⛔Introduction/Release Arena

Knife is an Easy box from HTB created by MrKN16H. It features a PHP- and Chef-based exploit chain. Running my initial setup scan against the IP provided by the HTB GUI, 10.129.7.24, gave odd results on a TCP port. I don't know if this was a session/display issue, but as I have done several boxes recently I navigated to 10.10.10.242 and got a response. I re-ran my scan and used this IP for the remainder of the guide below.

Showing the HTB personal IP address.

HTB User Flag erroring out.

05.25.21 – As this was my first Release Arena machine, I learned the hard way that I really need to read the instructions. I did not spawn a VPN for the Release Arena, which is why my scans returned incorrect results. Going in via the Release Arena PwnBox today and grabbing the flags that way worked. I changed the heading on the Release Arena machine page 😂😒 as a reminder to myself going forward.

🔎🦶Enumeration/Foothold

I start every scan with a RustScan and convert the output to a PDF for easier viewing. Normally I have it bundled in my setup script, but because of the issue above I re-ran the command by hand.

Immediately I see ports 22 and 80 open. I navigate over and see an EMA Hospital website. No links are present and the website appears to be a simple placeholder.

Showing the EMA website.

I kick off a directory scan and check Wappalyzer to see what the website is running; it reports PHP version 8.1.0. As I run a website myself, I know that the current stable version of PHP is 8.0.6, so a server advertising a newer version than the latest release is a red flag.

Wappalyzer showing PHP version.

Confirming PHP version.
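The reasoning in this step (a server advertising a PHP version newer than any stable release) is something a defender can check automatically against their own hosts. The following is an added example, not part of the original write-up, that parses an X-Powered-By header and flags an unreleased or pre-release build; the header values and the stable version 8.0.6 are constructed from the text above.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed reference value taken from the write-up: the newest stable PHP
# release at the time was 8.0.6. Refresh this from php.net before a real audit.
CURRENT_STABLE: Tuple[int, int, int] = (8, 0, 6)

# Matches banners such as "PHP/8.1.0", "PHP/8.1.0-dev" and "PHP/8.1.0RC1".
# A distro package suffix like "-1ubuntu1" is deliberately not treated as pre-release.
VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)(-?[A-Za-z][0-9A-Za-z.]*)?", re.IGNORECASE)


def parse_php_banner(headers: Dict[str, str]) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, patch, suffix) from an X-Powered-By header, or None."""
    value = next((v for k, v in headers.items() if k.lower() == "x-powered-by"), None)
    if value is None:
        return None
    m = VERSION_RE.search(value)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, (m.group(4) or "").lower()


def assess_php_banner(headers: Dict[str, str],
                      current_stable: Tuple[int, int, int] = CURRENT_STABLE) -> dict:
    """Flag banners advertising a build that should not be serving production traffic."""
    parsed = parse_php_banner(headers)
    if parsed is None:
        return {"version": None, "suspicious": False, "reasons": []}
    major, minor, patch, suffix = parsed
    reasons = []
    if (major, minor, patch) > current_stable:
        reasons.append("advertised version is newer than the latest stable release")
    if suffix:
        reasons.append(f"pre-release suffix {suffix!r}")
    return {"version": f"{major}.{minor}.{patch}{suffix}",
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample responses (not captured from the box).
SAMPLES = {
    "knife-like": {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/8.1.0"},
    "dev-build": {"X-Powered-By": "PHP/8.1.0-dev"},
    "stable": {"X-Powered-By": "PHP/8.0.6"},
}

for name, hdrs in SAMPLES.items():
    print(name, assess_php_banner(hdrs))
```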

A short Google search later and I find this. I download it to my attack machine and try a command.

As you can see from the results above, we are able to get code execution. I run a one-liner and get a shell.

🔝Escalation

I upgrade my shell to a TTY and grab the user flag (which didn't work, as shown above).

I run sudo -l on the majority of Linux-based boxes as a first step. Here I see that /usr/bin/knife is permitted via sudo. I run ls -l and find that it is a symbolic link into chef-workstation.

Showing chef workstation running.

I Googled and found this, which states I can run knife exec to launch a Ruby script. I then looked up a Ruby reverse shell and found this, which I altered and uploaded to the box.

⚠ Attack Machine

🎯Victim Machine

Rooted knife by HTB

Published On: August 27th, 2021 / Categories: HTB, Technology