Sybaris 🔸

Enumeration

The web server has a PHP blog.

The blog is made with htmly and Pablo.

The FTP server exposes a pub folder.

Redis is open; we can connect to it with redis-cli.

A Redis module can execute system commands. Upload the module to the FTP server and load it through Redis.

https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html#load-redis-module
https://github.com/n0b0dyCN/RedisModules-ExecuteCommand#

Load the module from the default public vsftpd folder.

Execute a reverse shell.

Get the flag.
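The foothold above depends on Redis accepting unauthenticated remote clients and still offering the MODULE command. As an added example (not part of the original writeup), this audit checks a redis.conf for those settings; the two sample configs are constructed and the finding labels are this example's own.

```python
# Added defensive example: flag redis.conf settings that leave MODULE LOAD
# reachable by an unauthenticated remote client. Sample configs are constructed.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Return {directive: [args, ...]} from redis.conf text, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            conf.setdefault(key.lower(), []).append(args)
    return conf

def audit(text):
    conf = parse_conf(text)

    def last(key, default):
        # Take the last occurrence of a single-valued directive.
        vals = conf.get(key)
        return vals[-1][0].lower() if vals and vals[-1] else default

    findings = []
    if "requirepass" not in conf and "aclfile" not in conf:
        findings.append("no-auth")
    if last("protected-mode", "yes") == "no":
        findings.append("protected-mode-off")
    # A bind address may carry a leading '-'; no bind line means all interfaces.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not binds or any(a not in LOOPBACK for a in binds):
        findings.append("non-loopback-bind")
    # MODULE is off if renamed to "" or if enable-module-command is "no".
    # Assumption: an absent enable-module-command is treated as enabled,
    # because releases before 7.0 have no such switch.
    renamed = any(len(a) == 2 and a[0].upper() == "MODULE" and a[1] in ('""', "''")
                  for a in conf.get("rename-command", []))
    if not renamed and last("enable-module-command", "yes") != "no":
        findings.append("module-command-available")
    return findings

WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = ('bind 127.0.0.1 -::1\nprotected-mode yes\n'
            'requirepass CHANGE-ME-long-random-secret\n'
            'rename-command MODULE ""\nenable-module-command no\n')

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```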

Privilege Escalation

Searching for passwords in the blog project, we find Pablo's.

It is better to connect via SSH.

Transfer linpeas.

Compile a shared object with malicious code, place it in /usr/local/lib/dev, and wait.

Post Exploitation

Get the flag.