Knife | HackTheBox Writeup


Knife is an easy Linux-based machine on HackTheBox by MrKN16H.

User Part

I started with an nmap scan and found 2 open ports:

22: SSH

80: HTTP

After wasting time on directory brute-forcing and other stuff, I checked the headers with curl.

I got PHP version 8.1.0-dev.

I googled for an exploit and found an RCE exploit.

Using that exploit, I got RCE and now I am james.

For further privilege escalation, I wanted a TTY shell.

For that, I opened a Netcat listener on my local machine and got the shell back.

Root Part

I checked for the commands that I can run with root privileges.

I can run /usr/bin/knife with root privileges.

I checked the help page and saw that I can execute a command using ‘exec’.

Then I checked the “knife exec -h” help output and saw that I can execute code by adding the ‘-E’ option.

Then I checked what kind of file this is, and I found it’s a symbolic link to /opt/chef-workstation/bin/knife.

So I checked what kind of file /opt/chef-workstation/bin/knife is and found it’s a Ruby file.

I looked up Ruby in GTFOBins and got this command.

I executed that and got a root shell and the root flag.
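The root part works because a sudo rule points at a symlink that resolves to an interpreted script with a code-evaluation option. The following audit sketch is an added example, not part of the original writeup: it parses `sudo -l` output, follows symlinks, and flags commands whose target has an interpreter shebang. The `NOPASSWD` tag, the shebang line, and the `native-tool` file are constructed sample data.

```python
import os
import re
import tempfile

# Interpreters whose scripts commonly expose "evaluate this code" options.
INTERPRETERS = {"ruby", "python", "python3", "perl", "node", "php", "bash", "sh"}
RULE = re.compile(r"\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(.+)")  # "(root) TAG: /cmd, /cmd2"

def shebang_interpreter(path):
    """Return the interpreter named by a file's shebang line, or None."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256).decode("utf-8", "replace")
    except OSError:
        return None
    parts = first[2:].split() if first.startswith("#!") else []
    if parts and os.path.basename(parts[0]) == "env":
        parts = parts[1:]  # "#!/usr/bin/env ruby" names ruby, not env
    return os.path.basename(parts[0]) if parts else None

def audit(sudo_l_text):
    """Return (runas, command, resolved_path, interpreter) for sudo rules to review."""
    findings = []
    for match in filter(None, map(RULE.match, sudo_l_text.splitlines())):
        for cmd in (c.strip() for c in match.group(2).split(",")):
            target = os.path.realpath(cmd.split()[0])  # follow symlinks to the real file
            interp = shebang_interpreter(target)
            if interp in INTERPRETERS:
                findings.append((match.group(1), cmd, target, interp))
    return findings

def constructed_host():
    """Create a constructed file layout in a temp dir; return sample `sudo -l` text."""
    root = tempfile.mkdtemp()
    real = os.path.join(root, "opt/chef-workstation/bin/knife")
    link = os.path.join(root, "usr/bin/knife")
    native = os.path.join(root, "usr/bin/native-tool")
    os.makedirs(os.path.dirname(real))
    os.makedirs(os.path.dirname(link))
    with open(real, "w") as fh:
        fh.write("#!/usr/bin/env ruby\n# constructed stand-in, not the real knife\n")
    with open(native, "wb") as fh:
        fh.write(b"\x7fELF")  # constructed stand-in for a compiled binary
    os.symlink(real, link)
    return ("User james may run the following commands on knife:\n"
            f"    (root) NOPASSWD: {link}, {native}\n")

if __name__ == "__main__":
    for finding in audit(constructed_host()):
        print(finding)
```

A flagged rule is a prompt to check whether the tool can run arbitrary code, as `knife exec -E` does here, and to remove or narrow the sudo entry if it can.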

