Nmap Scan: nmap -sC -sV -p- -oN knife.txt 10.10.10.242
So we have only two ports open: 22 for SSH and 80 for a web application.
Let’s analyze port 80 further.
We can observe that the server reports PHP 8.1.0-dev, which we already know from past experience is vulnerable to RCE. Still, as is basic CTF practice, every detail needs to be checked for known exploits, so we do a Google search.
The first result confirms that there is an RCE for this version.
From here we can download the script as a usual script kiddie.
Trying to run the script:
Okay, well, that was a piece of cake.
Now we have the user james.
Browse to /home/james and grab user.txt.
Now let's check which commands our user james is allowed to run with sudo.
We tried to run the command from this shell but kept getting errors, so let's switch to a more reliable shell, such as a netcat reverse shell.
First, set up a netcat listener in a separate tab with the command below:
nc -nlvp <port>   (any free port, e.g. 1111, 1234 or 8888)
And on the victim machine send the below command:
Now let's get back to the privilege escalation part. The sudo check shows /usr/bin/knife as a command that the james user can run with elevated privileges.
Now use the /usr/bin/knife command to get root shell.
sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"
Bingo, we're root now. Browse to the /root directory and grab the root flag as well.
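As an added defensive check that is not part of this writeup: the escalation above works because the sudo rule allows knife with no argument restriction, so its exec subcommand runs arbitrary Ruby as root. The script below audits sudoers-style lines for that pattern; the sample lines are constructed for illustration, not copied from the box.

```python
import os
import re

# Subset of the sudoers grammar: user host=(runas) TAG: cmd, cmd ...
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*"
    r"(?P<cmds>.+)$"
)

# Binaries with a code-execution subcommand; only knife is taken from this box
# (assumption: extend this table for your own environment).
CODE_EXEC_SUBCOMMANDS = {"knife": {"exec"}}

def audit_command(user, runas, cmd):
    """Return a finding if this command spec lets `user` run arbitrary code."""
    target = runas or "root"
    if cmd == "ALL":
        return f"{user}: ALL commands as {target}"
    tokens = cmd.split()
    binary, args = os.path.basename(tokens[0]), tokens[1:]
    subcommands = CODE_EXEC_SUBCOMMANDS.get(binary)
    if subcommands is None:
        return None
    if not args:  # no subcommand pinned: exec is allowed implicitly
        return f"{user}: {binary} unrestricted (allows {', '.join(sorted(subcommands))}) as {target}"
    if args[0] in subcommands or args[0] == "*":
        return f"{user}: {binary} {args[0]} allowed as {target}"
    return None  # subcommand pinned to something harmless

def audit_sudoers(lines):
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            finding = audit_command(m.group("user"), m.group("runas"), cmd.strip())
            if finding:
                findings.append(finding)
    return findings

# Constructed sample lines (not the box's real sudoers file).
SAMPLE = [
    "Defaults env_reset",
    "james ALL=(root) NOPASSWD: /usr/bin/knife   # unrestricted, flagged",
    "james ALL=(root) /usr/bin/knife node list   # pinned subcommand, fine",
    "ops   ALL=(ALL) ALL",
]
```

Running audit_sudoers(SAMPLE) flags the unrestricted knife rule and the blanket ALL rule; the fix is to pin the rule to the specific subcommand the user actually needs.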