BlackGate

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.199.176
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 14:42 +08
Nmap scan report for 192.168.199.176
Host is up (0.010s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 37:21:14:3e:23:e5:13:40:20:05:f9:79:e0:82:0b:09 (RSA)
|   256 b9:8d:bd:90:55:7c:84:cc:a0:7f:a8:b4:d3:55:06:a7 (ECDSA)
|_  256 07:07:29:7a:4c:7c:f2:b0:1f:3c:3f:2b:a1:56:9e:0a (ED25519)
6379/tcp open  redis   Redis key-value store 4.0.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds

Initial Access

Port 6379

CVE-2021-21425

Searching online for exploits turns up this exploit, which allows remote code execution.

This exploit allows us to get a reverse shell to the server.

Privilege Escalation

Pwnkit

Running linpeas.sh shows that this server is most probably vulnerable to PwnKit.

So we download the file to our local machine first, then upload it to the target machine.

After making it executable, we should be able to get the root shell.
