Welcome to my first HTB walkthrough post. In this post, I will discuss how I owned this machine in less than 10 minutes. The machine is very beginner-friendly: it tests your Google search skills and is based on exploiting a very trivial vulnerability that leads to compromising the server.
Link to the machine: https://app.hackthebox.eu/machines/Knife
I used Nmap first to find open ports and services:
nmap -d -p- -Pn -sV -T4 10.10.10.242
From experience, I don't usually find much information on SSH, so let's skip it and focus on the HTTP port for now.
On checking this application and running DirBuster with the most common 1000 directories and files, I found nothing. That means we need to enumerate the service further.
Let's start with the HTTP headers. If you are new to recon using Nmap, I have already written some articles on Secjuice. Feel free to read those after this.
nmap -p80 --script http-headers 10.10.10.242
Everything seems OK, but the -dev in the PHP version looked juicy, so I searched Google for it.
The first link was sufficient for exploiting this service.
Clone the GitHub repository and execute the following file:
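The header check above is also useful from the defending side: a server advertising a development or pre-release PHP build in its response headers is something an inventory scan should flag, because such builds are never meant to be exposed in production. The following is an added example written for this post, not code from the original walkthrough or from any tool it mentions. The raw responses are constructed samples (the "web-01" host mirrors the kind of X-Powered-By value this box exposes; the other hosts are hypothetical).

```python
import re

# Constructed sample HTTP responses for three hypothetical hosts; these were not
# captured from the machine. Apache with mod_php advertises the PHP version via
# X-Powered-By unless expose_php is turned off in php.ini.
SAMPLE_RESPONSES = {
    "web-01": ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
               "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n"),
    "web-02": ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
               "X-Powered-By: PHP/7.4.3\r\n\r\n"),
    "web-03": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

# "PHP/<version>" as it appears in Server or X-Powered-By headers.
PHP_VERSION_RE = re.compile(r"PHP/(\S+)", re.IGNORECASE)
# Markers of development or pre-release builds in a PHP version string.
PRERELEASE_RE = re.compile(r"(-dev|alpha|beta|rc)", re.IGNORECASE)


def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers):
    """Return the advertised PHP version string, or None if none is exposed."""
    for name in ("x-powered-by", "server"):
        match = PHP_VERSION_RE.search(headers.get(name, ""))
        if match:
            return match.group(1)
    return None


def assess(raw):
    """Classify one response as ('prerelease'|'release'|'none', version)."""
    version = php_version(parse_headers(raw))
    if version is None:
        return ("none", None)
    if PRERELEASE_RE.search(version):
        return ("prerelease", version)
    return ("release", version)


def audit(responses):
    """Return {host: version} for every host exposing a pre-release PHP build."""
    findings = {}
    for host, raw in responses.items():
        status, version = assess(raw)
        if status == "prerelease":
            findings[host] = version
    return findings


if __name__ == "__main__":
    for host, version in audit(SAMPLE_RESPONSES).items():
        print(f"{host}: pre-release PHP build exposed ({version})")
```

Running the script prints only web-01. On the hardening side, the same signal disappears (and the attack surface is not advertised) when expose_php is set to Off in php.ini and ServerTokens is set to Prod in Apache, but hiding the banner is no substitute for not running a development build on an exposed host.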
$ python3 backdoor_php_8.1.0-dev.py
You can go ahead and retrieve the flag.
My first technique from the Linux toolbox is to check and abuse sudo misconfigurations. To check the current user's permissions, use
Searching Google again, I found that knife is an automation framework created by the Chef team and written in Ruby. I also found that you can execute any Ruby script with it.
Now all you have to do is:
- Get an interactive shell, use
- Save the Ruby file to spawn a shell (https://netsec.ws/?p=337)
- Execute it with sudo to get an escalated shell
- Retrieve the flag of the root user
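The privilege escalation works because a sudo rule hands a low-privileged user a tool that evaluates arbitrary Ruby as root. An administrator can catch that class of rule before an attacker does by auditing the sudoers file for commands that execute code or spawn shells. The script below is an added example for this post, not code from the walkthrough or from Chef; the sudoers excerpt and usernames (deploy, ops, webops) are constructed for illustration and do not come from the machine, and the list of risky binaries is a small illustrative subset.

```python
import os
import re

# Constructed /etc/sudoers excerpt; usernames and paths are hypothetical. The
# "deploy" rule models the kind of entry this box relies on: a user may run an
# automation tool as root, and that tool can execute any Ruby script.
SAMPLE_SUDOERS = """\
# /etc/sudoers excerpt (constructed)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ops     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/knife
webops  ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Binaries that execute arbitrary code or spawn a shell when run via sudo
# (illustrative subset; knife runs arbitrary Ruby via its exec subcommand).
CODE_EXEC_BINARIES = {"knife", "ruby", "python", "python3", "perl",
                      "bash", "sh", "vim", "find", "awk", "env"}

# Tags that may prefix a command in a sudoers command list.
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:")

# user  hosts=(runas) commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_sudoers(text):
    """Return a list of (user, runas_user, nopasswd, command) entries."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        runas = (match.group("runas") or "root").split(":")[0]
        nopasswd = False  # tags persist across the rest of the command list
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            stripped = True
            while stripped:
                stripped = False
                for tag in TAGS:
                    if cmd.startswith(tag):
                        if tag == "NOPASSWD:":
                            nopasswd = True
                        elif tag == "PASSWD:":
                            nopasswd = False
                        cmd = cmd[len(tag):].strip()
                        stripped = True
            rules.append((match.group("who"), runas, nopasswd, cmd))
    return rules


def audit_sudoers(text):
    """Return (user, command, reason) for rules that grant root code execution."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        if user == "root" or runas not in ("root", "ALL"):
            continue
        suffix = " without a password" if nopasswd else ""
        if cmd == "ALL":
            if nopasswd:
                findings.append((user, cmd, "unrestricted sudo" + suffix))
            continue
        # Argument restrictions do not make a code-executing binary safe, so
        # the binary name alone decides here.
        binary = os.path.basename(cmd.split()[0])
        if binary in CODE_EXEC_BINARIES:
            findings.append(
                (user, cmd, f"{binary} can execute arbitrary code as {runas}" + suffix))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

On the sample, only the ops and deploy rules are reported; the %admin group rule (password required) and the webops rule (a fixed service restart) are not. The remediation for the knife case is to not grant sudo on a tool that evaluates arbitrary scripts at all, rather than trying to constrain its arguments.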
To learn more about how sudo works and how misconfigurations in the sudoers file are exploited, I would recommend reading these two posts: Understanding sudo in Linux and Exploiting Sudo Misconfigurations.