⛔Introduction/Release Arena
Knife is an Easy box from HTB, created by MrKN16H. This box features a PHP and Chef based exploit. Running my initial setup scan against the IP provided by the HTB GUI (10.129.7.24) gave weird results on a TCP port. I don’t know if this was a session/display issue, but as I have done several boxes recently I navigated to 10.10.10.242 and got a pop. I re-ran my scan and used this IP for the remainder of the guide below.

Showing the HTB personal IP address.

HTB User Flag erroring out.
05.25.21 – As this was my first Release Arena machine I learned the hard way that I really need to learn to read. I did not spawn a VPN for the Release Arena which caused me to get incorrect scans. Going on via the Release Arena PwnBox today and grabbing the flags this way worked. I changed the heading on the Release Arena machine page😂😒 for my reference going forward.
🔎🦶Enumeration/Foothold
I start every scan with a RustScan and convert it to a PDF for easier viewing. Normally I have it bundled in my setup script, but due to the above I re-did the command:
Immediately I see ports 22/80 open. I navigate over and see an EMA Hospital website. No links are present and the website appears to be a simple placeholder.

Showing the EMA website.
I kick off a directory scan and check Wappalyzer to see what the website is running, and see PHP is set to version 8.1.0. As I run a website, I know that the current stable version of PHP is 8.0.6.

Wappalyzer showing PHP version.

Confirming PHP version.
A short Google later and I find this. I download it to my attack machine and try a command.
As you can see from the results above, we are able to get code execution. I run a one-liner and get a shell.
🔝Escalation
I upgrade my shell to a tty and grab the user flag (which didn’t work as shown above).
I run sudo -l on the majority of Linux based boxes as a first point. When running it I see the directory to usr/bin/knife is open. I run ls -l to find out it’s a symbolic link to chef-workstation.

Showing chef workstation running.
I Googled and found this, which states I can run knife exec and launch a Ruby script. I then looked up Ruby reverse shell and found this, which I altered and uploaded to the box.
⚠ Attack Machine
🎯Victim Machine

Rooted knife by HTB.
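The sudo finding above, turned into a defender's check (an added example, not part of the original write-up): the script reads sudo -l output and flags any granted command whose name or symlink target is a tool that can run caller-supplied code. The sample listing, the user and host names in it, and every tool name other than knife are assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up): audit `sudo -l` output for rules that
# grant a tool able to run caller-supplied code. "knife" is from the write-up
# (knife exec runs a Ruby script); the other names are illustrative assumptions.
SCRIPT_RUNNERS="knife ruby irb python python3 perl"

# Constructed sample of `sudo -l` output; user and host names are made up.
SAMPLE_LISTING='Matching Defaults entries for webuser on host:
    env_reset, mail_badpass

User webuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx'

# Reads a sudo listing on stdin; prints "<tag> <path> -> <resolved target>"
# for every granted command whose name or symlink target is a script runner.
audit_sudo_listing() {
  while IFS= read -r line; do
    line=${line#"${line%%[![:space:]]*}"}          # trim leading whitespace
    case $line in "("*")"*) ;; *) continue ;; esac # "(runas) ..." rules only
    cmds=${line#*")"}; tag=PASSWD
    while :; do                                    # peel tags such as NOPASSWD:
      cmds=${cmds#"${cmds%%[![:space:]]*}"}
      case $cmds in
        NOPASSWD:*) tag=NOPASSWD; cmds=${cmds#*:} ;;
        [A-Z]*:*)   cmds=${cmds#*:} ;;
        *)          break ;;
      esac
    done
    old_ifs=$IFS; IFS=,; set -f; set -- $cmds; set +f; IFS=$old_ifs
    for cmd in "$@"; do
      cmd=${cmd#"${cmd%%[![:space:]]*}"}
      path=${cmd%% *}                              # drop any fixed arguments
      case $path in /*) ;; *) continue ;; esac
      # Resolve symlinks so the real binary is reported, not just the link.
      target=$(readlink -f "$path" 2>/dev/null) || target=$path
      [ -n "$target" ] || target=$path
      for name in "${path##*/}" "${target##*/}"; do
        case " $SCRIPT_RUNNERS " in
          *" $name "*) printf '%s %s -> %s\n' "$tag" "$path" "$target"; break ;;
        esac
      done
    done
  done
  return 0
}

printf '%s\n' "$SAMPLE_LISTING" | audit_sudo_listing
```

A flagged NOPASSWD rule is the one to remove first, or to replace with a wrapper that accepts no script argument.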