Box Info
  • Name: Knife
  • OS: Linux
  • Difficulty: Easy
  • IP: 10.10.10.242
  • Points: 20
  • Machine Creator: MrKN16H

Introduction

Knife is a fun box which uses a PHP version having backdoor, which leads to RCE.

The box has a command named knife which lets non-superusers run commanad as root.


Enumeration

$ nmap -sC -sV -oA nmap 10.129.119.63
# Nmap 7.80 scan initiated Sun May 23 08:04:02 2021 as: nmap -sC -sV -oA nmap 10.129.119.63
Nmap scan report for 10.129.119.63
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 23 08:04:23 2021 -- 1 IP address (1 host up) scanned in 21.42 seconds

Nmap revels that SSH and Apache (2.4.41) are available on their default ports.

Let’s visit the website on port 80.

knife.htb on port 80

Surfing the website we don’t find anything interesting, as this is the only page we have here!!

But fetching with cURL shows us that the website id powered by PHP/8.1.0-dev

knife-php-8.1.0dev


Foothold

On searching for PHP/8.1.0-dev reveals that

PHP verion 8.1.0-dev was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. 1

We have an RCE for PHP 8.1.0-dev here: https://www.exploit-db.com/exploits/49933

Downloading the script and running it on out target we get shell, with user james

RCE with shell of user james


Lateral Movement

Now that we have shell into the box, we add ourself to the .ssh/authorized_keys file 2 so that we can log in as user james via SSH

We do this by putting our public copy ssh-key (for ex. .ssh/id_rsa.pub) into /home/james/.ssh/authorized_keys.

$ echo "ssh-rsa AAAAB██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████= kali@kaliubuntu" >> /home/jame/.ssh/authorized_keys

We can now login via SSH. as ssh james@knife.htb

We can now read the user.txt from james’s home direcory, /home/jame/user.txt

user.txt


Privilege Escalation

To list user’s privileges we use sudo -l or sudo --list 3

output of sudo -l

We see that we can run the command /usr/bin/knife as root without entering any password.

On running /usr/bin/knife -h we see a list of available sub-commands which we can use with knife. There is a command exec with which we can invoke other commands.

So, we run sudo knife exec then type exec "/bin/bash" to get the shell as root! We can now read root.txt flag.


  1. https://flast101.github.io/php-8.1.0-dev-backdoor-rce/ ↩︎

  2. https://www.ssh.com/academy/ssh/authorized-keys-file ↩︎

  3. https://explainshell.com/explain?cmd=sudo+-l ↩︎