Knife | HackTheBox Writeup
I started with an nmap scan and found 2 open ports.
After wasting time on directory brute-forcing and other stuff, I checked the headers with curl.
I got PHP version 8.1.0-dev.
I googled for an exploit and found an RCE exploit.
Using that exploit I got RCE and now I am james.
For further privilege escalation, I wanted a tty shell.
For that, I opened a Netcat listener on my local machine and got the shell back.
I checked for the commands that I can run with root privilege.
I can run /usr/bin/knife with root privilege.
I checked the help page and I can execute the command using ‘exec’.
Then I checked the “knife exec -h” help and saw that I can execute code by adding the ‘-E’ option.
Then I checked what kind of file this is and found it’s a symbolic link to /opt/chef-workstation/bin/knife.
So I checked what kind of file /opt/chef-workstation/bin/knife is and found it’s a Ruby file.
I checked ruby in GTFOBins and got this command.
I executed that and got a root shell and the root flag.
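From the defender's side, the root cause above is a sudo rule for a command that resolves through a symlink to an interpreter script. The following audit is an added example, not part of the original writeup: it reads `sudo -l` output, resolves each allowed path and flags script targets for review. The function names, the ROOT prefix argument, the stub files and the sample `sudo -l` lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example: flag sudo-allowed commands that resolve to interpreter scripts.

# classify_target FILE: print "script:<interpreter>", "binary" or "missing".
classify_target() {
    resolved=$(readlink -f -- "$1" 2>/dev/null || true)
    if [ -z "$resolved" ] || [ ! -f "$resolved" ]; then echo "missing"; return 0; fi
    # Only the first line matters; drop NUL bytes so ELF headers read cleanly.
    first=$(dd if="$resolved" bs=256 count=1 2>/dev/null | tr -d '\000' | head -n 1)
    case $first in
        '#!'*) ;;
        *) echo "binary"; return 0 ;;
    esac
    read -r interp arg _rest <<EOF
${first#??}
EOF
    interp=${interp##*/}
    # "#!/usr/bin/env ruby" names the real interpreter in the next word.
    if [ "$interp" = "env" ]; then interp=${arg##*/}; fi
    echo "script:$interp"
}

# audit_sudo_list [ROOT]: read sudo -l output on stdin; ROOT (assumption) prefixes each path.
audit_sudo_list() {
    root=${1:-}
    # Reduce "(runas) [TAG:] /path args" lines to the first command path.
    sed -n 's|^[[:space:]]*([^)]*)[[:space:]]*\([A-Z]*:[[:space:]]*\)*\(/[^[:space:],]*\).*|\2|p' |
    while read -r cmd; do
        kind=$(classify_target "$root$cmd")
        case $kind in
            script:*) echo "REVIEW $cmd ($kind)" ;;
            *)        echo "ok $cmd ($kind)" ;;
        esac
    done
}

# demo: audit a constructed tree that mirrors the symlink layout in the writeup.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/opt/chef-workstation/bin"
    printf '#!/usr/bin/env ruby\n' > "$t/opt/chef-workstation/bin/knife"  # constructed stub
    ln -s "$t/opt/chef-workstation/bin/knife" "$t/usr/bin/knife"
    printf '\177ELF\002\001\001\000' > "$t/usr/bin/id"                    # constructed stub
    # Constructed `sudo -l` output, not captured from the box.
    printf '%s\n' '    (root) NOPASSWD: /usr/bin/knife' '    (root) /usr/bin/id' |
        audit_sudo_list "$t"
    rm -rf "$t"
}
demo
```

On a real host, run `sudo -l -U <user> | audit_sudo_list` with no ROOT argument; a REVIEW line means the rule should be checked for subcommands or options that run arbitrary code as the target user.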