Blackgate

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 192.168.197.176
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 23:04 +08
Nmap scan report for 192.168.197.176
Host is up (0.17s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
6379/tcp open  redis

Only Redis. We can do a detailed scan for this port.

$ sudo nmap -p 6379 -sC -sV -O -T4 192.168.197.176                                 
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 23:05 +08
Nmap scan report for 192.168.197.176
Host is up (0.17s latency).

PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 4.0.14

Redis RCE

This version of Redis is vulnerable to the Redis Rogue Server exploit:

GitHub - n0b0dyCN/redis-rogue-server: Redis(<=5.0.5) RCEGitHub

Getting a reverse shell via a bash one-liner is trivial:

Privilege Escalation

Sudo Redis-Status

We had some sudo privileges as this user:

prudence@blackgate:/tmp$ sudo -l
Matching Defaults entries for prudence on blackgate:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User prudence may run the following commands on blackgate:
    (root) NOPASSWD: /usr/local/bin/redis-status

I did some basic enumeration of this binary, such as running strings:

prudence@blackgate:~$ strings /usr/local/bin/redis-status
/lib64/ld-linux-x86-64.so.2
gets
puts
printf
stderr
system
fwrite
strcmp
__libc_start_main
libc.so.6
GLIBC_2.2.5
__gmon_start__
H=X@@
[]A\A]A^A_
[*] Redis Uptime
Authorization Key: 
ClimbingParrotKickingDonkey321

There is a password within it. When we run the binary and supply the password, we get this 'terminal' thing:

This output looks a bit like less, so I tried to escape this limited shell with !sh and it worked.

Rooted!