I have never completed a box in HTB without some hint or clue from various forums and Google searches until the Knife machine. It is a fairly easy machine, and this is how I got to its user flag.
Step 1:
Used nmap to find open ports. Got only two — ssh and http. I knew I would be wasting time trying to break into ssh, so I started working on the http port 80 right away.
Step 2:
The website hosted on port 80 was very simple and basic. I tried running dirb but did not find any directories. I also ran nikto on the site but got nothing exploitable.
Step 3:
I mostly do not use Burp for CTF tasks, but it became necessary here as I was getting nowhere with this box. I captured the request and analyzed the response with Burp Repeater.
Here, I saw that the X-Provided-By header in the request has the value “php/8.1.0-dev”. The “dev” means in-development mode, so I searched the net for any bugs present in php/8.1.0-dev for exploitation. Fortunately, I stumbled upon an RCE bug found in this version of php.
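The finding above comes down to a version-disclosing response header: PHP announces its version in an X-Powered-By header unless expose_php is set to Off in php.ini, and a "-dev" suffix tells anyone reading it that a development build is running. The script below is an added example (not part of the original write-up, and not tooling from HTB or the box) that a defender can run against a captured response to flag such headers. The raw HTTP response it parses is constructed for illustration, not a capture from the Knife machine, and the set of header names it inspects is an assumed list of common technology-disclosure headers.

```python
"""Flag HTTP response headers that disclose a product version.

Added example for this write-up; not the author's code. The sample
response below is constructed, not captured from the box.
"""
import re
from typing import Dict, List, Tuple

# Assumed list of headers that commonly leak the technology stack or its
# version. Header names are compared case-insensitively.
DISCLOSURE_HEADERS = {
    "server",
    "x-powered-by",
    "x-provided-by",
    "x-aspnet-version",
    "x-generator",
}

# Matches "product/version" tokens such as "PHP/8.1.0-dev" or "Apache/2.4.41".
VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d+(?:\.\d+)*(?:-[\w.]+)?)"
)

# Suffixes that mark a pre-release or development build.
PRERELEASE_RE = re.compile(r"-(dev|alpha|beta|rc)", re.IGNORECASE)

# Constructed sample response (not real traffic from the machine).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response.

    Returns a dict keyed by lowercase header name. Raises ValueError if the
    text does not start with an HTTP status line.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than crash on them
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Return (header, product, version, is_prerelease) for each leak found."""
    findings: List[Tuple[str, str, str, bool]] = []
    for name, value in headers.items():
        if name not in DISCLOSURE_HEADERS:
            continue
        for match in VERSION_RE.finditer(value):
            version = match.group("version")
            is_prerelease = PRERELEASE_RE.search(version) is not None
            findings.append((name, match.group("product"), version, is_prerelease))
    return findings


def scan(raw: str) -> List[Tuple[str, str, str, bool]]:
    """Parse a raw response and return its version disclosures."""
    return find_disclosures(parse_response_headers(raw))


if __name__ == "__main__":
    for header, product, version, pre in scan(SAMPLE_RESPONSE):
        flag = "  <-- development/pre-release build" if pre else ""
        print(f"{header}: {product} {version}{flag}")
```

On the constructed sample this reports the Apache version from the Server header and the PHP version from X-Powered-By, marking the latter as a pre-release build. On the server side the same leak is closed by setting `expose_php = Off` in php.ini and, for Apache httpd, `ServerTokens Prod`; the script is useful as a post-hardening check that those settings took effect.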