Knife is an Easy box from HTB, created by MrKN16H. This box features a Chef-based exploit. Running my initial setup scan against the IP provided by the HTB GUI (10.129.7.24) provided weird results to a TCP port. I don't know if this was a session/display issue, but as I have done several boxes recently I navigated to 10.10.10.242 and got a pop. I re-ran my scan and used this IP for the remainder of the guide below.
Showing the HTB personal IP address.
HTB User Flag erroring out.
I start every scan with a RustScan and convert it to a PDF for easier viewing. Normally I have it bundled in my setup script, but due to the above I re-did the command:
Immediately I see ports 22 and 80 open. I navigate over and see an EMA Hospital website. No links are present and the website appears to be a simple placeholder.
I kick off a directory scan and check Wappalyzer to see what the website is running, and see PHP is set to version 8.1.0. As I run a website, I know that the current stable version of PHP is 8.0.6.
Wappalyzer showing PHP version.
A short Google later and I find this. I download it to my attack machine and try a command.
As you can see from the results above, we are able to get code execution. I run a one-liner and get a shell.
I upgrade my shell to a tty and grab the user flag (which didn’t work as shown above).
I run sudo -l on the majority of Linux-based boxes as a first point. When running I see the directory to usr/bin/knife is open. I run ls -l to find out it's a symbolic link to
Showing chef workstation running.
I Googled and found this, which states I can run knife exec and launch a Ruby script. I then looked up Ruby reverse shell and found this, which I altered and uploaded to the box.
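
From the defender's side, the finding above is a sudo rule that hands out a tool able to run caller-supplied scripts. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags such rules, following symlinks as the ls -l step did. The sample output, user name, host name, symlink target and every tool name other than knife are assumptions.

```python
import os
import re

# Tools that can run caller-supplied code. "knife" comes from the write-up
# (knife exec launches a Ruby script); the other names are assumptions.
SCRIPT_CAPABLE = {"knife", "ruby", "python", "python3", "perl", "bash", "sh"}

ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

def parse_sudo_l(text):
    """Yield (runas, tags, command) for each rule in `sudo -l` output."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and "Matching Defaults" lines
        rest = m.group("rest")
        tag_match = TAG.match(rest)
        tags = tag_match.group(0).replace(" ", "") if tag_match else ""
        commands = rest[len(tag_match.group(0)):] if tag_match else rest
        for cmd in commands.split(","):
            cmd = cmd.strip()
            if cmd:
                yield m.group("runas"), tags, cmd

def audit(text, resolve=os.path.realpath):
    """Return one finding per rule that grants a script-capable binary."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0]
        target = resolve(binary)  # follow symlinks to the real executable
        names = {os.path.basename(binary), os.path.basename(target)}
        hit = sorted(names & SCRIPT_CAPABLE)
        if hit:
            findings.append({"runas": runas, "nopasswd": "NOPASSWD:" in tags,
                             "command": cmd, "target": target, "tool": hit[0]})
    return findings

# Constructed sample: user, host and symlink target are placeholders.
SAMPLE = """\
User appsvc may run the following commands on host01:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx, /usr/bin/ruby
"""
SAMPLE_LINKS = {"/usr/bin/knife": "/opt/example-workstation/bin/knife"}

if __name__ == "__main__":
    for finding in audit(SAMPLE, lambda p: SAMPLE_LINKS.get(p, p)):
        print(finding)
```

On a real host, pass the text of `sudo -l -U <user>` and leave `resolve` at its default so the actual symlink targets are checked.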