OSCP Practice Lack of Authentication (Redis)
Summary
During initial enumeration of this machine, Redis was found listening on TCP port 6379 with no authentication configured, and the redis-server process was running as root. An unauthenticated Redis instance lets any client change the server's configuration and write files to disk, so combined with root privileges this allows an easy, full compromise of the system.
Recommendations
Redis supports a shared password (requirepass) and, since Redis 6, ACL users that each have their own password and command permissions. One of these should be enabled, and the instance should be bound to localhost or an internal interface rather than to every address.
The process should also not run as root; a dedicated low-privilege redis user should own the process, so that a file write through Redis cannot land in root's home directory or the web root.
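To make the recommendations concrete, the following added script (not part of the original writeup) audits a redis.conf for the settings that were weak on this box and shows a constructed weak config beside a constructed hardened one. The sample configs, the placeholder passwords, the ACL user name "app" and the check for the process owner via procps' ps -C are all assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the original writeup: audit a redis.conf for the
# weaknesses this box had (no auth, exposed on the network, CONFIG reachable),
# with a constructed weak config beside a constructed hardened one.
# The password values in the hardened sample are placeholders.

# audit_redis_conf FILE
# Prints one FAIL line per weak setting; returns 0 if none found, 1 otherwise.
# Limitation: users defined in an external "aclfile" are not followed, and a
# '#' inside a password value would be treated as a comment.
audit_redis_conf() {
    conf="$1"
    weak=0
    # Drop comments and blank lines so a commented-out requirepass does not count.
    live=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # Authentication: a requirepass value or an ACL user with a ">password" field.
    if ! printf '%s\n' "$live" | grep -Eq '^[[:space:]]*(requirepass[[:space:]]+[^[:space:]]+|user[[:space:]]+.*>[^[:space:]]+)'; then
        echo "FAIL: no requirepass and no ACL user with a password (anyone can run INFO and CONFIG)"
        weak=1
    fi

    # Exposure: no bind line means all interfaces; 0.0.0.0, * and :: mean the same.
    bindline=$(printf '%s\n' "$live" | grep -E '^[[:space:]]*bind[[:space:]]' | head -n 1)
    if [ -z "$bindline" ] || printf '%s\n' "$bindline" | grep -Eq '0\.0\.0\.0|\*|(^|[[:space:]])::([[:space:]]|$)'; then
        echo "FAIL: Redis listens on every interface (${bindline:-no bind directive})"
        weak=1
    fi

    # protected-mode is the last guard for a passwordless instance; "no" removes it.
    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no'; then
        echo "FAIL: protected-mode is disabled"
        weak=1
    fi

    # CONFIG SET dir/dbfilename is what turns Redis into a file writer; rename it
    # away or keep it out of the ACL (-@dangerous covers CONFIG, MODULE, SLAVEOF).
    if ! printf '%s\n' "$live" | grep -Eq '^[[:space:]]*(rename-command[[:space:]]+CONFIG[[:space:]]+""|user[[:space:]]+.*-@dangerous)'; then
        echo "FAIL: CONFIG is reachable by every client that can connect"
        weak=1
    fi
    return $weak
}

# Constructed sample: what the target's config effectively looked like.
make_weak_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
# requirepass foobared
EOF
    echo "$f"
}

# Constructed sample: the corrected config (placeholder secrets, change them).
make_hardened_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
port 6379
bind 127.0.0.1 -::1
protected-mode yes
dir /var/lib/redis
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
user default off
user app on >REPLACE-WITH-A-LONG-RANDOM-SECRET ~app:* +@read +@write -@dangerous
rename-command CONFIG ""
EOF
    echo "$f"
}

# The config cannot express the process owner; check the running service.
# Returns 0 if redis-server runs as root (assumes procps' ps -C).
redis_runs_as_root() {
    ps -o user= -C redis-server 2>/dev/null | grep -qx root
}

# Usage: ./redis_audit.sh [redis.conf]; with no argument both samples are audited.
if [ -n "${1:-}" ]; then
    audit_redis_conf "$1"
else
    for f in "$(make_weak_conf)" "$(make_hardened_conf)"; do
        echo "== $f"
        audit_redis_conf "$f" && echo "OK: no weak settings found"
        rm -f "$f"
    done
fi
```

Run it against the sample configs with no argument, or point it at /etc/redis/redis.conf on a host you administer; the weak sample produces four FAIL lines and the hardened one none. The ACL rule keeps CONFIG, MODULE and SLAVEOF (the commands every Redis initial-access path relies on) away from the application user even after a password leaks.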
NMAP Results
Initially, port 6379 was not seen, because it is not in the top 1000 ports that NMAP scans by default. After the first top-1000 scan completed, a full scan of all 65535 TCP ports (-p-) was run. This turned up the Redis service, which was running without authentication.
Testing for Authentication
Redis can be reached with nc or redis-cli. With redis-cli the INFO command gives a quick check: an instance that enforces credentials answers with a NOAUTH error, while this one returned full server details, which showed that no credentials were needed to interact with the service.
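The two-stage scan and the credentials check above, as an added example (not code from the original writeup): the scan wrappers run nmap, and the reply classifier is a pure function so it can be exercised offline on the constructed replies embedded below. The nmap rate, the nc -w timeout flag, the output file names and all sample data are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original writeup: the two-stage scan
# (top 1000 ports, then all TCP ports) and the no-credentials check against
# Redis. The reply classifier is a pure function so it can be exercised on
# constructed replies offline. nc's -w timeout flag is assumed.

# Stage 1 is the default top-1000 scan; stage 2 covers all 65535 TCP ports,
# which is the scan that surfaced 6379 on this box.
scan_target() {
    target="$1"
    nmap -sV -oN "top1000_$target.txt" "$target"
    nmap -p- --min-rate 1000 -oN "allports_$target.txt" "$target"
}

# open_ports FILE : open TCP ports from nmap's normal output (-oN).
open_ports() {
    awk '/^[0-9]+\/tcp +open/ { sub(/\/tcp/, "", $1); print $1 }' "$1"
}

# redis_info_raw HOST : send INFO with plain nc and return the raw reply.
redis_info_raw() {
    printf 'INFO server\r\nQUIT\r\n' | nc -w 3 "$1" 6379
}

# classify_redis_reply REPLY : what the server's answer to INFO means.
#   OPEN    server details came back, no credentials needed (this box)
#   AUTH    -NOAUTH, a requirepass/ACL password is enforced
#   DENIED  protected mode or an ACL refused the command
#   UNKNOWN anything else (not Redis, or a truncated reply)
classify_redis_reply() {
    case "$1" in
        *redis_version:*)            echo OPEN ;;
        *NOAUTH*)                    echo AUTH ;;
        *"protected mode"*|*NOPERM*) echo DENIED ;;
        *)                           echo UNKNOWN ;;
    esac
}

# Constructed replies, shortened from what a real server returns.
SAMPLE_OPEN=$(printf '$88\r\n# Server\r\nredis_version:5.0.7\r\nredis_mode:standalone\r\nos:Linux 4.15.0-generic x86_64\r\n\r\n+OK\r\n')
SAMPLE_NOAUTH=$(printf '%s\r\n' '-NOAUTH Authentication required.' '+OK')
SAMPLE_PROTECTED=$(printf '%s\r\n' '-DENIED Redis is running in protected mode because protected mode is enabled and no bind address was specified.')

# Constructed excerpt of a stage-2 -oN file.
SAMPLE_NMAP='PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH
80/tcp    open   http    Apache httpd
6379/tcp  open   redis   Redis key-value store
10000/tcp closed http'

# Usage: ./redis_check.sh TARGET   (no argument: classify the samples only)
if [ -n "${1:-}" ]; then
    scan_target "$1"
    for p in $(open_ports "allports_$1.txt"); do
        [ "$p" = 6379 ] && echo "redis on $1: $(classify_redis_reply "$(redis_info_raw "$1")")"
    done
else
    for s in "$SAMPLE_OPEN" "$SAMPLE_NOAUTH" "$SAMPLE_PROTECTED"; do
        echo "$(classify_redis_reply "$s")  <- $(printf '%s' "$s" | head -n 1 | tr -d '\r')"
    done
fi
```

The DENIED case matters in practice: a server with protected-mode on and no password still refuses remote INFO, so "port open" alone does not mean "no authentication", which is why the classifier looks at the reply rather than at the TCP handshake.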
Ways to exploit Redis for Initial Access
There are multiple attack paths against an unauthenticated Redis instance, because CONFIG SET dir and CONFIG SET dbfilename followed by SAVE let a client write a dump file wherever the Redis process has permission. We first identified the web root at /var/www/html and placed a webshell there. This could have worked, but the web server would not execute PHP code. An SSH public key can also be written into a user's authorized_keys file, but in our case there was no existing .ssh directory under a user's home to place it in (CONFIG SET dir fails if the directory does not exist, and SAVE will not create it).
Eventually, we used the Metasploit module exploit/linux/redis/redis_replication_cmd_exec. It abuses the replication protocol: the target is told to become a replica of the attacker, which then pushes a malicious shared object as the "dataset" and loads it with MODULE LOAD (so the target needs Redis 4.0 or later, where modules were introduced). Because Redis ran as root, the resulting session was already root and no additional privilege escalation was required.