NETWORK

ENUMERATION

Looking at HTTP on port 80, we can see the following

WhatWeb has revealed that the website is using PHP/8.1.0-dev.

FOOTHOLD

Low access shell

Using exploit-db, we found a Python script that exploits “PHP/8.1.0-dev”, which is known to be vulnerable to the ‘User-Agentt’ remote code execution.
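The misspelled header name gives defenders something concrete to hunt for. As an added example (not part of the original write-up or of the exploit-db script), this Python code scans captured HTTP requests for a header named User-Agentt; the request records, addresses and function names are constructed for illustration.

```python
# Header name taken from the write-up; HTTP header names are case-insensitive.
SUSPECT_HEADER = "user-agentt"

# Constructed sample: (client address, raw HTTP/1.x request) pairs as a
# reverse proxy or packet capture might record them. All values are made up.
RECORDS = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                   b"User-Agent: curl/8.0\r\n\r\n"),
    ("198.51.100.7", b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
                     b"User-Agentt: constructed-value\r\n\r\n"),
    # Mixed case plus a folded continuation line.
    ("198.51.100.8", b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                     b"user-agentT: x\r\n\ty\r\n\r\n"),
    # The string appears only in the body, so it is not a header.
    ("192.0.2.11", b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 14\r\n\r\nUser-Agentt: z"),
]


def parse_headers(raw):
    """Return (request_line, [(name, value), ...]) for one raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # obs-fold continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_suspect_requests(records):
    """List every request that carries the misspelled header."""
    findings = []
    for client, raw in records:
        request_line, headers = parse_headers(raw)
        for name, value in headers:
            if name.lower() == SUSPECT_HEADER:
                findings.append({"client": client, "request": request_line,
                                 "header": name, "value_len": len(value)})
    return findings


if __name__ == "__main__":
    for hit in find_suspect_requests(RECORDS):
        print(hit)
```

Default web server access logs record only a few headers, so this check needs full request headers from a proxy, WAF or packet capture.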

Better shell

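Let’s copy our public key to the server:

# On the attacking machine: copy the public key to the clipboard
cat ~/.ssh/attack.pub | xclip -selection "clipboard"
# On the server, in the low-access shell: install the key
echo "ssh-rsa AAAAB3XXXXXXX= clobee@kali" > ~/.ssh/authorized_keys

We can then connect to the server via SSH.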

PRIV ESCALATION

Looking into the sudo permissions for user James

We noticed that this user is allowed to run a command named knife.

Using this script

and then running bash -i from within vi, we get root.