TryHackMe: Agent T Writeup
Level: (very) Easy
Link: Agent T
Highlight: This is a simple machine in which we abuse the PHP backdoor to gain RCE
Enumeration
This is very simple and does not need much enumeration. We know port 80 is open. I ran an nmap scan on this port to find out what service it was running.
We see that the HTTP server is running on PHP 8.1.0-dev.
Alternatively, you can also find this by setting up the Burp proxy and looking at the response.
The “dev” tag in PHP 8.1.0-dev caught my eye, and when I searched for it, I found out that it has a backdoor which allows RCE.
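From the defender's side, the same version banner seen in the response can be checked across a set of hosts to find servers advertising this build or any other pre-release PHP. This is an added example, not part of the original writeup; the sample responses, addresses and function names are constructed for illustration.

```python
import re

# PHP token in X-Powered-By or Server, with an optional pre-release tag.
PHP_TOKEN = re.compile(r"PHP/(\d+\.\d+\.\d+)(?:-?(dev|alpha\d*|beta\d*|rc\d*))?", re.I)

# The build this writeup identifies as backdoored.
FLAGGED_BUILDS = {("8.1.0", "dev")}

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def php_build(raw):
    """Return (version, tag) advertised by the response, or None if no PHP banner."""
    headers = parse_headers(raw)
    for name in ("x-powered-by", "server"):
        m = PHP_TOKEN.search(headers.get(name, ""))
        if m:
            return m.group(1), (m.group(2) or "").lower()
    return None

def classify(raw):
    build = php_build(raw)
    if build is None:
        return "no-banner"    # expose_php may be off; check the installed package instead
    if build in FLAGGED_BUILDS:
        return "flagged-build"
    return "prerelease" if build[1] else "release"

def audit(responses):
    """Map each host to a verdict based on the banner in its captured response."""
    return {host: classify(raw) for host, raw in sorted(responses.items())}

# Constructed sample responses (documentation address range, not real hosts).
SAMPLES = {
    "192.0.2.5": "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.1.0-dev\r\n\r\n<html>",
    "192.0.2.6": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.54\r\nx-powered-by: PHP/8.1.12\r\n\r\n",
    "192.0.2.7": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "192.0.2.8": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.54 PHP/8.2.0RC1\r\n\r\n",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:12} {verdict}")
```

A "no-banner" verdict only means the header is suppressed, so those hosts still need their installed PHP package verified directly.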
Exploitation
This part too is very simple and straightforward.
I searched for PHP 8.1.0-dev on exploit-db and found the exploit: https://www.exploit-db.com/exploits/49933
I downloaded it and ran it against the HTTP server, and I had a root shell.
Now to get the flag...