So we only have 2 interesting ports.
The website is quite empty. None of the tabs in the upper right are clickable. Let’s see if we can enumerate some hidden directories.
That’s weird. We don’t have any useful directories.
Snooping around, we’ll see that this website is running on PHP 8.1.0.
(Or if you have the Wappalyzer plugin, you’ll see this info immediately.)
This is good news for us, since PHP 8.1.0 has an existing remote code execution vulnerability that you can see here.
Let’s try it out.
And it works! We now have access to the system!
Since we already have access, it’s just a simple matter of finding the user flag.
Let’s run a reverse shell to have a more stable connection, then spawn a Python interactive shell. I used this site to help me generate the reverse shell.
Since we obviously can’t access the root directory to get the root flag, let’s check what this user can run.
So we can run the knife command. GTFOBins is a great website that lists ways Linux binaries can be used to help us escalate our privileges.
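A defender-side check for the misconfiguration found above, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags rules that let a user run, as root, a binary capable of executing arbitrary commands. The sample output, the user and host names, and the short `RISKY_BINARIES` list are constructed assumptions; only `knife` comes from this page.

```python
import re

# Assumption: short, non-exhaustive sample of binaries that can execute
# arbitrary commands when run through sudo; "knife" is the one from this page.
RISKY_BINARIES = {"knife", "vim", "find", "python3", "perl", "ruby", "awk", "less"}

# Constructed sample of `sudo -l` output; user and host names are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webuser on host:
    env_reset, mail_badpass

User webuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/uptime
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/df -h
    (backup) NOPASSWD: /usr/bin/find
"""

# "(runas) TAG: TAG: cmd, cmd" -> run-as spec, optional tags, command list.
RULE_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_listing(text):
    """Return (command_path, runas_user, nopasswd) for each risky root-level rule."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything before this is Defaults, not rules
            continue
        match = RULE_RE.match(line) if in_rules else None
        if not match:
            continue
        runas_user = match.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # rule does not grant root; out of scope for this check
        nopasswd = "NOPASSWD:" in match.group("tags")
        # Simplification: splits on every comma, so escaped commas inside
        # arguments are not handled.
        for cmd in filter(None, (c.strip() for c in match.group("cmds").split(","))):
            path = cmd.split()[0]
            if path == "ALL" or path.rsplit("/", 1)[-1] in RISKY_BINARIES:
                findings.append((path, runas_user, nopasswd))
    return findings

if __name__ == "__main__":
    for path, runas_user, nopasswd in audit_sudo_listing(SAMPLE_SUDO_L):
        print(f"{path}: runs as {runas_user}, password required: {not nopasswd}")
```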
To find the root flag