From 5eadc9d62e65c83ffc4a0e7b1d1b9c83ec80ea45 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 28 Aug 2021 21:16:19 +0500
Subject: [PATCH] Add files via upload
---
HackTheBox/Knife.md | 81 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 HackTheBox/Knife.md
diff --git a/HackTheBox/Knife.md b/HackTheBox/Knife.md
new file mode 100644
index 0000000..5914ba0
--- /dev/null
+++ b/HackTheBox/Knife.md
@@ -0,0 +1,81 @@
+# HackTheBox-Knife
+
+## NMAP
+
+```bash
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
+80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-title: Emergent Medical Idea
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+```
+
+## PORT 80 (HTTP)
+
+On the webserver we only get a static web page
+
+
+
+I didn't find anything on the site, it's a php page so I tried default parameters but it didn't work too so I ran a nikto scan which is useful for identifying vulnerabilites on web server
+
+## Nikto
+
+On running `nikto` , I came to know the version of php it's using which is `PHP/8.1.0-dev`
+
+
+
+On march 2021 this version was implanted with a backdoor which is discovered and removed the github repo,attacker can execute arbitrary code by sending the `User-Agentt` header
+
+https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
+
+So let's test this by following what's in the github repo
+
+
+
+
+
+https://www.zdnet.com/article/official-php-git-server-targeted-in-attempt-to-bury-malware-in-code-base/
+
+This works, according to the finidngs ,the `User-Agnett` header needs `zerodium` and after that we can supply php commands so we could execute commands and get RCE
+
+
+
+We can grab the id_rsa from `james`'s home folder
+
+
+
+
+
+
+
+But the ssh key doesn't work, so replace the public ssh key
+
+
+
+Also add that public key to `authorized_keys`
+
+
+
+Doing `sudo -l` we can see what we can run as sudo
+
+
+
+Let's see the help menu for `knife`
+
+
+
+If we scroll down a little we can that we can execute ruby scripts meaning we can run shell commands
+
+
+
+
+
+So I added my public ssh key in `/root/.ssh/authorized_keys/` . we could have gotten a reverse shell or made bash SUID
+
+
+
+Getting a reverse shell
+
+
\ No newline at end of file
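Review bot: The header name is spelled two ways in this file (`User-Agentt` in the paragraph after the nikto section, `User-Agnett` in the "This works" paragraph); since the write-up's point is that the backdoor keys off this exact header, both should read `User-Agentt`, matching the vulhub README that is linked. A few more things to fix before merging: `/root/.ssh/authorized_keys/` has a trailing slash but is a file, not a directory, so drop the slash; "we can that we can execute ruby scripts" is missing "see"; "finidngs" and "vulnerabilites" are misspelled; the nmap block is fenced as `bash` although it is scan output, so `text` would be the honest tag. The long runs of blank lines after "static web page", after "PHP/8.1.0-dev", and before "Getting a reverse shell" look like places where screenshots were meant to go, but no image links are in the diff, so either add the `![...](...)` references with the image files or collapse the blank lines. Finally, the file ends without a trailing newline (`\ No newline at end of file`).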