May 18, 2025

Blackgate Proving Grounds Write-Up

Proving Grounds Blackgate machine walkthrough

SUMMARY

This write-up covers the Blackgate machine from OffSec’s Proving Grounds, a Linux machine where an exposed Redis instance without authentication led to remote code execution.

Port 6379 exposed a Redis instance accessible without credentials. Enumeration via redis-cli showed the slaveof directive was unset, enabling a rogue server attack. Using redis-rogue-server, a malicious slave was established and an interactive shell was obtained. This was then upgraded to a full reverse shell.

For privilege escalation, sudo -l revealed the current user could run the redis-status binary as root. The binary prompted for a password, but running strings against it exposed the hardcoded password in cleartext. Entering it escalated to a root shell.
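From the defender's side, the Redis exposure described above comes down to a few redis.conf settings. The following is an added example, not part of the original write-up or the machine's configuration: a small auditor run over two constructed configs. The list of commands to disable and the finding names are assumptions made for this illustration.

```python
import shlex

# Constructed sample configs (not taken from the Blackgate machine).
WEAK = """\
bind 0.0.0.0
protected-mode no
"""
HARDENED = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""
# Commands worth disabling on an instance that never replicates or
# loads modules (assumed list for this audit).
RISKY = {"SLAVEOF", "REPLICAOF", "MODULE", "CONFIG"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse(conf_text):
    """Return (directives, renamed_commands) from redis.conf text."""
    directives, renamed = {}, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        if key.lower() == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())
        else:
            directives[key.lower()] = args
    return directives, renamed

def audit(conf_text):
    """List hardening gaps; only requirepass is checked, not ACL users."""
    d, renamed = parse(conf_text)
    findings = []
    if not (d.get("requirepass") or [""])[0]:
        findings.append("no-auth")
    # With no bind directive Redis listens on every interface.
    addrs = {a.lstrip("-") for a in d.get("bind", ["*"])}
    if addrs - LOOPBACK:
        findings.append("exposed-bind")
    if (d.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode-off")
    callable_risky = sorted(RISKY - renamed)
    if callable_risky:
        findings.append("risky-commands:" + ",".join(callable_risky))
    return findings
```

`audit(WEAK)` reports all four gaps, while `audit(HARDENED)` returns an empty list.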


PATH TO FOLLOW

  1. Reconnaissance & Unauthenticated Redis Discovery on Port 6379
  2. Rogue Server Attack via redis-rogue-server
  3. Interactive Shell & Reverse Shell
  4. Sudo Privilege Enumeration — redis-status Binary
  5. Hardcoded Password Extraction via strings
  6. Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.