Knife is a retired Linux machine. The goal is to obtain the user and root flags by exploiting the vulnerabilities present on it.
To fingerprint the target, we first run a port scan with nmap.
Classic Scan
The port scan shows two open ports on the target: 22/tcp (SSH, OpenSSH 8.2p1) and 80/tcp (HTTP, Apache httpd).
Since no known vulnerability applies to this OpenSSH version, we continue with port 80.
Since an HTTP service is running, we enumerate it through the browser.
In the programming languages section of the browser's web-technology analyzer we see that the site reports an unusual PHP version: a development (pre-release) build rather than a regular release. Let's search for a public exploit for it. Before that, let's run a directory and file scan with gobuster.
The scan did not find many results.
Vulnerability research
We have confirmed that this PHP build is vulnerable, so let's use the exploit published on exploit-db.
In general terms, if this PHP version is running on the server, an attacker can execute arbitrary code simply by sending a crafted User-Agent header in an HTTP request. The vulnerable version can be identified in several ways: we spotted it in the browser's web-technology analyzer, but most people find it by reading the response headers with curl (for example, the X-Powered-By header returned by `curl -I`).
Let's download the exploit code and run it.
As soon as we ran the exploit code, it gave us a shell.
The shell we got this way was not very usable, so we spawned a reverse shell back to our machine and read the user flag.
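The header check described above, as an added example that is not part of the original writeup or the exploit-db code: it parses a raw HTTP response the way `curl -I` would show it, pulls the PHP version out of the X-Powered-By (or Server) header, and flags development builds. The sample response is constructed; the version string in it is an assumption for illustration, and the real target reports whatever its own X-Powered-By header says.

```python
"""Fingerprint the PHP version advertised in HTTP response headers.

Added example for this writeup (not the original post's or exploit-db's
code). SAMPLE_RESPONSE is a constructed response; the version string in it
is an assumption used only to exercise the parser.
"""
import http.client
import re
from typing import Dict, Optional


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return a lowercase-keyed dict of headers from a raw HTTP response.

    The status line is skipped and anything after the first blank line
    (the body) is ignored.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers: Dict[str, str]) -> Optional[str]:
    """Extract the PHP version from X-Powered-By or Server, if advertised."""
    for key in ("x-powered-by", "server"):
        m = re.search(r"PHP/([0-9][0-9A-Za-z.\-]*)", headers.get(key, ""))
        if m:
            return m.group(1)
    return None


def is_dev_build(version: Optional[str]) -> bool:
    """True for pre-release builds, i.e. versions carrying a -dev suffix."""
    return version is not None and version.lower().endswith("-dev")


def fetch_headers(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, str]:
    """Live equivalent of `curl -I http://host/`: send HEAD and return headers.

    Not exercised offline; provided for use against a lab target.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return {name.lower(): value for name, value in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample response, shaped like `curl -I` output against an
# Apache/PHP host. The PHP version here is an assumption for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    ver = php_version(hdrs)
    print(f"PHP version: {ver}  dev build: {is_dev_build(ver)}")
```

The same check from the shell is `curl -sI http://target/ | grep -i x-powered-by`; the Python version is only useful if you want to feed the result into further automation.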
We did not have access to the /root directory, so we performed local enumeration to escalate privileges.
First, we ran `sudo -l` to list the commands we are allowed to run with sudo.
We can run /usr/bin/knife as root without a password.
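A small parser for the `sudo -l` output just described, added here as an example that is not part of the original writeup: it extracts each rule's run-as user, whether NOPASSWD is set, and the command list, so passwordless root entries like the knife one can be pulled out automatically on a box with many rules. The sample output is constructed; the username and hostname in it are placeholders.

```python
"""Parse `sudo -l` output and list commands runnable as root without a password.

Added example for this writeup (not the original post's code). SAMPLE_SUDO_L
is constructed; the username "lowpriv" and hostname "target" are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List

# One sudoers rule line as printed by `sudo -l`, e.g.
#   (root) NOPASSWD: /usr/bin/knife
#   (ALL : ALL) ALL
#   (root) SETENV: NOPASSWD: /usr/bin/vim, /usr/bin/less
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    runas: str          # run-as spec inside the parentheses, e.g. "root" or "ALL : ALL"
    nopasswd: bool      # True when the NOPASSWD: tag is present
    commands: List[str]


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Return the rules listed after the 'User ... may run' line."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the "Matching Defaults entries" block
        m = SUDO_RULE.match(line)
        if not m:
            continue
        tags = m.group("tags").upper()
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(
            SudoRule(
                runas=m.group("runas").strip(),
                nopasswd="NOPASSWD:" in tags,
                commands=cmds,
            )
        )
    return rules


def passwordless_root_binaries(output: str) -> List[str]:
    """Commands that can be run as root with no password: the ones to look up on GTFOBins."""
    found: List[str] = []
    for rule in parse_sudo_l(output):
        runas_user = rule.runas.split(":")[0].strip()  # "ALL : ALL" -> "ALL"
        if rule.nopasswd and runas_user in ("root", "ALL"):
            found.extend(rule.commands)
    return found


# Constructed sample mirroring the single entry this writeup found.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lowpriv may run the following commands on target:
    (root) NOPASSWD: /usr/bin/knife
"""


if __name__ == "__main__":
    for binary in passwordless_root_binaries(SAMPLE_SUDO_L):
        print(f"passwordless root: {binary}")
```

Run it against saved `sudo -l` output (for example `sudo -l > sudo.txt` on the target, then `passwordless_root_binaries(open("sudo.txt").read())`); each returned path is a candidate to search for on GTFOBins.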
Knife is a CLI tool that provides an interface between a local Chef repository and the Chef Infra Server. To see how it can be abused to run commands as root, we look it up on GTFOBins.
GTFOBins tells us we can get a root shell with `sudo knife exec -E 'exec "/bin/sh"'`: `knife exec` evaluates the Ruby code given with `-E`, and Ruby's `exec` replaces the knife process, which is running as root, with /bin/sh. Let's try it.
As you can see, we now have root privileges and can read the root flag.