Knife

Summary

Knife is an easy Linux box that is vulnerable to an old PHP backdoor and has a simple sudo privilege escalation.

Steps

Recon

The first step is always to run a port scan against the target. Most people use nmap, but I prefer rustscan because it is faster. Running rustscan shows that ports 22 and 80 are open.

rustscan -a 10.10.10.242
Results of rustscan

Typically, when only ports 22 and 80 are open, I focus on the web server first. One of the things I like to do is either use the browser extension "wappalyzer" or run the whatweb command against the web server to see which technologies it is running.

whatweb 10.10.10.242
http://10.10.10.242 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

In this instance we can see that it is running PHP version 8.1.0-dev, a development build known to contain a well-known backdoor. I used flast101's exploit from GitHub to gain user access to the machine.

Initial Access

Using the exploit, we are able to gain an interactive session on the target.

Exploiting the backdoor and gaining access as 'james'

Now that we have access, we can go to james' home directory and get the user flag:

Privilege Escalation

The privilege escalation for this box is fairly simple, and given away by the name of the box. Running sudo -l lists the commands the current user is allowed to run as root on the target.

results of sudo -l

In this case, james can run /usr/bin/knife as root without needing to enter a password. The listing also shows that this path is a symlink to another binary, /opt/chef-workstation/bin/knife.

After some research, I found that this binary is capable of running arbitrary commands, so running it as root essentially gives full access to the system.

sudo /usr/bin/knife exec "--exec '/bin/sh -i'"
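As an added example (not part of the original writeup), the script below audits sudo -l output the way a defender would review this box: it parses the command rules, resolves symlinks so the rule is judged against the real binary, and flags NOPASSWD rules on tools that execute arbitrary commands. The sample output is constructed, and the symlink resolver can be stubbed so the audit runs on a copy of the output rather than on the host itself.

```python
import os
import re

# Constructed sample of `sudo -l` output, modelled on the rule found on this box
# (not a capture from the machine itself).
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/whoami
"""

# Binaries that run arbitrary commands for whoever invokes them (knife exec, editors,
# shells). Assumption: an illustrative starter list; extend it from your own policy.
SHELL_CAPABLE = {"knife", "vi", "vim", "less", "find", "python3", "bash", "sh"}

# (runas) [TAG: ...] command   e.g. "(root) NOPASSWD: /usr/bin/knife"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return the command rules listed after 'may run the following commands'."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def assess_rule(rule, resolve=os.path.realpath):
    """List why a rule is risky. `resolve` follows symlinks; pass a stub when auditing
    output copied from another host."""
    findings = []
    cmd = rule["cmd"].split()[0]
    if cmd == "ALL":
        return [f"unrestricted: any command as {rule['runas']}"]
    target = resolve(cmd)
    if target != cmd:
        findings.append(f"{cmd} is a symlink to {target}; the rule covers whatever that path holds")
    if os.path.basename(target) in SHELL_CAPABLE:
        findings.append(f"{os.path.basename(target)} executes arbitrary commands, so this is full {rule['runas']} access")
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no password prompt, so any code running as this user inherits the rule")
    return findings


def audit(text, resolve=os.path.realpath):
    """Map each permitted command to its findings (an empty list means nothing flagged)."""
    return {r["cmd"]: assess_rule(r, resolve) for r in parse_sudo_l(text)}


if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE_SUDO_L).items():
        print(cmd, "->", "; ".join(findings) or "no finding")
```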
