Knife
https://app.hackthebox.com/machines/list/todo
Nmap
With port 80 being the only realistic path ahead, we view the root page.
We find the page is largely unusable. Running nikto against the target web server yields very little useful information.
Running feroxbuster against that host finds no interesting files or directories. However, /index.php tells us the server is running PHP.
Proxying the site through ZAP, we see the HTTP response headers report that the web server is running PHP/8.1.0-dev.
A quick Google search for this version of PHP immediately shows exploit code for this version.
From here the first link, for exploit-db.com, shows us exploit code and references for the vulnerability.
Exploit-DB: https://www.exploit-db.com/exploits/49933
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Description
An early release of PHP, the PHP 8.1.0-dev version, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending a crafted User-Agent header. The following exploit uses the backdoor to provide a pseudo shell on the host.
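Because the only signal we had before finding the exploit was the version string in the response headers, a defender's first check is whether any server in the estate still advertises that build. The following inventory check is an added example and is not part of the original writeup or the exploit it links; it assumes PHP reports its version in the X-Powered-By header (which it does when expose_php is enabled) and the sample responses are constructed for the example.

```python
"""Added example (not from the original writeup): parse an HTTP response
and report whether the server advertises the backdoored PHP/8.1.0-dev
build in its headers.

Assumptions: PHP advertises its version in X-Powered-By (when expose_php
is on); some servers put it in the Server header instead, so both are
checked. The sample responses below are constructed.
"""
import re
from typing import Optional

BACKDOORED_VERSION = "8.1.0-dev"
# Matches "PHP/8.1.0-dev", "PHP/7.4.3", etc.
VERSION_RE = re.compile(r"\bPHP/(\d+\.\d+\.\d+(?:-[A-Za-z0-9]+)?)", re.IGNORECASE)


def parse_headers(raw_response: str) -> dict:
    """Return the response headers as a lower-cased name -> value dict."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def advertised_php_version(headers: dict) -> Optional[str]:
    """Find a PHP version string in X-Powered-By or Server, if present."""
    for name in ("x-powered-by", "server"):
        match = VERSION_RE.search(headers.get(name, ""))
        if match:
            return match.group(1)
    return None


def assess(raw_response: str) -> dict:
    """Summarise what the response reveals about the PHP build."""
    version = advertised_php_version(parse_headers(raw_response))
    return {
        "php_version": version,
        "backdoored_build": version is not None and version.lower() == BACKDOORED_VERSION,
        # Any -dev build is a pre-release that should not be on a production host.
        "dev_build": version is not None and version.lower().endswith("-dev"),
    }


# Constructed sample responses (not captured from the target).
SAMPLE_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "\r\n"
)
SAMPLE_SILENT = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for label, response in (("vulnerable", SAMPLE_VULNERABLE),
                            ("ok", SAMPLE_OK),
                            ("silent", SAMPLE_SILENT)):
        print(label, assess(response))
```

The check is deliberately header-only: it tells you a host is advertising the bad build, but a host with expose_php off can still run it, so the version string is a triage signal rather than proof of absence.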
Running the exploit and entering the address of the server when prompted gives us a shell as the user james.
Next we notice that /home/james/.ssh contains an id_rsa key pair. We can create an authorized_keys file and echo the contents of id_rsa.pub into it. This gives us SSH access without knowing the password of the user james.
Once in by SSH we check sudo -l for sudo permissions.
We see we can run the knife binary as root without specifying a password. Looking at GTFOBins we see this can be used with sudo to escalate privileges.
GTFOBins: https://gtfobins.github.io/gtfobins/knife/
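The root cause here is a passwordless sudo rule for a binary that can spawn a shell, which is exactly the kind of rule an administrator should be auditing for. The sudoers audit below is an added example, not part of the original writeup; the watchlist is constructed and seeded only with knife (the binary from this box), and the sample sudoers text is constructed as well.

```python
"""Added example (not from the original writeup): parse sudoers-style
rules and report passwordless (NOPASSWD) rules that run as root,
flagging commands on a watchlist of binaries known to spawn a shell.

Assumptions: the watchlist is constructed for this example and holds only
knife, the binary from the writeup; an administrator would extend it from
the GTFOBins catalogue. The sample sudoers text is also constructed.
"""
import os
import re

# Tags that may prefix a command in a sudoers command list.
TAG_RE = re.compile(
    r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):"
)
# user  hosts=(runas) spec
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)
SHELL_CAPABLE = {"knife"}  # constructed watchlist; extend from GTFOBins


def parse_sudoers(text: str) -> list:
    """Return a list of rules; each command carries its own NOPASSWD state."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias", "@include")):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        # A tag applies to the command it precedes and every later one
        # in the list until another tag changes it.
        nopasswd = False
        commands = []
        for chunk in match.group("spec").split(","):
            for tag in TAG_RE.findall(chunk):
                if tag == "NOPASSWD:":
                    nopasswd = True
                elif tag == "PASSWD:":
                    nopasswd = False
            cmd = TAG_RE.sub("", chunk).strip()
            if cmd:
                commands.append((cmd, nopasswd))
        runas = (match.group("runas") or "root").split(":")[0].strip()
        rules.append({"user": match.group("user"), "runas": runas, "commands": commands})
    return rules


def audit(text: str, watchlist=SHELL_CAPABLE) -> list:
    """Return (user, command, severity) for each passwordless root-capable command."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["runas"] not in ("ALL", "root"):
            continue
        for cmd, nopasswd in rule["commands"]:
            if not nopasswd:
                continue
            binary = os.path.basename(cmd.split()[0])
            # Unrestricted ALL or a known shell-spawning binary is the worst case.
            severity = "critical" if cmd == "ALL" or binary in watchlist else "review"
            findings.append((rule["user"], cmd, severity))
    return findings


# Constructed sample sudoers (not taken from the target).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
james   ALL=(ALL) NOPASSWD: /usr/bin/knife   # the rule from the writeup
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/systemctl restart backup
"""

if __name__ == "__main__":
    for user, cmd, severity in audit(SAMPLE_SUDOERS):
        print(f"{severity:8} {user:8} {cmd}")
```

Run this against a copy of /etc/sudoers and the files under /etc/sudoers.d; anything reported as critical is a direct path from that user to root, and anything under review should be checked against GTFOBins before the rule is kept.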