Readys 🔸

Enumeration

The website on port 80 is a WordPress site.

Using wpscan, we find a local file inclusion in the plugin.

So we have the user alice.

We can read the Redis config at /etc/redis/redis.conf.

So we have the user alice and the Redis password "Ready4Redis?".

We can log in to Redis.

Initial Access

Searching for an RCE exploit:

https://github.com/jas502n/Redis-RCE
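
The chain above started from a readable /etc/redis/redis.conf holding a cleartext password. As an added example (not part of the original writeup), this Python check audits a redis.conf for the settings relevant to that chain; the sample configs, the risky-command list and the 32-character threshold are assumptions of the example.

```python
import shlex

# Commands tied to replication/module-loading abuse; this list is an assumption.
RISKY = {"MODULE", "SLAVEOF", "REPLICAOF", "CONFIG"}

# Constructed sample configs (not the target's real file).
WEAK = 'bind 0.0.0.0\nprotected-mode no\nrequirepass short-example-pw\n'
HARDENED = (
    'bind 127.0.0.1 -::1\nprotected-mode yes\n'
    'requirepass constructed-long-random-value-0123456789abcdef\n'
    + ''.join(f'rename-command {c} ""\n' for c in sorted(RISKY))
)

def parse_conf(text):
    """Yield (directive, args) for each non-comment line of a redis.conf."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]

def audit(text, file_mode=0o644):
    """Return a list of findings; file_mode is the conf file's permission bits."""
    conf, renamed = {}, set()
    for key, args in parse_conf(text):
        if key == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())  # renamed, or disabled when new name is ""
        else:
            conf[key] = args
    findings = []
    binds = [a.lstrip("-") for a in conf.get("bind", [])]
    if not binds or any(a in ("0.0.0.0", "*", "::", "::*") for a in binds):
        findings.append("bind: listens on all interfaces")
    if (conf.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    pw = (conf.get("requirepass") or [""])[0]
    if len(pw) < 32:  # length threshold is an assumption of this example
        findings.append("requirepass: missing or short")
    if pw and file_mode & 0o004:
        findings.append("redis.conf: world-readable with cleartext requirepass")
    findings += [f"{c}: not renamed or disabled" for c in sorted(RISKY - renamed)]
    return findings

if __name__ == "__main__":
    for name, conf, mode in (("weak", WEAK, 0o644), ("hardened", HARDENED, 0o640)):
        print(name, audit(conf, mode))
```

Pass the real file's mode with os.stat(path).st_mode so the world-readable check reflects the host being audited.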

Privilege Escalation

Make another reverse shell for a more stable session.

MySQL config:

admin:$P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0

Can't crack it.

Transfer linpeas.sh.

Using pspy64, we see it.

We can exploit the tar wildcard, but not with this user; we need alice.

Find a writable folder, put a PHP file in it, and execute it through the LFI as before to get a reverse shell.

Post Exploitation

Get the flags.