HackTheBox Writeup — Knife
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.
The IP of this box is 10.10.11.242.
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.242
Way to User
As port 80 for web was open, I checked the website in the browser.
Nothing interesting; there were options available but no clickable links.
Checking for more information with Wappalyzer, I found the PHP version running to be 8.1.0.
Also, analyzing the response in Burp Suite, I found out that the website is powered by PHP-8.1.0-dev.
There is a publicly available exploit for this version of PHP on Exploit-DB.
Using the exploit, I got a shell directly as the user james.
Since this is not a proper shell, I opted for a better shell.
Getting the user flag successfully from the user’s home directory.
Way to Root
Checking the sudoers entry, I found that the user james can run /usr/bin/knife as root via sudo without a password.
There was an entry for this available on GTFOBins.
Using this to exploit the vulnerability, I got a shell as root.
Getting the root flag from root’s home directory.
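For defenders, the sudoers finding above is the kind of rule worth auditing for. The following is an added example, not part of the original writeup: it parses `sudo -l` output and flags rules that grant root on a program able to run arbitrary code. The ESCAPE_CAPABLE set, the function name and the sample output are assumptions made for illustration.

```python
import re

# Assumption: a small hand-picked set of programs that can run arbitrary code
# or spawn a shell; GTFOBins catalogues many more. Extend for your estate.
ESCAPE_CAPABLE = {"knife", "vim", "less", "find", "awk", "env", "perl",
                  "python3", "ruby", "tar"}

# A rule line in `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(output):
    """Return (command, severity, reason) for risky rules that grant root."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or Defaults line, not a rule
        runas, tags, cmds = m.groups()
        users = [u.strip() for u in runas.split(":")[0].split(",")]
        if not any(u in ("root", "ALL") for u in users):
            continue  # rule does not grant root
        # No password prompt means any code running as the user can use it.
        severity = "high" if "NOPASSWD:" in tags else "medium"
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, severity, "unrestricted sudo"))
            elif name in ESCAPE_CAPABLE:
                findings.append((cmd, severity, "can execute arbitrary code"))
    return findings

# Constructed sample modelled on the finding above (not captured output).
SAMPLE = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/less /var/log/app.log
"""

if __name__ == "__main__":
    for cmd, severity, reason in audit_sudo_l(SAMPLE):
        print(f"[{severity}] {cmd}: {reason}")
```

A rule flagged here should be removed or replaced with a narrowly scoped wrapper that takes no user-controlled arguments.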