2.4 KiB
HackTheBox-Knife
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
On the webserver we only get a static web page
I didn't find anything on the site, it's a php page so I tried default parameters but it didn't work too so I ran a nikto scan which is useful for identifying vulnerabilites on web server
Nikto
On running nikto , I came to know the version of php it's using which is PHP/8.1.0-dev
On march 2021 this version was implanted with a backdoor which is discovered and removed the github repo,attacker can execute arbitrary code by sending the User-Agentt header
https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
So let's test this by following what's in the github repo
This works, according to the finidngs ,the User-Agnett header needs zerodium and after that we can supply php commands so we could execute commands and get RCE
We can grab the id_rsa from james's home folder
But the ssh key doesn't work, so replace the public ssh key
Also add that public key to authorized_keys
Doing sudo -l we can see what we can run as sudo
Let's see the help menu for knife
If we scroll down a little we can that we can execute ruby scripts meaning we can run shell commands
So I added my public ssh key in /root/.ssh/authorized_keys/ . we could have gotten a reverse shell or made bash SUID
Getting a reverse shell
