Readys 🔸

Enumeration

The web site on port 80 is a WordPress site.

Using wpscan, we find a local file inclusion in the plugin.

So we have the user alice.

We can see the Redis config at /etc/redis/redis.conf.

So we have the user alice and the Redis password Ready4Redis?

We can log in to Redis.

Initial Access

Searching for an RCE exploit:

https://github.com/jas502n/Redis-RCE
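
Seen from the defender's side, the chain above worked because redis.conf could be read through a file read and the recovered password then gave full command access. The following is an added example, not part of the original write-up: a small audit of a redis.conf for those conditions. The sample config, the file mode and the list of risky commands are constructed assumptions.

```python
import shlex

# Commands to rename or disable for ordinary clients (list assumed for this example).
RISKY_COMMANDS = {"MODULE", "CONFIG", "SLAVEOF", "REPLICAOF"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Constructed sample config, not the target's real file.
SAMPLE = """\
bind 0.0.0.0
protected-mode no
requirepass example-password
rename-command CONFIG ""
"""


def parse_conf(text):
    """Return {directive: [argument lists]} from redis.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text, file_mode):
    """Findings for one config; on a host, file_mode is os.stat(path).st_mode."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: clients are not authenticated")
    elif file_mode & 0o004:
        findings.append("requirepass in a world-readable file: any file read discloses it")
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(a.lstrip("-") not in LOOPBACK for a in binds):
        findings.append("bind is not limited to loopback")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode is disabled")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in sorted(RISKY_COMMANDS - renamed):
        findings.append(f"{cmd} is not renamed or disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_redis_conf(SAMPLE, 0o644)))
```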

Privilege Escalation

Make another reverse shell so that it is more stable.

MySQL config

admin:$P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0

Can't crack it

Transfer linpeas.sh

Using pspy64 we see it

We can exploit the tar wildcard, but not with this user; we need alice.

Find a writable folder to put a PHP file in, and execute it as before with the LFI to get a reverse shell.

Post Exploitation

Get flags