Knife — HackTheBox Write-up (L-E)
Reconnaissance
So we only have 2 interesting ports.
The website is quite empty. None of the tabs in the upper right are clickable. Let’s see if we can enumerate some hidden directories.
Enumeration
That’s weird. We don’t have any useful directories.
Snooping around, we’ll see that this website is running on PHP 8.1.0.
(Or if you have the Wappalyzer plugin, you’ll see this info immediately.)
This is good news for us, since PHP 8.1.0 has an existing remote code execution vulnerability that you can see here.
Let’s try it out.
And it works! We now have access to the system!
User Flag
Since we already have access, it’s just a simple matter of finding the user flag.
Root Flag
Let’s run a reverse shell to have a more stable connection, then spawn a Python interactive shell. I used this site to help me generate the reverse shell.
Since we obviously can’t access the root directory to get the root flag, let’s check what this user can run.
So we can run the knife command. GTFOBins is a great website that lists valid commands we can use in Linux binaries to help us escalate our privilege.
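From the defender's side, the finding above is a sudo rule that hands a code-executing tool to an unprivileged account. The following is an added example, not part of the original write-up: it audits `sudo -l` output for such rules. The sample output, the account name `appuser` and the contents of the watchlist are constructed assumptions.

```python
import re

# Assumption: a small local watchlist of binaries that can execute arbitrary
# code or spawn a shell when run via sudo. "knife" is the one from this box;
# the others are common examples. Extend it from GTFOBins for real audits.
RISKY_BINARIES = {"knife", "vim", "find", "python3", "perl", "ruby", "less"}

# Constructed sample of `sudo -l` output (not captured from the machine).
SAMPLE_SUDO_L = """\
Matching Defaults entries for appuser on host:
    env_reset, mail_badpass

User appuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx
    (ALL : ALL) NOPASSWD: ALL
"""

# One rule line: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudo_rules(sudo_l_output):
    """Return a list of (severity, runas, command, reason) findings."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults entry or blank line
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted sudo"
            elif binary in RISKY_BINARIES:
                reason = f"{binary} can run arbitrary code as {runas}"
            else:
                continue  # fixed command not on the watchlist
            # No password prompt means a stolen session is enough.
            severity = "HIGH" if nopasswd else "MEDIUM"
            findings.append((severity, runas, cmd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(" | ".join(finding))
```

Rules it flags are candidates for removal or for replacement with a narrow wrapper script that takes no user-controlled arguments.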
To find the root flag