TryHackMe WriteUp: Agent T

Challenge Name: Agent T by John Hammond

Let’s spin up the machine…

Enumeration

We need to check which services are exposed on the host. Any misconfiguration in these services could give us a way into the box.

sudo nmap -A -Pn -T5 10.10.181.117

Now, check port 80.

Go through the website and see if it takes any input.

It does not take any input.

Check the headers with Burp.

We see “PHP/8.1.0-dev” in the response. Let’s check for any vulnerabilities.

Exploitation

PHP 8.1.0-dev, an early release of PHP, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
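
The two indicators described above (the PHP/8.1.0-dev banner in a response and a request header named User-Agentt) can be checked for on the defensive side. This is an added example, not code from the challenge or the linked repository; the function names and the sample traffic are constructed for illustration.

```python
import re

# Version banner quoted in this write-up; the plain 8.1.0 release must not match.
BACKDOORED_BANNER = re.compile(r"PHP/8\.1\.0-dev\b", re.IGNORECASE)
# Header name quoted in this write-up (note the doubled "t").
SUSPECT_HEADER = "user-agentt"


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP message, ignoring start line and body."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def response_exposes_backdoored_build(raw_response):
    """True if any response header advertises PHP/8.1.0-dev."""
    return any(BACKDOORED_BANNER.search(v) for _, v in parse_headers(raw_response))


def request_uses_suspect_header(raw_request):
    """True if a header is literally named User-Agentt (HTTP names are case-insensitive)."""
    return any(n.lower() == SUSPECT_HEADER for n, _ in parse_headers(raw_request))


# Constructed sample traffic, not captured from the box.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n\r\n<html></html>"
)
BENIGN_REQUEST = (
    "POST /form HTTP/1.1\r\nHost: web.example\r\nUser-Agent: curl/8.0\r\n"
    "X-Note: User-Agentt\r\n\r\nUser-Agentt: only-in-body"
)
SUSPECT_REQUEST = (
    "GET / HTTP/1.1\r\nHost: web.example\r\nUser-Agent: curl/8.0\r\n"
    "user-agentT: <value omitted>\r\n\r\n"
)

if __name__ == "__main__":
    print("banner flagged:", response_exposes_backdoored_build(SAMPLE_RESPONSE))
    print("benign flagged:", request_uses_suspect_header(BENIGN_REQUEST))
    print("suspect flagged:", request_uses_suspect_header(SUSPECT_REQUEST))
```

A hit on the banner check means the server should be rebuilt from a clean PHP release; a hit on the request check is worth alerting on regardless of the PHP version, since no legitimate client sends that header.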

Exploit: https://github.com/flast101/php-8.1.0-dev-backdoor-rce

Before cloning the repo, check whether the exploit contains any malicious code ;)

The code looks legit.

We got command execution.

Get Flag


Thank you for reading. Knowledge is power, so keep gaining!😈
