Knife HTB Writeup — In Short
Scanning
Nmap port scan
Nmap version detection
COMMAND :-
OUTPUT :-
The versions do not seem to be vulnerable.
Enumerate port 80
On analyzing the source code of this page we get nothing special.
Dirsearch :
Didn't get anything useful; /index.php/login again redirects us to the index page.
Gobuster :-
Didn't get any directory with the 2.3-medium wordlist.
Whatweb :-
We get the version of Apache, which is not vulnerable, and the version of PHP.
Let's search for the PHP version 8.1.0-dev.
We get one exploit
Copy the exploit into a Python file and run it.
The command runs successfully on it.
nc is available, so use a reverse shell to get a connection.
The netcat rm shell works on it.
We get a shell as the james user; it is not a TTY, so convert it into one.
Get the user flag.
Now we have to root this machine; use sudo -l to see which sudo permissions are available.
Knife is available. Running it shows lots of commands to run, but the most interesting one is exec, which means it may execute something.
Search on Google for this.
We can run a Ruby file with this command, so it means we can run a Ruby script with sudo privileges. Let's search for a Ruby reverse shell.
Download it, change the LHOST and LPORT inside the script, and place the shell on the target using a Python HTTP server.
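From the defender's side, the root path above comes down to one sudoers entry: a non-root user allowed to run, without a password, a binary whose exec subcommand executes a caller-supplied Ruby file. The script below is an added example (not part of the writeup and not the machine's real configuration) that parses a constructed sudoers file and flags exactly that class of grant. The sample sudoers content, the james/knife line and the ARBITRARY_EXEC set are assumptions made for illustration; extend the set with your own environment's list of code-executing binaries.

```python
import re
from typing import Dict, List

# Constructed sample, not the target's real /etc/sudoers. The james/knife line
# mirrors the grant the writeup describes; the other entries are made up.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender . /srv/
"""

# Binaries that run caller-supplied code: `knife exec` runs an arbitrary Ruby
# script, so a root grant on it is equivalent to a root shell. Assumed list;
# add the code-executing tools present in your own environment.
ARBITRARY_EXEC = {"knife"}

# user  host = (runas) [TAG: ...] command[, command]
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?PASSWD:\s*|(?:NO)?EXEC:\s*|(?:NO)?SETENV:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Dict]:
    """Parse user-specification lines into dicts; skips comments and Defaults."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> user part only; a missing runas defaults to root.
        runas = (m.group("runas") or "root").split(":")[0] or "root"
        entries.append({
            "user": m.group("user"),
            "runas": runas,
            "nopasswd": "NOPASSWD:" in (m.group("tags") or ""),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries


def audit_sudoers(text: str) -> List[Dict]:
    """Return non-root entries that grant root-equivalent execution, with reasons."""
    findings = []
    for e in parse_sudoers(text):
        if e["user"] == "root" or e["runas"] not in ("root", "ALL"):
            continue
        reasons = []
        for cmd in e["commands"]:
            prog = cmd.split()[0]
            if prog == "ALL":
                reasons.append("unrestricted command grant (ALL)")
            elif prog.rsplit("/", 1)[-1] in ARBITRARY_EXEC:
                reasons.append(f"{prog} executes caller-supplied code as {e['runas']}")
        if e["nopasswd"]:
            reasons.append("NOPASSWD: no credential check before the grant is used")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} -> {f['runas']:5} {', '.join(f['commands'])}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run it against a copy of a real sudoers file (and the files under /etc/sudoers.d) to get a quick list of grants worth reviewing; the james entry is reported with both reasons, which is the combination that turns a single service account into root.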
Now grab the reverse shell on the given port.
Finally we get the root user.