HackTheBox: Knife | My Journey

Let’s start with recon using nmap

Great, 2 ports are open. Let’s check the HTTP server.

Nothing special, huh. Let’s do some directory fuzzing.

A login page?

Nope. That’s just a rabbit hole (?). The page is still rendering index.php.

Okay, moving on to the next step. Let’s check what technologies this website uses. I use Wappalyzer here.

Maybe there’s outdated tech? Let’s check if PHP has any CVEs.

And fortunately, there was.
https://www.exploit-db.com/exploits/49933

Download the exploit and execute it.

And I got a user shell.

But because this shell isn’t very interactive (can’t move to other directories), I’m going to make a reverse shell first.

host :

victim :

Okay, let’s see if we can do privilege escalation. I use sudo -l as usual.

As you can see, I can execute a program called knife with sudo. Let’s check out this interesting program by executing it.

There are a lot of sub-commands that you can use. I checked them one by one until I found something interesting.

After reading the documentation, I found something interesting about that subcommand.

Source : https://docs.chef.io/workstation/knife_exec/

Let’s see if we can execute a Ruby command to gain a root shell.

And gotcha.
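
A defender-side check for the sudo misconfiguration this box relies on, as an added example that is not part of the original post: it parses `sudo -l` output and flags rules that hand out knife (whose exec subcommand runs Ruby, per the documentation linked above) or a script interpreter without pinned arguments. The sample output, user, host, paths and the `CODE_RUNNERS` list are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Programs that run caller-supplied code. knife is listed because its "exec"
# subcommand runs Ruby scripts; the other names are a short assumed list.
CODE_RUNNERS = {"knife": {"exec"}, "ruby": set(), "python3": set(),
                "perl": set(), "bash": set(), "sh": set()}
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudo_l(output):
    """Return (runas, command, nopasswd, reason) for each risky sudo rule."""
    findings = []
    for line in output.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header and "Matching Defaults" lines
        nopasswd = "NOPASSWD:" in line  # simplification: tag applies to the whole line
        for cmd in re.split(r"(?<!\\),", rule["cmds"]):
            cmd = TAGS.sub("", cmd.strip())
            parts = cmd.split() or [""]
            name, args = PurePosixPath(parts[0]).name, parts[1:]
            if cmd == "ALL":
                reason = "every command is allowed"
            elif name not in CODE_RUNNERS:
                continue
            elif not args:  # sudoers: no arguments listed means any are accepted
                reason = "no argument restriction"
            elif args[0] in CODE_RUNNERS[name]:
                reason = f"code-running subcommand '{args[0]}'"
            elif any("*" in a for a in args):
                reason = "wildcard arguments"
            else:
                continue  # arguments pinned to something that does not run code
            findings.append((rule["runas"], cmd, nopasswd, reason))
    return findings


# Constructed `sudo -l` output; user, host and paths are made up.
SAMPLE = """\
User svc may run the following commands on buildhost:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/knife status, /usr/bin/systemctl restart nginx
    (root) /usr/bin/knife exec /opt/chef/report.rb
    (deploy) NOPASSWD: /usr/bin/ruby
"""
if __name__ == "__main__":
    print(*audit_sudo_l(SAMPLE), sep="\n")
```

A rule pinned to a harmless subcommand (`knife status`) passes; a bare `/usr/bin/knife` rule does not, because sudo then accepts any subcommand, including exec.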
