
HackTheBox Knife Writeup


Hello, Hackers!! In this blog post we will solve the HackTheBox machine Knife. I enjoyed solving the machine myself, and now I want to guide you if you're stuck. This box was created by MrKN16H7. Without wasting time, let's get into the box.

Enumeration

Remember, for every machine you want to solve, the first thing to do is a port scan. This is the first rule of solving boxes. Enough with beginner tips.
I used rustscan for port scanning; it's much faster than nmap.


So we have two ports open: 22 (SSH) and 80 (HTTP). Let's visit the web service on port 80.


This looks like a hospital webpage, but it has no other directories linked, which is weird for a website. Let's search for directories. I used gobuster:
 $ gobuster dir -w .........../common.txt -u http://10.10.10.242/ 
Sadly, we found nothing but an index.php file. Burp Suite can help here: it quietly maps out directories in the background as you browse the site.


It also found nothing. But if you look at the HTTP response for the URL, you will see something interesting.


There is a header named X-Powered-By and its value is "PHP/8.1.0-dev". We should google it; if we are lucky we can find a vulnerability or an exploit.

We found one: this version has an RCE vulnerability. We also found a GitHub repository containing a Python reverse shell for this version of PHP. Copy the code to your system and check the script's help menu. It takes the target URL, the attacker IP and the attacker port.
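From the defender's side, the finding above is a banner problem before it is anything else: a server should not be telling the world it runs a development build of PHP, let alone the 8.1.0-dev one. The following Python is an added example (not code from the original post or from the exploit repository) that parses a raw HTTP response and classifies what the X-Powered-By header reveals, the kind of check you would run over captured responses from your own fleet. The response below is constructed for the example.

```python
import re

# Constructed raw HTTP response, modelled on the header the writeup finds
# (X-Powered-By: PHP/8.1.0-dev); it is not a capture from the box.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value}).
    Header names are case-insensitive, so lookups normalise to lower case."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def php_version(headers):
    """Return the PHP version string advertised by X-Powered-By, or None."""
    m = re.search(r"PHP/([0-9][\w.\-]*)", headers.get("x-powered-by", ""))
    return m.group(1) if m else None


def assess(raw):
    """Classify one response the way a fleet audit would: does it disclose a
    PHP version, is that a development build, and is it the 8.1.0-dev build
    with the known remote code execution?"""
    _, headers = parse_headers(raw)
    version = php_version(headers)
    return {
        "php_version": version,
        "version_disclosed": version is not None,
        "dev_build": version is not None and version.endswith("-dev"),
        "known_rce_build": version == "8.1.0-dev",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The fix on the server side is twofold: run a released PHP version rather than a -dev build, and set expose_php = Off in php.ini so the X-Powered-By header is not sent at all.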


We also have to set up a listener on our machine.
 $ nc -lvnp 1234 


And we got a shell!! It looks like the shell runs as the user james, so we can grab the user flag from here easily.



Privilege Escalation

Now we have to get root access to find the root flag. At first I copied james's SSH private key and tried to crack it with john, but it took a long time, so I assume it didn't work. Then I tried another way: I copied my own machine's public key and wrote it into james's authorized_keys on the target with echo, so that the SSH server accepts my key. Using >> appends the key instead of overwriting any keys already in the file.
 $ echo "Your_Public_key" >> ~/.ssh/authorized_keys 


Now connect to the target over SSH using your private key.
 $ ssh james@10.10.10.242 -i ~/.ssh/id_rsa 


Bingo!!! We're in as james. Let's look for a hole in the system. If you run the sudo -l command, you will find something interesting.


The entry is a binary, /usr/bin/knife, and it has a big help menu. After reading the menu and some googling, I found that it can read a config file written in Ruby and also execute a Ruby file, using the knife exec command. So I wrote a one-line Ruby file which just executes /bin/bash. If you search GTFOBins, you can see that running knife with sudo lets you spawn /bin/bash as root.
 $ nano file.rb 
      exec("/bin/bash") 
Then save the file and run it with sudo.
 $ sudo /usr/bin/knife exec file.rb 
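The root cause here is a sudo rule that hands james a binary capable of executing arbitrary code. As an added defender-side example (not from the original post), the following Python audit parses sudoers-style user-spec lines and flags any non-root principal allowed to run, as root, either ALL or a binary that executes code on the caller's behalf, which is exactly the hole knife exec opens. The sudoers excerpt and the binary list are constructed for the example; a real audit would populate the list from GTFOBins' sudo entries.

```python
import os
import re

# Constructed sudoers excerpt for this example (not copied from the box).
# The james line mirrors the kind of rule that sudo -l reveals in the writeup.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
%admin  ALL=(ALL) ALL
"""

# Binaries that run arbitrary code for whoever may sudo them (knife exec
# evaluates any Ruby file). Assumed short list for the example; a real audit
# would build it from GTFOBins.
CODE_EXEC_BINARIES = {"knife", "ruby", "python3", "bash", "sh"}

# user-spec:  who  host = (runas) [TAG:] command[, command...]
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_spec(line):
    """Parse one sudoers user-spec line. Returns None for blanks, comments
    and Defaults lines; otherwise a dict with a (command, nopasswd) list."""
    text = line.split("#", 1)[0].strip()
    if not text or text.startswith("Defaults"):
        return None
    m = SPEC_RE.match(text)
    if not m:
        return None
    nopasswd = False
    commands = []
    for item in m.group("cmds").split(","):
        item = item.strip()
        # A tag such as NOPASSWD: or PASSWD: applies to this and later commands.
        while re.match(r"^[A-Z]+:", item):
            tag, item = item.split(":", 1)
            item = item.strip()
            if tag == "NOPASSWD":
                nopasswd = True
            elif tag == "PASSWD":
                nopasswd = False
        commands.append((item, nopasswd))
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",
        "commands": commands,
    }


def risky_rules(sudoers_text):
    """Return (who, command, nopasswd) for every rule that lets a non-root
    principal run a code-executing binary, or ALL, as root."""
    findings = []
    for line in sudoers_text.splitlines():
        spec = parse_spec(line)
        if spec is None or spec["who"] == "root":
            continue
        # (ALL), (root) and (ALL:ALL) all permit running as root.
        if spec["runas"].split(":")[0] not in ("root", "ALL"):
            continue
        for cmd, nopasswd in spec["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in CODE_EXEC_BINARIES:
                findings.append((spec["who"], cmd, nopasswd))
    return findings


if __name__ == "__main__":
    for who, cmd, nopasswd in risky_rules(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if nopasswd else "password required"
        print(f"{who}: may run '{cmd}' as root ({tag})")
```

Note that the rsync rule is not flagged: it is pinned to fixed arguments, which is what a sudo rule for an operational task should look like. A rule that grants a whole interpreter-like binary with no arguments, as the knife rule does, is equivalent to granting a root shell.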


Bang!!! We are groot (I mean root). You know where to find the root flag.


That's it for today. I'll see you in the next post. Happy Hacking😊😊
