HTB Knife

Run an nmap scan to find open ports.

The webpage shows some kind of medical interface.

Gobuster shows that the site runs on PHP.

Use the curl command to get more info.

Searching searchsploit for the PHP version turns up an RCE exploit.

Download the exploit and run the Python script.

A shell is gained.

Not much besides the ls command can be used in this shell. We can ls the user.txt file.

sudo -l shows that the james user can use sudo knife.

We need a subcommand to run the knife function. There are multiple subcommands available and, after googling, knife exec seems to have some potential.

Run the following Ruby script and use the knife command to get the root flag.
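
To audit hosts for the sudo misconfiguration used in the last steps, the added example below (not part of the original post, and not the Ruby script it refers to) parses sudo -l output and flags rules that allow a code-executing tool such as knife to run with any arguments. The sample output, the file paths and the tool list are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Tools that run caller-supplied code via a subcommand, flag or script argument
# (for knife, the "exec" subcommand). Assumed starter list; extend per estate.
CODE_EXEC_TOOLS = {"knife", "ruby", "python3", "perl", "bash", "sh", "vim",
                   "find", "awk", "env"}

# "(runas) [TAG: ...] command[, command ...]" as printed by `sudo -l`
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample, not output captured from the box.
SAMPLE = """\
User james may run the following commands on host:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/knife status
    (root) /usr/sbin/service nginx reload
"""

def audit_sudo_l(text):
    """Return one finding per rule that leaves a code-execution path open."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        nopasswd = "NOPASSWD:" in m.group("tags")
        # sudoers escapes a literal comma inside arguments as "\,"
        for cmd in re.split(r"(?<!\\),", m.group("cmds")):
            parts = cmd.split()
            if not parts:
                continue
            name, args = PurePosixPath(parts[0]).name, parts[1:]
            if parts == ["ALL"]:
                reason = "any command allowed"
            elif name in CODE_EXEC_TOOLS and (not args or "*" in " ".join(args)):
                # A sudoers command listed without arguments may be run with any arguments.
                reason = f"{name} allowed with arbitrary arguments"
            else:
                continue  # arguments pinned, or tool not on the list
            findings.append({"runas": m.group("runas"), "nopasswd": nopasswd,
                             "command": cmd.strip(), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f)
```

Only the first sample rule is reported; the other two pin their arguments, so the open-ended subcommand path is not available through them.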
