# Knife

## Summary

[Knife](https://app.hackthebox.com/machines/Knife) is an easy Linux box that is vulnerable to an old PHP backdoor and has a simple sudo privilege escalation.

## Steps

### Recon

The first step is always to run a port scan against our target. Most will use nmap, but I prefer rustscan as it is faster. Running rustscan, we see that ports 22 and 80 are open.

```
rustscan -a 10.10.10.242
```

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FUcVWCry6O4fDQsYjbMZO%2Fimage.png?alt=media&#x26;token=22a53235-82be-4192-9474-25f89e22d8da" alt=""><figcaption><p>Results of rustscan</p></figcaption></figure>

Typically, when just ports 22 and 80 are open, I focus on the webserver first. One of the things I like to do is to either use the browser extension "Wappalyzer" or run the command `whatweb` against the webserver to see what technologies it is running.

```
whatweb 10.10.10.242
```

```
http://10.10.10.242 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
```

In this instance we can see that it is running PHP version 8.1.0-dev, which is vulnerable to a well-known backdoor. I used [flast101's exploit from GitHub](https://github.com/flast101/php-8.1.0-dev-backdoor-rce) to gain user access to the machine.

### Initial Access

Using the exploit, we are able to gain an interactive session on the target.

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2Fd5oo6gQAAa70YennfUAQ%2Fimage.png?alt=media&#x26;token=401fc3a6-15a9-4f41-b492-86d94c92a6a7" alt=""><figcaption><p>Exploiting the backdoor and gaining access as 'james'</p></figcaption></figure>

Now that we have access, we can go to james' home directory and get the user flag:

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2F7FPRZuZeU9EEbS40VReN%2Fimage.png?alt=media&#x26;token=9cb76ff1-a197-4f38-932d-033ebbb93d46" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

The privilege escalation for this box is fairly simple, and given away by the name of the box. By running `sudo -l`, we can see which binaries the current user is allowed to run on the target as root.

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FHtaTh5uGYgx1WfR7b6KV%2Fimage.png?alt=media&#x26;token=de5eff29-3b2d-4932-b455-95ee5563f86d" alt=""><figcaption><p>results of <code>sudo -l</code></p></figcaption></figure>

In this case, we are able to run `/usr/bin/knife` as root, without needing to know james' password. We can also see that this binary is a link to another binary `/opt/chef-workstation/bin/knife`.

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FYy1p4XwTDQlQNOQ7671f%2Fimage.png?alt=media&#x26;token=bd4cf42b-e9e2-49d8-a6e1-ae5384acb349" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2Fn7OSU31EoJNGrBd7XKFi%2Fimage.png?alt=media&#x26;token=b413ed96-d807-4320-83a8-f1299adbf2e9" alt=""><figcaption></figcaption></figure>

After some research, I was able to find that this binary is capable of running arbitrary commands. So by running it as root, you essentially have full access to the system.

```
sudo /usr/bin/knife exec "--exec '/bin/sh -i'"
```

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FFZfiOAzyixV2G1GOpL9l%2Fimage.png?alt=media&#x26;token=a73c6186-86eb-4edf-aace-7e5a8fa689b2" alt=""><figcaption></figcaption></figure>
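
From the defender's side, a rule like this can be caught by auditing `sudo -l` output. The following is an added example, not part of the original write-up: it parses rule lines, resolves symlinks, and flags root rules for tools that execute arbitrary code. The `CODE_RUNNERS` list, the function name and the sample output are assumptions constructed for illustration.

```python
import os
import re

# Assumption: illustrative set of tools that run arbitrary code by design
# (knife via `knife exec`); extend it for your own environment.
CODE_RUNNERS = {"knife", "python3", "perl", "ruby", "bash", "sh", "vim", "find"}

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/knife".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_rules(sudo_l_output, resolve=os.path.realpath):
    """Return (command, resolved_target, nopasswd) for risky root rules."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and Defaults lines
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: splits on commas, so escaped commas inside
        # command arguments are not handled.
        for cmd in m.group("cmds").split(","):
            words = cmd.split()
            if not words:
                continue
            path = words[0]
            if path == "ALL":
                findings.append(("ALL", "ALL", nopasswd))
                continue
            target = resolve(path)  # follow symlinks to the real binary
            names = {os.path.basename(path), os.path.basename(target)}
            if names & CODE_RUNNERS:
                findings.append((path, target, nopasswd))
    return findings


# Constructed sample input modelled on the rule described in this write-up.
SAMPLE = """\
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for command, target, nopasswd in audit_sudo_rules(SAMPLE):
        print(f"RISK: {command} -> {target} (NOPASSWD={nopasswd})")
```

Resolving the symlink matters because a harmless-looking path in a sudoers rule can point at an interpreter; matching on the resolved name as well as the listed one catches that case.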
