kedaegan.github.io

Knife

Enumeration

Ports and Services

Software Installed:

Nmap Scan Results:

Initial Foothold

The version of PHP is vulnerable to RCE.
URL: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Basically, add User-Agentt: zerodiumsystem('COMMAND'); to the request headers. It was a backdoor added to the PHP source code in March and has since been fixed.
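
A defender-side check for the trigger described above, as an added example that is not part of the original write-up: it parses raw HTTP request heads and flags the misspelled User-Agentt header. The sample requests, host name and function names are constructed for illustration, and the 8.1.0-dev version string is taken from the linked URL.

```python
import re

# Constructed sample traffic (raw HTTP request heads), not captured from the box.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agentt: zerodiumsystem('COMMAND');\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.example\r\nuser-agentt:  zerodiumecho 1;\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agentt: curl/8.0\r\n\r\n",
]

TRIGGER_HEADER = "user-agentt"  # misspelled header name; no legitimate client sends it
MARKER = "zerodium"             # marker string that precedes the code in the value


def parse_headers(raw: bytes):
    """Return (lowercased name, stripped value) pairs from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def classify(raw: bytes) -> str:
    """'exploit': trigger header with marker; 'suspicious': header alone; else 'clean'."""
    values = [v for n, v in parse_headers(raw) if n == TRIGGER_HEADER]
    if any(MARKER in v for v in values):
        return "exploit"
    return "suspicious" if values else "clean"


def is_dev_build_banner(x_powered_by: str) -> bool:
    """Inventory check: an X-Powered-By of PHP/8.1.0-dev warrants review of the build."""
    return re.fullmatch(r"PHP/8\.1\.0-dev", x_powered_by.strip(), re.I) is not None


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), "<-", req.split(b"\r\n")[0].decode())
```

Standard access logs do not record this header, so the check has to run where full request headers are visible, such as a reverse proxy or packet capture.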

Retrieved the SSH private key of James:

Before attempting SSH, I copied /home/james/.ssh/id_rsa.pub to /home/james/.ssh/authorized_keys.

User.txt Proof Screenshot

Privilege Escalation

Sudo -l:

Looks like they are using chef-workstation


https://docs.chef.io/platform_overview/

Chef runs on Ruby.
Put test code into a Ruby script and executed it:

system('/usr/bin/id')

Grabbed a shell

system('/bin/bash')

Root Screenshot Here: