W-SSRF-INTERNALLateral Movement

SSRF → Internal Service Exploit

Reach Redis (FLUSHALL / config rewrite), Elasticsearch, Kibana, Consul, Memcached — often unauthenticated internally.

§ Where this technique fits

W-SSRF-INTERNAL is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

SSRF → reach internal Redis → write SSH key → RCE
Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host — log in as the Redis user.
step 2 / 6

§ What commonly comes next

01
Redis Unauth → RCE via CONFIG
DB-REDIS-RCE · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SSRF → reach internal Redis → write SSH key → RCE

§ What commonly comes next