2024-07-12
Kali: build a Docker container environment in Kali. Here I mainly use the first one.
Redis is an in-memory database. We use SSRF requests to make the server write its own public key, in order to experiment with passwordless login.
Redis stores data as key-value pairs. Here I use the CentOS environment built with Docker.
Use the following command to enter the CentOS container:
docker exec -it <container ID> /bin/bash
Since the CentOS image already has a script that runs redis-server, we only need to start redis-cli in the container.
Test whether data can be written normally. As shown in the figure, the written content and the target directory can be modified.
The file name can also be modified, so we can construct a public key and write it to the target server to achieve passwordless login.
After modifying, save. As shown in the figure, the write succeeds!
If we are unable to connect to the server, we can run this script using ./start.sh.
Forge requests through the server, use the gopher or dict protocol to talk to Redis, and write files.
So we can construct a request: paste the above content in and click Fetch.
When Fetch is performed for the first time, it reports that the file does not exist. This is because no public key has been generated in the CentOS environment yet, so nothing can be written. Therefore, ssh-keygen must be run in CentOS beforehand to generate a public key.
It can be seen that the public key has been successfully written to the target server.
Then you can log in via SSH without a password, and the login succeeds!
The environment's Dockerfile has some problems that prevent port 22 from starting in the Docker image, so the file is modified and /usr/sbin/sshd is run to start sshd.
If we encounter the above situation where we cannot download, we just need to initialize the file, as shown in the following figure.
The steps for CentOS and Ubuntu are almost the same, but Redis's protection mechanism raises the following error, which prevents some properties from being modified. The solution is to turn off protected-mode with the following command:
config set protected-mode no
Because of the Redis version limitation, the security of 7.2.5 is too high and SSH passwordless login fails, so here I pulled version 5.0.5.
Then use the same steps to log in without a password.
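As an added example (not part of the original post), the following audits a redis.conf for the settings this walkthrough depends on: protected-mode turned off, and dir/dbfilename pointed at an SSH authorized_keys file. The sample configs and function names are constructed for illustration; the enable-protected-configs check applies to Redis 7.0 and later, where it defaults to no and blocks runtime changes to dir and dbfilename.

```python
import posixpath

# Constructed sample configs (not taken from the original post).
TAMPERED = """\
protected-mode no
dir /root/.ssh
dbfilename authorized_keys
"""
HARDENED = """\
protected-mode yes
requirepass "constructed-placeholder-secret"
dir /var/lib/redis
dbfilename dump.rdb
"""

def parse_redis_conf(text):
    """Parse redis.conf text into {directive: value}; the last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        conf[fields[0].lower()] = fields[1].strip('"') if len(fields) > 1 else ""
    return conf

def audit(conf):
    """Return a list of findings for settings that allow the key-file write."""
    findings = []
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass is not set")
    # Where the next RDB save will land; it should never be SSH key material.
    target = posixpath.join(conf.get("dir", "."), conf.get("dbfilename", "dump.rdb"))
    parts = posixpath.normpath(target).split("/")
    if ".ssh" in parts or parts[-1] == "authorized_keys":
        findings.append("RDB save path targets SSH key material: " + target)
    # Redis 7.0+: any value other than "no" re-allows CONFIG SET dir/dbfilename.
    if conf.get("enable-protected-configs", "no").lower() != "no":
        findings.append("enable-protected-configs permits runtime dir/dbfilename changes")
    return findings

if __name__ == "__main__":
    for name, text in (("tampered", TAMPERED), ("hardened", HARDENED)):
        print(name, audit(parse_redis_conf(text)))
```

The same audit can be run against live values by feeding it the pairs returned by CONFIG GET instead of the parsed file.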