Knife

Hey, this is actually my 1st HTB box write-up as well as box. It is actually an easy marked box. After completing some easy boxes, I will move to those boxes which actually are relevant to writing pentesting reports. Actually, I was ready to make a pentesting report in this room, but this room is not up to the mark for writing standard pentest reports.

So, what are you waiting for?

As always, I started testing by scanning the ports with nmap and found out this.

1. Nmap:

Port: 22/tcp – ssh and 80/tcp – http is open

2. Went to the corresponding [ip] website, to see what we can find…

Found nothing…

Now I was going to run gobuster, but we can narrow down directory brute forcing by knowing exactly what specific extension the web server actually supports.

This can be done in two ways:

1. 

2.

So, now we can use this php extension in gobuster bruteforcing command

3. gobuster:

`$ gobuster dir -u http://10.10.10.242:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php`

It only gave one output file named: `index.php`

I got nothing juicy, except the supported extension of the web server.

4. Then I went to Burp Suite to capture request

Let’s send the captured request to the repeater.

Now sending the request to inspector, to check out the response

So, why are we capturing requests by Burp?

This is because burp acts as a proxy between client and server to capture request and response. Request and response is captured to see the internals of them.

I was sending request to the repeater tab present in Burp, so that I can reuse the request and manipulate it according to our needs. Now I sent the request to the inspector, so that we can get a response back just like what we should have gotten from the actual target web server. In this way, we can manipulate our request and test it accordingly.

Now, we can see a line named: X-Powered-By: PHP/8.1.0-dev in response.

I googled it and came up with this blog post: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/

So, we can probably set the User-Agentt header like this:

NOTE:

Nope, ‘Agentt’ spelling is not wrong, please check the spelling of ‘Agentt’ carefully in the above mentioned blog.

But what should we pass? Let’s see..

In the above link named PHP_version_8.1.0-dev, there is an image:

To abuse this vulnerability, we can see in this code image above , that we have to input: ‘zerodium’ along with ‘linux command’ to perform OS command injection

Let’s see:

We can see it worked 😎!! So now let’s use a bash reverse shell…

BTW, if you want to see the full theory behind it, visit:  https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/

and to see the exploitdb exploit code, visit: https://www.exploit-db.com/exploits/49933

But the main idea is already discussed earlier in this blog.

Here, in exploitdb exploit code:

This would do nothing but add another header to the requests named,`User-Agentt: zerodiumsystem(‘” + cmd + “‘);` which would help us to perform OS command injection

Oh!, one thing if you want to get a stable shell, you can login to this machine via ssh as ssh was running…

Firstly, you can copy the ssh key (id_rsa) from the .ssh directory and paste it in your local attacker machine within a file.

Secondly, modify the file permission, `chmod 600 <filename>`

Thirdly, `ssh -i <filename> james@<ip>` – to automatically login to the victim machine as james user.

If this requires any password, do this: `mv id_rsa.pub key authorized_keys` this makes the key authorized and usable. Now repeat all three steps.

So, now we get the user_flag

Now, for _priv_esc_, let us 1st check this:

“`

james@knife:~$ sudo -l

sudo -l

Matching Defaults entries for james on knife:

    env_reset, mail_badpass,

    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:

    (root) NOPASSWD: /usr/bin/knife

“`

We can now use, [GTFOBins](https://gtfobins.github.io/) to get _priv_esc_ command:

So, now we got the root flag…

This is it for now, if you have any queries, suggestions (tbh, I’m open to all type of comments), please contact me here:

– [linkedin](https://www.linkedin.com/in/soumyanil-biswas/)

– [twitter](https://twitter.com/reveng007)

Meet, all of you in the next blog (I will return with some hard boxes), until then, Bye 👋..!!!