# Knife

## Summary

[Knife](https://app.hackthebox.com/machines/Knife) is an easy Linux box that is vulnerable to an old PHP backdoor and has a simple sudo privilege escalation.

## Steps

### Recon

The first step is always to run a port scan against the target. Most people use nmap, but I prefer rustscan because it is faster. Running rustscan shows that ports 22 and 80 are open.

```
rustscan -a 10.10.10.242
```

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FUcVWCry6O4fDQsYjbMZO%2Fimage.png?alt=media&#x26;token=22a53235-82be-4192-9474-25f89e22d8da" alt=""><figcaption><p>Results of rustscan</p></figcaption></figure>

Typically, when only ports 22 and 80 are open, I focus on the web server first. One thing I like to do is either use the browser extension Wappalyzer or run `whatweb` against the web server to see what technologies it is running.

```
whatweb 10.10.10.242
```

```
http://10.10.10.242 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
```

In this instance we can see that it is running PHP version 8.1.0-dev, which contains a well-known backdoor. I used [flast101's exploit from GitHub](https://github.com/flast101/php-8.1.0-dev-backdoor-rce) to gain user access to the machine.

### Initial Access

Using the exploit, we are able to gain an interactive session on the target.

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2Fd5oo6gQAAa70YennfUAQ%2Fimage.png?alt=media&#x26;token=401fc3a6-15a9-4f41-b492-86d94c92a6a7" alt=""><figcaption><p>Exploiting the backdoor and gaining access as 'james'</p></figcaption></figure>

Now that we have access, we can go to james' home directory and get the user flag:

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2F7FPRZuZeU9EEbS40VReN%2Fimage.png?alt=media&#x26;token=9cb76ff1-a197-4f38-932d-033ebbb93d46" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

The privilege escalation for this box is fairly simple, and is given away by the name of the box. Running `sudo -l` lists the binaries we are allowed to run on the target as root.

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FHtaTh5uGYgx1WfR7b6KV%2Fimage.png?alt=media&#x26;token=de5eff29-3b2d-4932-b455-95ee5563f86d" alt=""><figcaption><p>results of <code>sudo -l</code></p></figcaption></figure>

In this case, we are able to run `/usr/bin/knife` as root without needing to know james' password. We can also see that this binary is a symlink to another binary, `/opt/chef-workstation/bin/knife`.

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FYy1p4XwTDQlQNOQ7671f%2Fimage.png?alt=media&#x26;token=bd4cf42b-e9e2-49d8-a6e1-ae5384acb349" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2Fn7OSU31EoJNGrBd7XKFi%2Fimage.png?alt=media&#x26;token=b413ed96-d807-4320-83a8-f1299adbf2e9" alt=""><figcaption></figcaption></figure>

After some research, I found that this binary is capable of running arbitrary commands, so running it as root essentially gives full access to the system.

```
sudo /usr/bin/knife exec "--exec '/bin/sh -i'"
```

<figure><img src="https://1164192159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fm71shRSLLSt3up2Lmjlx%2Fuploads%2FFZfiOAzyixV2G1GOpL9l%2Fimage.png?alt=media&#x26;token=a73c6186-86eb-4edf-aace-7e5a8fa689b2" alt=""><figcaption></figcaption></figure>
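From the defender's side, the misconfiguration above is easy to miss because `/usr/bin/knife` looks like a harmless path until the symlink is resolved. As an added example that is not part of the original writeup, the following Python parses `sudo -l` output and flags root-level rules that grant a shell-capable binary, resolving symlinks first. The sample output, the `LINKS` symlink table and the `SHELL_CAPABLE` list are constructed assumptions (the list is illustrative, not a complete catalogue).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Illustrative assumption (not exhaustive): binaries a root sudo rule turns into a root shell.
SHELL_CAPABLE = {"knife", "vim", "find", "python3", "perl", "bash", "sh", "env"}
# One privilege line of `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/knife"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample output mirroring what the box shows for james.
SAMPLE = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""
# Constructed symlink table; on a live host pass os.path.realpath instead.
LINKS = {"/usr/bin/knife": "/opt/chef-workstation/bin/knife"}

@dataclass(frozen=True)
class SudoRule:
    runas: str      # user the command may run as
    nopasswd: bool  # True when no password is required
    command: str    # command path (or ALL) granted

def parse_sudo_l(output: str) -> list[SudoRule]:
    """Extract (runas, NOPASSWD, command) rules listed after the 'may run' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:  # a single line may grant several comma-separated commands
            runas = m.group("runas").split(":")[0].strip()
            nopasswd = "NOPASSWD:" in m.group("tags")
            rules += [SudoRule(runas, nopasswd, c.strip()) for c in m.group("cmds").split(",")]
    return rules

def risky_rules(rules: list[SudoRule], realpath=lambda p: p) -> list[tuple[SudoRule, str]]:
    """Return root-level rules granting a shell-capable binary, resolving symlinks first."""
    flagged = []
    for r in rules:
        if r.runas not in ("root", "ALL"):
            continue
        target = realpath(r.command.split()[0])  # drop any argument restrictions
        if r.command == "ALL" or target.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            flagged.append((r, target))
    return flagged
```

On the box itself, `risky_rules(parse_sudo_l(SAMPLE), realpath=lambda p: LINKS.get(p, p))` reports the james rule with its resolved target `/opt/chef-workstation/bin/knife`.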
