HackTheBox - Knife
Morten Hansen • January 30, 2022
Knife
Keywords: CVE, ssh
So this is a short version written some time after I finished the machine.

To sum it up, the basic enumeration with `nmap`, `gobuster` and so on didn't show much that was useful. The website at http://<ip> didn't give us much either.
Running Nikto revealed which version of PHP was running. Intercepting a request with Burp also shows the PHP version tagged `DEV`. A development build should not be on a production site and indicates that something is wrong. Searching Google for that PHP version turns up an exploit.
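The thing to take away from this step as a defender is that the server was advertising a development build in its headers. Below is an added example (not part of the original write-up) of a small POSIX `sh` check that flags such a banner in a block of raw HTTP response headers; the sample headers and the `PHP/9.9.9-dev` version string are constructed placeholders, not the real values from the box.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag a development build of
# PHP advertised in HTTP response headers, the misconfiguration the write-up
# spotted with Nikto and Burp. Takes the raw response headers as its argument.

check_php_banner() {
    # Look at the headers that commonly carry a PHP banner and catch a version
    # tagged "-dev" (case-insensitive). Prints the offending line and returns 1
    # when found; returns 0 when the headers look clean.
    offending=$(printf '%s\n' "$1" \
        | grep -i -E '^(X-Powered-By|Server):.*PHP/[0-9][0-9.]*-dev' || true)
    if [ -n "$offending" ]; then
        printf 'FLAG development PHP build exposed: %s\n' "$offending"
        return 1
    fi
    return 0
}

# Constructed sample headers; the version string is a placeholder, not the one
# actually seen on the box.
DEV_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/9.9.9-dev
Content-Type: text/html; charset=UTF-8'

CLEAN_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/9.9.9
Content-Type: text/html; charset=UTF-8'

# Against a live host you would feed it: check_php_banner "$(curl -sI http://<ip>/)"
if check_php_banner "$DEV_HEADERS"; then
    echo "dev sample: no banner found (unexpected)"
fi
if check_php_banner "$CLEAN_HEADERS"; then
    echo "clean sample: no dev banner"
fi
```

The fix on the server side is the usual one: `expose_php = Off` in `php.ini` so the banner is not sent at all, and of course not running a development build in production.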
Editing the request in Burp gives us command execution. We set up a listener in our terminal with `nc -lvnp 9001`, put a bash reverse-shell command into the Burp request, and get a reverse shell connected to our listener. (I didn't note down which reverse-shell command I used, but one can be found at https://revshells.com.)
Once inside the machine there is a `.ssh` folder containing `.id_rsa` and `.id_rsa.pub`. There is no `authorized_keys` file, so move `.id_rsa` into `authorized_keys` and set its mode to 600 (`chmod 600 authorized_keys`).
Copy the key and store it on your own computer, then connect with `ssh james@knife.htb -i id_rsa`. Alternatively, we can put our own `id_rsa.pub` into `authorized_keys` and connect over ssh giving our own `id_rsa` as the key. That works too.
Then `sudo -l` shows that we can run `knife` with sudo. Look up `knife` on GTFOBins, run the command listed there, and we get root!