026#:HTB - Knife
It feels like I haven’t hacked in ages at this point. Checking my post history, I haven’t done a room in over a month (since I started working on the WiFi Pineapple). Let’s see how rusty I got in that time.
Only two ports open. Not much to do besides starting a directory scan and begin checking out their website.
Our first gobuster scan didn’t return anything useful, so I resorted to just exploring the site and its source code. There was some JS in there for visual effects but I don’t think I see anything usable here. With lack of direction, I ran another gobuster scan with a larger wordlist. While that ran, I also started looking into vulns for MikroTik but didn’t find anything that applies to the version we discovered.
I am probably missing something obvious, but after a while of getting nowhere I used the guided questions to get me back on track. Task 2 asks us about the version of PHP used. I found this info by intercepting the response in Burpsuite.
I checked searchsploit for anything against ‘php 8.’ which produced a landslide of results. I ran my search again against ‘php 8.1.0-dev’ and got a more managable response.
One of these actually hits on the full string we provided, and it’s a RCE exploit. Seems like a good place to start. I copied the exploit to my local directory and began reviewing it. The first time it failed but then I was able to get initial access with it.
I can’t seem to change my directory but I’m able to poke around a little still. I found the first flag in the /home/james/ directory.
I checked what sudo permissions our user has and it looks like we can run /usr/bin/knife as admin. Let’s go see what knife is.
The full file is tool large to fit in a single pic. I’m not entirely sure what I am looking at, but it looks like it might be a real application and not something made for this room. I started looking into knife on Linux and found this. It looks like it is a part of the Chef app, and with that in mind I can confirm mentions of Chef in the file. Now let’s try to find the version since this is probably our privilege escalation path.
That was easy enough. I originally started looking for vulns, but then decided to try to just edit the knife file myself. This failed and I started reading more about Knife on their documentation page I linked earlier. This entry seemed like it could be abused to get us a reverse shell.
I grabbed pentestmonkey’s Ruby reverse shell script and tried a few times to get it to execute without luck. I decided to check GTFOBins and it turns out I was very close to getting there on my own, my syntax was wrong though. I also didn’t need to try to do a reverse shell since I could just launch a shell as root.
This doesn’t work though and after some tinkering I am left thinking that it’s our session that is causing my issue now. I tried again for a reverse shell but ended up just making an ssh key instead.
Now that we are back in, let’s see if our privilege escalation will work.
As we see, it worked and we got our final flag. This definitely highlights the importance of stabilizing or upgrading your shell session where possible.