Technology Sharing

Use Docker to build a vulnerable environment and use SSRF against Redis to write a public key into CentOS and Ubuntu containers to achieve password-free login

2024-07-12


1. Experimental Environment

Kali: Build a docker container environment in Kali. Here I mainly use the first one;

Redis is an in-memory database. We use SSRF requests to make the server write the attacker's own public key to disk, thereby experimenting with password-free login.

2. Experimental process

Preliminary preparation and testing

Redis saves data in the form of key-value pairs. Here I use the CentOS environment built with Docker.

Use the following command to enter the CentOS container (replace the placeholder with the container ID):

docker exec -it <container-id> /bin/bash

Since the CentOS image already has a script that runs redis-server, we only need to start redis-cli inside the container.

Test whether Redis can write a file normally. As shown in the figure, both the written content and the target directory can be modified.

The file name can also be modified, so we can construct a public key and write it into the target server to achieve password-free login.

After modifying these settings and saving, the write succeeds, as shown in the figure.

Problems and solutions

If we are unable to connect to the Redis server, we can start it by running the script with ./start.sh.

SSRF brief introduction and experiment start

Forge requests through the vulnerable server, using the gopher or dict protocol to reach Redis and write files.

Gopher payload generation script

Generated payload

So we can make a request: paste the above content into the request field and click Fetch.

Problems encountered

When Fetch is performed for the first time, the file is reported as not existing. This is because no public key had yet been generated in the CentOS environment, so there was nothing to write. Therefore, it is necessary to run ssh-keygen in CentOS in advance to generate a key pair.

result

It can be seen that the public key has been successfully written to the target server.

Then you can log in via SSH without a password, which shows that the login is successful!

Problems encountered

There are some problems in the environment's Dockerfile that cause port 22 in the Docker image to fail to start, so this file was modified and /usr/sbin/sshd was run to start sshd.

If we encounter the above situation where the download cannot complete, we just need to initialize the file, as shown in the following figure.

Conclusion

The steps for CentOS and Ubuntu are almost the same, but because of Redis's protection mechanism, the following error appears and some properties cannot be modified. The solution is to turn off protected-mode with the following command:

config set protected-mode no

Because of the Redis version limitation (the security of 7.2.5 is too high, which causes the SSH password-free login to fail), I pulled version 5.0.5 here instead.

Then use the same operation to log in without password.
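As a defensive counterpart to the protected-mode note above, here is an added example (my own code, not from the original post): a small Python audit that parses a redis.conf and flags the settings that make this kind of file write possible, checked against a constructed weak config and a hardened one. The configuration text is constructed for the demo; the directives used (protected-mode, bind, requirepass, rename-command) are standard redis.conf options.

```python
# Added example: audit a redis.conf for settings that let a reachable Redis
# instance be reconfigured to write files. Both configs below are constructed.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass change-me-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Return {directive: [value, ...]} for non-comment lines.
    Repeated directives such as rename-command accumulate in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf

def audit(text):
    """Return a list of findings; an empty list means no weak setting found."""
    conf = parse_conf(text)
    findings = []
    # Redis defaults: protected-mode yes, but no bind line means all interfaces.
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode is off")
    bind = conf.get("bind", ["0.0.0.0"])[0]
    if any(addr in ("0.0.0.0", "*", "::") for addr in bind.split()):
        findings.append("bind allows connections from any interface")
    if not conf.get("requirepass", [""])[0]:
        findings.append("no requirepass set")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command is not renamed or disabled")
    return findings
```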