Knife - [HTB]
![Cover Image for Knife - [HTB]](/assets/images/blog/Knife-htb/Knife.png)

Introduction
Knife is an easy Linux machine from HackTheBox where the attacker obtains a reverse shell through a PHP backdoor, getting the user flag. Finally, the attacker has to use the tool knife in order to obtain a shell as root.
Enumeration
As always, let's start by finding all open ports on the machine with nmap.
Then, we continue with a deeper scan of each open port, getting more information about each service.
Taking a look at the technologies used by the web page, we can see that it uses PHP 8.1.0.

This version became famous because some cyber criminals inserted a backdoor into the PHP source code. You can read the story here.
In order to check if this machine is vulnerable, you can intercept and modify the request with Burp, adding the header `User-Agentt` with the value `zerodiumvar_dump(3*3);`.
The result of the operation.
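From the defender's side, the same header is a reliable detection signal. The following is an added example, not part of the original write-up: it parses raw HTTP requests (for instance, as captured at a reverse proxy) and flags the misspelled `User-Agentt` header. Treating the `zerodium` prefix of the test value above as the marker is an assumption, and the sample requests and hostnames are constructed.

```python
# Added example (not from the original write-up): detect the trigger header.
TRIGGER_HEADER = "user-agentt"  # misspelled header name given on the page
MARKER = "zerodium"             # assumption: prefix of the page's test value

def parse_headers(raw_request):
    """Return (name, value) pairs from the head of a raw HTTP/1.x request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:            # skip the request line
        if line[:1] in (" ", "\t") and headers:  # obsolete folded continuation
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def inspect_request(raw_request):
    """Classify a request as 'trigger', 'suspicious-header' or 'clean'."""
    for name, value in parse_headers(raw_request):
        if name.lower() != TRIGGER_HEADER:       # header names are case-insensitive
            continue
        if value.lower().startswith(MARKER):
            return {"verdict": "trigger", "code": value[len(MARKER):]}
        return {"verdict": "suspicious-header", "code": None}
    return {"verdict": "clean", "code": None}

# Constructed sample requests (hostnames and paths are made up).
SAMPLES = [
    "GET / HTTP/1.1\r\nHost: knife.example\r\n"
    "User-Agentt: zerodiumvar_dump(3*3);\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: knife.example\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: knife.example\r\n"
    "user-agentt: probe\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(inspect_request(raw))
```

Standard access-log formats do not record arbitrary request headers, so this check needs full request capture or a proxy/WAF rule that matches on the header name.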
Exploitation
Because it is PHP we can use some functions in order to execute shell commands.
Request:
Response:
To obtain a reverse shell and, with it, the user flag, you need to use the following command.
Privilege escalation
As we can see, we can execute the /usr/bin/knife file as root without a password.
knife is a command-line tool written in Ruby that provides an interface between a local chef-repo and the Chef Infra Server.
After reading the documentation, we can find out how to execute commands on the victim machine. The command is the following.