Readys Proving Grounds Write-Up
SUMMARY
This write-up covers the Readys machine from OffSec’s Proving Grounds, a Linux machine with a multi-step exploitation chain involving LFI, Redis, and a tar wildcard attack.
Port 80 hosted a WordPress site with a Site Editor plugin vulnerable to local file inclusion (LFI). The LFI was used to read /etc/redis/redis.conf, which leaked the Redis authentication password. After authenticating with redis-cli using that password, a Lua sandbox escape was used to execute system commands and obtain a reverse shell as the redis user.
Since the Apache service ran as alice, a PHP webshell was written to /run/redis/ (writable by redis) and included through the LFI parameter, which delivered a shell as alice. Privilege escalation came from a root cronjob that backed up /var/www/html using tar *. Creating tar wildcard injection files in the web directory caused the cronjob to append alice to /etc/sudoers. Running sudo bash completed the machine.
PATH TO FOLLOW
- Reconnaissance & WordPress LFI Plugin Discovery
- LFI → Redis Config Password Read → Redis Authentication
- Lua Sandbox Escape → Shell as redis
- PHP Webshell to /run/redis → LFI Access → Shell as alice
- Root Cronjob tar * Wildcard Injection → Sudoers Write
- Sudo Bash → Shell as Root
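The chain above depends on two host misconfigurations: a Redis config holding requirepass that any local user (including the one the web server runs as) can read, and a root cron job that lets the shell expand a glob into tar's argument list. The following audit script is an added example written for this write-up, not code from the machine or from OffSec; every path, file name and config value it creates is constructed for the demo, and the three functions are the pieces you would point at a real host.

```sh
#!/bin/sh
# Added example (not part of the write-up): defender-side audit for the two
# misconfigurations the Readys chain relies on. All paths and contents created
# below are constructed for the demo.

# 1. Is a Redis config that holds an active "requirepass" readable by every
#    local user? That is exactly what let an LFI running as the web server
#    user read the secret. Prints a finding and returns 1 when exposed.
redis_conf_exposed() {
    conf="$1"
    [ -f "$conf" ] || return 0
    # Only an uncommented requirepass line counts as a secret in the file.
    grep -q '^[[:space:]]*requirepass[[:space:]]' "$conf" || return 0
    # Character 8 of the ls mode string is the "others can read" bit.
    mode=$(ls -ld "$conf" | cut -c1-10)
    case "$mode" in
        ???????r??)
            printf 'EXPOSED: %s holds requirepass and is world-readable (%s)\n' "$conf" "$mode"
            return 1 ;;
    esac
    return 0
}

# 2. Does a backed-up tree contain entries whose name starts with "-"? When
#    root runs "tar ... *" inside that directory, the shell expands such names
#    into tar options instead of paths. Prints each offender and returns 1
#    if any exist.
option_like_names() {
    dir="$1"
    found=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue      # unmatched glob stays literal; skip it
        name=${entry##*/}
        case "$name" in
            -*) printf 'SUSPICIOUS: %s/%s\n' "$dir" "$name"; found=1 ;;
        esac
    done
    return "$found"
}

# 3. The hardened form of the cron command: no glob at all, -C to enter the
#    tree, "--" to end option parsing, and "." as the single explicit member,
#    so whatever the directory contains is archived as data only.
safe_backup() {
    src="$1"; dest="$2"
    tar -czf "$dest" -C "$src" -- .
}

# Demo on a constructed tree (removed afterwards).
demo=$(mktemp -d)
mkdir "$demo/www"
printf 'requirepass constructed_demo_password\n' > "$demo/redis.conf"
chmod 644 "$demo/redis.conf"
: > "$demo/www/index.php"
: > "$demo/www/--constructed-option-name"
redis_conf_exposed "$demo/redis.conf" || :
option_like_names "$demo/www" || :
if safe_backup "$demo/www" "$demo/backup.tgz"; then
    echo "archive written; members:"
    tar -tzf "$demo/backup.tgz"
fi
rm -rf "$demo"
```

In the demo the constructed redis.conf is reported as exposed (mode 644), the file named `--constructed-option-name` is reported as suspicious, and the hardened backup still archives that file, now as a plain member `./--constructed-option-name` rather than as an option. Fixing the first finding means `chmod 640` with group ownership limited to the Redis service account; fixing the second means replacing the glob in the cron entry with the `-C` form shown, since deleting the odd file only treats the symptom.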
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.