HackTheBox Writeup — Knife

Faisal Husaini
3 min readAug 28, 2021

--

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.11.242

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.242

Way to User

As Port 80 for Web was open, I check the website on the browser

Nothing interesting, but there were options available but no clickable links

Checking more information on Wapplyzer, I found that PHP version to be running as 8.1.0

Also analyzing the response on Burp Suite, I found out that the website is powered by PHP-8.1.0-dev

There is a publicly available exploit for this version of PHP available on Exploit-DB

Using the exploit and getting shell directly as user james

Since this is not a proper shell, I opted for a better shell

Getting the user flag successfully on the user’s home directory

Way to Root

Checking the sudoer’s entry, it was found that the user james can run sudo as root without password on /usr/bin/knife

There was an entry exploit for this available on GTFOBINS

--

--

Faisal Husaini
Faisal Husaini

Written by Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover

No responses yet