# Knife!
## @author : M3tr1c_r00t

Knife is an easy Linux box. Careful enumeration reveals an uncommon header in the site's response, which we use to get a reverse shell and gain user privileges; we then use GTFOBins to get root.
### Enumeration
_**nmap scan**_

There's not much in the nmap scan.
<br> There are 2 ports open: SSH and HTTP on port 80.
### Priv Escalation
After forwarding the site's response into the Burp Suite Repeater tab, I noticed there was an odd header in the response.
<br> **X-Powered-By: PHP/8.1.0-dev**
After a bit of recon, I found some pieces of information which helped me identify a vulnerability and exploit it.

The X-Powered-By header provides information on the technologies being used by the webserver.
After a bit more of recon ...

After inspecting the code on Exploit-DB, we find that the script sends a request after adding a new header, `"User-Agentt":zerodiumsystem('" + cmd + "')`

Instead of using the script, I opted to do this manually so that I could get a bigger picture of what was happening.
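Seen from the defending side, both artefacts above are easy to look for in captured traffic: the `-dev` version banner in responses and the misspelled `User-Agentt` header in requests. The following is an added example, not part of the original write-up or the Exploit-DB script; the function names and the sample messages are constructed for illustration.

```python
import re

# Assumption: a development build announces itself with a "-dev" suffix,
# as in the PHP/8.1.0-dev banner seen on this box.
DEV_BANNER = re.compile(r"^PHP/\d+\.\d+\.\d+-dev\b", re.IGNORECASE)
TRIGGER_HEADER = "user-agentt"   # misspelled header named in the write-up
TRIGGER_PREFIX = "zerodium"      # value prefix named in the write-up


def parse_headers(raw):
    """Split a raw HTTP message into its start line and (name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # obsolete folded header line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def findings(raw):
    """Return a list of alert strings for one captured request or response."""
    start, headers = parse_headers(raw)
    alerts = []
    for name, value in headers:
        if name == "x-powered-by" and DEV_BANNER.match(value):
            alerts.append(f"dev-build banner exposed: {value}")
        if name == TRIGGER_HEADER:
            hit = value.lower().startswith(TRIGGER_PREFIX)
            kind = "backdoor trigger" if hit else "misspelled User-Agent header"
            alerts.append(f"{kind} in request: {start}")
    return alerts


# Constructed sample traffic (not captured from the box).
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/8.1.0-dev\r\n\r\n<html>"
SAMPLE_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodiumsystem('<cmd>');\r\n\r\n"
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for msg in (SAMPLE_RESPONSE, SAMPLE_REQUEST, BENIGN_REQUEST):
        print(findings(msg) or "clean")
```

Removing the `X-Powered-By` banner (for PHP, `expose_php = Off`) only hides the version; the fix is to run a release build rather than a development snapshot.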

I tried working with the curl command to see if I get a connection, and boom!
<br>Next up, let's get our reverse shell....

After we get our reverse shell, we are logged in as James.
<br> Navigate to his home directory and you can get the user flag.

On running `sudo -l` to see what commands we can run as root, we note that we can run the knife binary as root.
<br> Heading over to GTFOBins, we find the SUID of the knife binary....

And we are root!
Get your root flag and done!

### Socials
@Instagram:https://instagram.com/M3tr1c_r00t
<br>@Twitter:https://twitter.com/M3tr1c_root