
# Knife

## Summary

[Knife](https://app.hackthebox.com/machines/Knife) is an easy Linux box that is vulnerable to an old PHP backdoor and has a simple sudo privilege escalation.

## Steps

### Recon

The first step is always to run a port scan against the target. Most people use nmap, but I prefer rustscan as it is faster. Running rustscan shows that ports 22 and 80 are open.

```
rustscan -a 10.10.10.242
```

<figure><img src="/files/V4SxhBALHEaKqHr8VbdQ" alt=""><figcaption><p>Results of rustscan</p></figcaption></figure>

Typically, when just ports 22 and 80 are open, I focus on the web server first. One of the things I like to do is either use the browser extension "Wappalyzer" or run the command `whatweb` against the web server to see what technologies it is running.

```
whatweb 10.10.10.242
```

```
http://10.10.10.242 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
```

In this instance we can see that it is running PHP version 8.1.0-dev, which is vulnerable to a well-known backdoor. I used [flast101's exploit from GitHub](https://github.com/flast101/php-8.1.0-dev-backdoor-rce) to gain user access to the machine.

### Initial Access

Using the exploit, we are able to gain an interactive session on the target.

<figure><img src="/files/AcTSJ9WNWq51yd5P7DKc" alt=""><figcaption><p>Exploiting the backdoor and gaining access as 'james'</p></figcaption></figure>

Now that we have access, we can go to james' home directory and get the user flag:

<figure><img src="/files/pzphEAPsKrmi4JsHACSy" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

The privilege escalation for this box is fairly simple, and is given away by the name of the box. By running `sudo -l`, we can see which binaries we are allowed to run on the target as root.

<figure><img src="/files/VD1ud7vNmxVAPxWBCg0f" alt=""><figcaption><p>results of <code>sudo -l</code></p></figcaption></figure>

In this case, we are able to run `/usr/bin/knife` as root without needing to know james' password. We can also see that this binary is a link to another binary, `/opt/chef-workstation/bin/knife`.

<figure><img src="/files/cq9oMbUcIQAuDKdZHoXj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/alJk0gNDz44x4014ZZT2" alt=""><figcaption></figcaption></figure>

After some research, I was able to find that this binary is capable of running arbitrary commands. So by running it as root, you essentially have full access to the system.

```
sudo /usr/bin/knife exec "--exec '/bin/sh -i'"
```

<figure><img src="/files/PiWK2bSjEzc94Wx5Ktqa" alt=""><figcaption></figcaption></figure>
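
Seen from the defending side, the sudo rule above is what an audit should catch: a passwordless rule whose target, after symlink resolution, is a tool that can run arbitrary commands. The script below is an added example, not part of the original write-up; the `WATCHLIST` entries other than `knife`, the function names and the sample `sudo -l` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag passwordless sudo rules that reach command-running tools.

# Basenames treated as "can run arbitrary commands". knife comes from this
# page; the rest are an assumed starter list to extend per environment.
WATCHLIST="knife sh bash python3 perl ruby vim find env"

# Follow symlinks when the path exists locally, otherwise return it unchanged.
resolve_path() {
    if [ -e "$1" ]; then readlink -f "$1"; else printf '%s\n' "$1"; fi
}

# Read `sudo -l` output on stdin; print "<runas> <listed> -> <resolved>" for
# every NOPASSWD command whose listed or resolved basename is on the watchlist.
audit_sudo_l() (
    set -f    # sudoers entries may contain wildcards; do not expand them
    grep 'NOPASSWD:' | while IFS= read -r line; do
        runas=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*\(([^)]*)\).*/\1/p')
        # One rule can list several comma-separated commands.
        printf '%s\n' "${line#*NOPASSWD:}" | tr ',' '\n' | while IFS= read -r cmd; do
            set -- $cmd                 # $1 = binary path, rest = arguments
            [ -n "${1:-}" ] || continue
            real=$(resolve_path "$1")
            for name in $WATCHLIST; do
                if [ "$(basename "$1")" = "$name" ] || [ "$(basename "$real")" = "$name" ]; then
                    printf '%s %s -> %s\n' "$runas" "$1" "$real"
                    break
                fi
            done
        done
    done
)

# Constructed sample modelled on what the page describes: james may run
# /usr/bin/knife as root without a password.
sample_sudo_l() {
    cat <<'EOF'
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status apache2
EOF
}

sample_sudo_l | audit_sudo_l
```

Because the check also compares the resolved basename, a rule that points at an innocuously named symlink to `knife` is flagged as well.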
