HackTheBox-Knife

Hello everyone , in this post I will be sharing my writeup for HTB Knife machine which was an easy linux machine but was a bit tricky to find the foothold as the web page didn’t had anything except for a static html page , so looking at the response headers it revealed the PHP version which was 8.1.0-dev which recently had a backdoor in it’s github repo by malicious attackers by adding “User-Agentt: zerodium” in the request headers which would allow us to execute any php code , that gave us the foohold then after getting on the machine we were user “james” which had sudo permissions to run a binary called “knife” through which we can execute ruby scripts or commands and get a shell as root .

NMAP

PORT 80 (HTTP)

On the webserver we only get a static web page

I didn’t find anything on the site, it’s a php page so I tried default parameters but it didn’t work too so I ran a nikto scan which is useful for identifying vulnerabilites on web server

Nikto

On running nikto , I came to know the version of php it's using which is PHP/8.1.0-dev

On march 2021 this version was implanted with a backdoor which is discovered and removed the github repo,attacker can execute arbitrary code by sending the User-Agentt header

https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

So let’s test this by following what’s in the github repo

https://www.zdnet.com/article/official-php-git-server-targeted-in-attempt-to-bury-malware-in-code-base/

This works, according to the findings ,the User-Agnett header needs zerodium and after that we can supply php commands so we could execute commands and get RCE

We can grab the id_rsa from james's home folder

But the ssh key doesn’t work, so replace the public ssh key

Also add that public key to authorized_keys

Doing sudo -l we can see what we can run as sudo

Let’s see the help menu for knife

If we scroll down a little we can that we can execute ruby scripts meaning we can run shell commands

So I added my public ssh key in /root/.ssh/authorized_keys/ . we could have gotten a reverse shell or made bash SUID

Getting a reverse shell

BS CS undergraduate | CTF Player