Php

Sometimes the vulnerability is not in your target’s code - it is in their supply chain. Knife is a good example of what happens when a poisoned release slips through. Machine info Name Knife Platform HackTheBox OS Linux Difficulty Easy TL;DR A web server running PHP 8.1.0-dev - a version that shipped with a backdoor - allows arbitrary command execution via a custom HTTP header Initial shell as james, sudo -l reveals the knife CLI can be run as root without a password sudo knife exec -E "exec('/bin/bash')" drops a root shell immediately Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.34.68 ...

Bashed is a good reminder that developers are the best pentesters’ allies - a web shell left in /dev does most of the work for you, and the path to root runs through a misconfigured sudo and a predictable job. Machine info Name Bashed Platform HackTheBox OS Linux Difficulty Easy TL;DR FeroxBuster finds a /dev directory hosting phpbash.php - an interactive PHP web shell Shell as www-data, sudo -l reveals we can run anything as scriptmanager without a password A job runs /scripts/test.py as root - overwrite it with a reverse shell payload to escalate Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.0.0 ...