HTB: Knife Walkthrough

Platform: Hack the Box
Link: https://www.hackthebox.com/machines/knife
Difficulty: Easy 🟠

Enumeration

As usual, start with nmap.

nmap -A -T5 -sV -sT knife.htb -oN nmap-knife.txt
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp    open     http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
3158/tcp  filtered stvp

Port 80 is open. The hosted website is just a static page with nothing special to find, so let's see what's running under the hood.

PHP 8.1.0 DEV looks interesting, so let's see if there is a vulnerability.

https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/README.md

An exploit for that can easily be found with searchsploit.

Shell

Unfortunately, the shell is not very stable and you can’t change directories. However, you can still view files from other directories using cat, which allows you to obtain the user flag.

Root-Shell

I made several attempts to use the exploit from GTFO Bins by copying files to the system and executing them as a Ruby script. Unfortunately, it didn’t work.

https://gtfobins.github.io/gtfobins/knife

The conclusion is that a more stable shell is needed. After taking another look around the system, I found James’s SSH key. By adding it to the list of authorized keys, I was able to successfully connect to the system via SSH.

The new shell is stable enough to run the GTFO Bins exploit successfully, which results in gaining a root shell.
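
The step that turned the unstable web shell into an SSH session was a new entry in authorized_keys, and that change is easy to audit for. The following is an added example, not part of the original walkthrough: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports every entry that is not in an approved baseline or is malformed. The baseline set, the helper names and the sample keys are assumptions constructed for the illustration.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(
    r'(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))'
    r'\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$')

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (lineno, keytype, fingerprint, comment) per non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)  # search, so leading options are skipped
        keytype, b64, comment = m.groups() if m else (None, "", None)
        try:
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            embedded = blob[4:4 + n].decode("ascii")  # type name inside blob
        except (ValueError, struct.error):
            embedded = None
        if keytype is None or embedded != keytype:
            yield lineno, None, None, line  # malformed or mislabeled entry
            continue
        yield lineno, keytype, fingerprint(blob), comment or ""

def unexpected_keys(text: str, approved: set):
    """Entries whose fingerprint is not in the approved baseline."""
    return [e for e in parse_authorized_keys(text) if e[2] not in approved]

def _blob(keytype: str, material: bytes) -> str:
    """Build a constructed wire-format key blob for the sample below."""
    t = keytype.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return base64.b64encode(raw).decode()

ADMIN = _blob("ssh-ed25519", b"\x01" * 32)   # constructed, not a real key
ADDED = _blob("ssh-ed25519", b"\x02" * 32)   # constructed, not a real key
SAMPLE = f"""# constructed sample authorized_keys
ssh-ed25519 {ADMIN} admin@example
no-pty,command="/bin/true" ssh-ed25519 {ADDED} added-later
ssh-rsa {ADMIN} mislabeled
"""
APPROVED = {fingerprint(base64.b64decode(ADMIN))}
```

Run against each account's authorized_keys on a schedule, any returned entry is either a key nobody approved or a line that sshd would not parse as declared.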
