Hack The Box — Knife

0xmarWan7A
4 min read · Oct 2, 2021

Hey everyone, today we have a new Linux machine from Hack The Box, "Knife", which is an easy machine with some new techniques. Let's take a look at the info card.

We must first define a methodology to follow in order to solve any machine and to organize our thinking.

Methodology :

  1. DNS Enumeration
  2. Website Enumeration (if a website exists)
  3. Scanning
  4. Gain Access (Exploitation)
  5. Privilege Escalation (Post-Exploitation)
  6. Capture The Flag
  7. Submit The Flag

1. DNS Enumeration :

In this step we need to find the open ports, MAC address, the services behind the ports, OS version, kernel version, etc.

To get this information we will use the Nmap tool (built into most Linux distributions). If you don't know what Nmap is, search Google for it.

nmap -A -T4 -sC -oG knife.gnmap 10.10.10.242

  • -A → detect as much as possible: operating system, port services, scripts, versions, etc.
  • -T4 → aggressive timing template (faster scan)
  • -sC → run the default script scan
  • -oG → write a gnmap file that we can later feed to brute forcing of services like ssh, ftp and smb, if they exist.

To learn more about the options, use nmap -h.

From the Nmap result we have two open ports here: ssh (22) and http (80).

Let's search for any vulnerability in the port services using searchsploit.

We don't find any vulnerability in the services :( so let's try to brute force the SSH credentials using brutespray and the gnmap file we created:

brutespray -f knife.gnmap

But unfortunately, it found nothing :(

So let's move on to the website and enumerate it.

2. Website Enumeration :

First we must define the domain in /etc/hosts:

10.10.10.242 knife.htb

Done. Now let's open it in the browser and enumerate the website at http://10.10.10.242/

After enumerating the static webpage and reading the page source code I found nothing.

So now let's brute force the directories using gobuster.

But here too I found nothing interesting, so let's run Nikto and read the result.

Nice, I found some interesting data here: Nikto reports the PHP version. Let's search exploit-db for any exploit for this PHP version.

BINGOO :) I found an RCE here. Now let's download the Python script and run it from my local terminal.

Done, we got a shell with user privileges. Let's now try to get the SSH private key of the user James to log in with it, but I found nothing in the .ssh/ directory, so let's generate our own key pair, send the public key to the victim machine and log in over SSH with it.

3. Gain Access:

Let's now send our public key to the victim and save it in the authorized_keys file in the .ssh/ directory, so that we can log in over SSH with the matching private key.

Now let's log in with the private key we generated before.

BINGOO :) We now have SSH as the user James, so let's read the user.txt file.

4. Privilege Escalation:

Done. Now let's escalate our privileges to get root access. The first thing I run is the command "sudo -l" to see whether I have sudo privileges or not.

NICE, I have sudo privileges and I can run the knife command as root, so let's go to the GTFOBins website and search for knife.

Ok, let's take this command and run it on the victim machine to get root access.

BINGOO, we have root access. Now let's read the root.txt file.
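The root cause of this escalation is a sudo rule that lets a low-privileged user run knife as root. As an added example (not part of the original writeup), here is a small audit script that parses sudo -l style output and flags rules that amount to a root shell, so a defender can find this kind of misconfiguration before an attacker does. The sample output and the set of shell-escape binaries are constructed for this example and are assumptions, not data from the machine.

```python
import re

# Binaries that GTFOBins documents as able to spawn a shell when run under sudo.
# The set is an assumption for this example; knife is the one relevant to this box.
SHELL_ESCAPE_BINARIES = {"knife", "vim", "find", "less", "python3", "perl", "ruby"}

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"   # (root), (root : root), (ALL : ALL)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"     # NOPASSWD:, SETENV:, NOEXEC: ...
    r"(?P<cmds>\S.*?)\s*$"           # comma-separated command list
)

# Constructed sample in the shape of `sudo -l` output; not captured from the machine.
SAMPLE_SUDO_L = """Matching Defaults entries for james on knife:
    env_reset, mail_badpass

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/id
"""

def parse_sudo_l(text):
    """Return one dict per command found in the rule lines of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                              # header / Defaults lines
        runas = m.group("runas").split(":")[0].strip() or "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append({"runas": runas, "tags": tags, "cmd": cmd.strip()})
    return rules

def audit_rules(rules):
    """Flag rules that amount to a root shell: ALL, or a shell-escape binary run as root."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        program = r["cmd"].split()[0]             # argument restrictions do not help here
        if r["cmd"] == "ALL":
            findings.append("ALL: unrestricted root")
        elif program.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
            auth = "without a password" if "NOPASSWD" in r["tags"] else "with the user's password"
            findings.append(f"{program}: runs as root {auth} and can spawn a shell")
    return findings

if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("FINDING:", finding)
```

The fix for a flagged rule is to remove it or to run the tool under a dedicated unprivileged account rather than root; restricting arguments does not help for binaries that can execute code on their own.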

ROOTED ❤️❤️

STAY IN TOUCH → TWITTER
