After entering the vim editor you are in normal (read-only) mode by default. Press the i or o key to enter editing mode.
In normal mode, type "/" followed by the string to search for, then press Enter to search.
See the example below:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Then start the Redis server with the command /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf

/usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
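The three edits above (bind 0.0.0.0, protected-mode no, requirepass commented out) are exactly what an administrator should look for when reinforcing a Redis host. The following is an added example, not part of the lab material or of Redis itself: it parses a redis.conf, reports those weak settings, and emits a hardened equivalent. The sample configuration, the `CHANGE-ME` password placeholder and the helper names are constructed here; `rename-command CONFIG ""` is a standard Redis directive included as an extra hardening step.

```python
"""Audit a redis.conf for the settings the lab deliberately weakens and
emit a hardened version.  Added example; not the lab's own code."""


# Constructed sample reproducing the lab's edits (bind, protected-mode,
# commented-out requirepass).  Not the real /usr/local/redis/etc/redis.conf.
VULNERABLE_CONF = """\
# bind 127.0.0.1
bind 0.0.0.0
port 6379
protected-mode no
# requirepass admin
dir /usr/local/redis
"""


def parse_conf(text):
    """Return {directive: value} for active lines; comments and blanks are
    skipped, and the last active occurrence of a directive is kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(text):
    """Return a list of findings; an empty list means none of the
    lab's three weaknesses is present."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind")
    # With no bind line Redis listens on every interface, so unset is
    # treated the same as 0.0.0.0 / *.
    if bind is None or any(a in ("0.0.0.0", "*") for a in bind.split()):
        findings.append("bind: listens on all interfaces; restrict to "
                        "127.0.0.1 or a trusted internal address")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: clients on other hosts may "
                        "connect without authentication")
    if not conf.get("requirepass"):
        findings.append("requirepass: no password set; anyone who reaches "
                        "port 6379 has full access")
    return findings


def harden(text, password, bind_addr="127.0.0.1"):
    """Rewrite the weakened directives.  `password` must be replaced by the
    administrator with a real secret; the default is only a placeholder."""
    conf = parse_conf(text)
    conf["bind"] = bind_addr
    conf["protected-mode"] = "yes"
    conf["requirepass"] = password
    # Commonly recommended extra: hide CONFIG from remote clients so that
    # runtime settings cannot be changed over the network.
    conf["rename-command"] = 'CONFIG ""'
    return "\n".join(f"{k} {v}".rstrip() for k, v in conf.items()) + "\n"


if __name__ == "__main__":
    for finding in audit(VULNERABLE_CONF):
        print("WEAK:", finding)
    hardened = harden(VULNERABLE_CONF, "CHANGE-ME")
    print("--- hardened redis.conf ---")
    print(hardened)
    print("remaining findings:", audit(hardened))
```

Running the script against the constructed sample reports all three weaknesses, and auditing the hardened output reports none; the same functions can be pointed at a real redis.conf by reading the file into `audit()`.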

----------------------------------------

Back on the penetration machine, run the nmap port scan again:

The IP of the target machine fluctuates a little here, but that is not a problem:

The nmap scan shows that port 6379 of the target machine is now open to everyone. A local Redis client can connect remotely to the target server and read sensitive Redis data. (Redis is reachable from the network when it is bound to an external interface: the default configuration is bind 127.0.0.1, which allows only local access, but if another network interface address is configured, access over the network is possible. The default configuration has an empty password, and the port is 6379.)

When the experiment is over, shut down the virtual machine.