HackTheBox Writeup — Knife

Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.

Port Scan / Enumeration

Way to User

As port 80 for web was open, I checked the website in the browser

Nothing interesting; there were options available but no clickable links

Checking more information on Wappalyzer, I found the PHP version running to be 8.1.0

Also, analyzing the response in Burp Suite, I found out that the website is powered by PHP-8.1.0-dev

There is a publicly available exploit for this version of PHP on Exploit-DB

Using the exploit, I got a shell directly as user james

Since this is not a proper shell, I opted for a better shell

Getting the user flag successfully from the user’s home directory

Way to Root

Checking the sudoers entry, it was found that the user james can run /usr/bin/knife with sudo as root without a password

There was an entry for this available on GTFOBins
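The same finding from the defender's side, as an added example that is not part of the original writeup: a small audit that parses `sudo -l` style output and reports passwordless, root-capable rules for binaries on a watchlist. The watchlist, the function name `audit_sudo_l` and the sample text are assumptions made for illustration; only `/usr/bin/knife` and the user `james` come from the writeup.

```python
import re

# Assumption: binaries treated as "can run arbitrary code as the target user".
# Only knife comes from the writeup; a real audit would use a fuller list.
WATCHLIST = {"knife"}

# Constructed sample in the format `sudo -l` prints (not captured from the box).
SAMPLE = """\
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/syslog, PASSWD: /usr/bin/knife
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/knife
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudo_l(text, watchlist=WATCHLIST):
    """Return (runas_user, command_path) for passwordless root-capable rules
    whose binary is on the watchlist."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header lines, Defaults entries, blanks
        users = [u.strip() for u in rule["runas"].split(":")[0].split(",")]
        root_capable = [u for u in users if u in ("root", "ALL")]
        nopasswd = False
        # Split on commas that are not backslash-escaped inside arguments.
        for cmd in re.split(r"(?<!\\),", rule["cmds"]):
            cmd = cmd.strip()
            # Tags (NOPASSWD:, PASSWD:, SETENV:, ...) persist until overridden.
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if not cmd or not root_capable or not nopasswd:
                continue
            path = cmd.split()[0]
            if path == "ALL" or path.rsplit("/", 1)[-1] in watchlist:
                findings.append((root_capable[0], path))
    return findings

if __name__ == "__main__":
    for user, path in audit_sudo_l(SAMPLE):
        print(f"passwordless sudo as {user}: {path}")
```

Rules that require a password, or that name a binary outside the watchlist, are skipped; a bare `ALL` command is reported because it covers every watchlisted binary.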

