tarunkant / Gopherus

This tool generates gopher links for exploiting SSRF and gaining RCE in various servers
MIT License

Redis ReverseShell failure of the cron due to weird characters #13

Closed JoshuaMart closed 2 years ago

JoshuaMart commented 3 years ago

Hi, thanks for the tool, great job 👍

However, I have a problem with its use, when I generate a payload and run it, the cron looks like this:

[screenshot: cron]

It is therefore obviously not executed :/ Any ideas?

Regards, Jomar

tarunkant commented 3 years ago

Hello @JoshuaMart, is redis-php-shell working for you?

JoshuaMart commented 3 years ago

Hi, yes, the redis-php-shell works though :)

I tried again this morning, the cron is well present but with all the strange characters in the file, it is never executed.

JoshuaMart commented 3 years ago

Hi, I was able to do a lot of tests, with different versions of Docker, Redis, Ubuntu, Debian ... in short:

I can't explain why, but the payload only works on a CentOS system, which can read the crontab even though it is not valid.

My crontab under Ubuntu/Debian, which doesn't work: [screenshot: CRON_01]

My crontab under CentOS, which works (in spite of the message that it is not valid): [screenshot: CRON_02]

Moreover, during the generation of the payload one observes that the file the tool tries to modify is var/spool/cron/root; this file does not exist on Ubuntu/Debian, where it is /var/spool/cron/crontabs/root.

This problem is mainly due to the modification of the rights on the user's cron file, referring to this article (sent to me by a colleague): https://www.programmersought.com/article/97106120063/

This method can only be used on CentOS, but Ubuntu does not work for the following reasons: by default Redis writes the file with permission 644, but Ubuntu requires the scheduled-task file under /var/spool/cron/crontabs/ to have permission 600 (-rw-------) before it will be executed; otherwise it reports the error "(root) INSECURE MODE (mode 0600 expected)". On CentOS, the scheduled-task file under /var/spool/cron/ with permission 644 can still be executed. Because Redis saves an RDB file, there will be garbled characters; an error will be reported on Ubuntu, but no error will be reported on CentOS.

An interesting point to note is that even after changing the permissions on the cron, it is not executed!

In short ... I suggest you modify the tool a little to specify that the Redis RCE only works on CentOS and, if you're motivated, add the possibility of adding an SSH key, so as to still get a shell on an Ubuntu/Debian system without modifying the cron.
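A defender-side check for the condition described in the comment above, added here as an example and not part of this issue or the Gopherus project: it flags a user crontab that carries a Redis RDB header or non-printable bytes, and a Debian/Ubuntu crontab whose mode is not 0600. The sample crontab bytes and the function names are constructed for illustration.

```python
import os
import re
import stat
from typing import List

# Constructed sample (not a capture from a real host): what a user crontab
# looks like after Redis has written its RDB snapshot over it. The RDB header
# and trailer bytes surround the one line cron was meant to see.
RDB_STYLE_CRONTAB = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfa\nredis-bits\xc0@\xfe\x00\xfb\x01\x00"
    b"\x00\x011\x18\n\n* * * * * /usr/bin/some-command\n\n"
    b"\xff\x9c\x1e\x8b\xab\x12\x33\x44\x55"
)

# Constructed sample: a legitimate crontab for comparison.
CLEAN_CRONTAB = b"# m h dom mon dow command\n0 3 * * * /usr/local/bin/backup.sh\n"

# Debian/Ubuntu keep per-user crontabs here and require mode 0600;
# CentOS uses /var/spool/cron/<user> and tolerates 0644 (see the quoted article).
DEBIAN_SPOOL = "/var/spool/cron/crontabs"

RDB_MAGIC = re.compile(rb"^REDIS\d{4}")

def inspect_crontab_bytes(data: bytes) -> List[str]:
    """Findings for the raw contents of a crontab file."""
    findings = []
    if RDB_MAGIC.match(data):
        findings.append("redis-rdb-header")
    # A valid crontab is plain text: tab, newline and printable ASCII only.
    # Anything else is the "garbled characters" that make Debian's cron reject it.
    if any(b not in (9, 10) and not 32 <= b < 127 for b in data):
        findings.append("non-printable-bytes")
    return findings

def inspect_crontab_mode(st_mode: int, require_0600: bool = True) -> List[str]:
    """Findings for a crontab's permission bits (os.stat(path).st_mode)."""
    perms = stat.S_IMODE(st_mode)
    if require_0600 and perms != 0o600:
        return ["insecure-mode-%04o" % perms]
    return []

def inspect_crontab(path: str, require_0600: bool = True) -> List[str]:
    """Combine the content and mode checks for one crontab file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return inspect_crontab_bytes(data) + inspect_crontab_mode(os.stat(path).st_mode, require_0600)
```

Run `inspect_crontab` over every file under `DEBIAN_SPOOL` (or the CentOS spool with `require_0600=False`) to spot a crontab that Redis, rather than `crontab -e`, has written.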

tarunkant commented 3 years ago

Hello @JoshuaMart,

check this out: https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530

Thanks,