In this post, I would like to share a walkthrough of the Knife machine.

This machine is rated as EASY difficulty.

Information Gathering on knife machine

Once the VPN connection is up, we can start information gathering on the machine by running nmap -sC -sV <IP Address> -PN

From the result, we got a few ports open such as:

  • 22: OpenSSH 8.2p1
  • 80: Apache httpd 2.4.41

We need to map the machine's hostname, knife.htb, to its IP address (for example in /etc/hosts) so the browser can reach it by name.

Let's open the browser and go straight to the website.

Nothing of interest is visible on the website itself.

Let's run nikto to get a clearer enumeration of the machine. From the nikto result, we notice that PHP/8.1.0-dev is running on the server.

Gaining Access on knife machine

Let's do some research on PHP/8.1.0-dev, though at first we didn't find anything useful.

Let's keep digging.

Source: vulhub/README.zh-cn.md at master · vulhub/vulhub (github.com)

I found a GitHub repository that explains how to exploit this version.

Following that GitHub write-up, we can execute commands through Burp Suite using the vulnerability it describes.

The vulnerability we found is triggered by the request header User-Agentt: zerodiumsystem('any command');

To make sure it works, let's test with User-Agentt: zerodiumsystem('id'); as shown in the screenshot above.

From the output of that command, we learn that james is a user configured on the machine.

Let's replace the ('id'); part with a command that installs our own SSH public key, so that we can access the machine over the SSH service.

Before running ssh -i id_rsa james@knife.htb, we need to set permission 600 on id_rsa, otherwise ssh will refuse to use the key because its permissions are too open.

We can read the user flag by executing the command "cat user.txt"
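The User-Agentt/zerodium trigger described above is easy to spot from the server side. The following is an added example, not code from the original post: it scans constructed HTTP header records, in the form a reverse proxy or WAF audit log would store them, and flags requests carrying that header as well as responses advertising the backdoored PHP/8.1.0-dev build.

```python
import re
from typing import Dict, List

# Constructed sample records in the form a reverse proxy or WAF audit log
# stores raw header blocks; none of this is captured traffic.
SAMPLE_RECORDS = [
    "GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: knife.htb\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: knife.htb\r\nuser-agentt: ZERODIUMvar_dump(1);\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/8.1.0-dev\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n\r\n",
]

HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def parse_headers(record: str) -> Dict[str, str]:
    """Header fields of a raw HTTP header block; names lower-cased since HTTP names are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in record.split("\r\n")[1:]:   # skip the request/status line
        if not line:                         # blank line ends the header block
            break
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers


def classify(record: str) -> List[str]:
    """Indicators found in one record; an empty list means nothing suspicious."""
    headers = parse_headers(record)
    findings: List[str] = []
    # Request side: the backdoor keys on a header literally named User-Agentt
    # (two t's) carrying the string "zerodium", as described in the post.
    if "zerodium" in headers.get("user-agentt", "").lower():
        findings.append("backdoor-trigger:user-agentt")
    # Response side: the server advertising the backdoored development build.
    if headers.get("x-powered-by", "").startswith("PHP/8.1.0-dev"):
        findings.append("backdoored-php:8.1.0-dev")
    return findings


def scan(records: List[str]) -> Dict[int, List[str]]:
    """Map record index -> findings, for every record that raised at least one."""
    out: Dict[int, List[str]] = {}
    for i, r in enumerate(records):
        found = classify(r)
        if found:
            out[i] = found
    return out


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_RECORDS).items():
        print(f"record {idx}: {', '.join(found)}")
```

Any hit on the request-side indicator is worth an alert on its own, since no legitimate client sends a User-Agentt header.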

Escalate to Root Privileges

The first thing I normally do is run sudo -l to see what we are allowed to run with sudo (in this case we found /usr/bin/knife) that we can use for further escalation.

If you run /usr/bin/knife in your terminal, it shows all the subcommands that knife supports.

We can use sudo knife exec, which will ask us to "Type here a script"

We can insert a script that installs our own SSH public key, so that we can access the machine as root over the SSH service.

Let's connect to the machine over SSH; we managed to get in, as shown in the screenshot above.

We can read the root flag by executing the command "cat root.txt"

-THE END-

Happy Learning, Guys!

Extra Information

We can go to /etc/shadow to unlock the write-up
