Redis Exploitation with SSH — H@cktivityCon 2021 CTF

Redlike [115 points — Miscellaneous — 187 Solves]

Author: @JohnHammond#6971

You know, I like the color red. Primary colors are the best colors — you can do so much with them!

Escalate your privileges and retrieve the flag out of root's home directory.

Connect with:

# Password is p@ssw0rd
ssh -p 32708 user@challenge.ctf.games

Checking /etc/passwd, and look there: redis? Hmm...

I think Redis is exploitable, so I'm trying to exploit it via SSH.

First, public and private key files are produced locally.

Then write the public key to the banua.txt file.

Connect to Redis locally (because it is on the same machine) to write files.

Connect to Redis again and configure the .ssh dir.

Wait, no such file or directory? Hmm…

OK, maybe we can configure the .ssh dir on root.

Great! Now configure the dbfilename, save it, and exit redis-cli.

Log in to root@localhost via SSH.

Awesome, we got root! The flag is in root's home directory.

flag : flag{69dc14707af23b728ebd1363715ec890}
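From the defender's side, the steps above leave a recognisable artifact: the file Redis saves into root's .ssh directory is an RDB dump, so it starts with the `REDIS` magic header and carries binary bytes around the key line. The check below is an added example, not part of the original writeup; it assumes the saved file is `authorized_keys`, and both sample inputs are constructed.

```python
import re

# An RDB dump begins with the ASCII magic "REDIS" followed by a 4-digit version.
RDB_MAGIC = re.compile(rb"^REDIS(\d{4})")
# One OpenSSH public-key line: type, base64 blob, optional comment.
KEY_LINE = re.compile(
    rb"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+(?: [^\n]*)?$",
    re.M,
)

def inspect_authorized_keys(data: bytes) -> dict:
    """Classify the raw contents of an authorized_keys file."""
    magic = RDB_MAGIC.match(data)
    # Heuristic: a normal authorized_keys file is printable ASCII plus whitespace.
    binary = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    return {
        "rdb_header": bool(magic),
        "rdb_version": magic.group(1).decode() if magic else None,
        "binary_bytes": binary,
        "key_lines": [m.group(0).decode("ascii", "replace")
                      for m in KEY_LINE.finditer(data)],
        "suspicious": bool(magic) or binary > 0,
    }

# Constructed sample: an RDB-style dump with a public key stored as a value.
SAMPLE_RDB = (
    b"REDIS0009\xfa\x00\xfe\x00\xfb\x01\x00\x00\x05banua\x40\x5e"
    b"\n\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly player@laptop\n\n"
    b"\xff" + b"\x00" * 8
)
# Constructed sample: an ordinary, text-only authorized_keys file.
SAMPLE_CLEAN = (
    b"# constructed clean file\n"
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly admin@bastion\n"
)

if __name__ == "__main__":
    for name, blob in (("rdb-like", SAMPLE_RDB), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_authorized_keys(blob))
```

On a real host, pass the function the bytes of each account's `authorized_keys` file; any hit means Redis was able to write there, which points to Redis running with more privilege than it needs.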

Muhammad Ichwan

IT Security Enthusiast | CTF Player with warlock_rootx and [MEPhI] Kernel Escape