Skip to content

Sybaris 🔸

Enumeration

Web server has a php blog

The blog is made with htmly and Pablo

ftp shows an exit pub folder

Using redis-cli we can connect, is open.

We can upload a a redis module to execute system commands, ulpoad it to the ftp server and load it with redis.

https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html#load-redis-module https://github.com/n0b0dyCN/RedisModules-ExecuteCommand#

load module from default public vftpd

execute reverse shell

Get the flag

Privilege Escalation

Searching passwords in the blog project we find pablo's

Better to connect via SSH

Transfer linpeas

Compile a shared object with a malicious code and put it in /usr/local/lib/dev and wait

Post Exploitation

get the flag