Agent T — TryHackMe Walkthrough

Hasanka Amarasinghe
3 min read · Aug 7, 2022


Something seems a little off with the server.

You can find the link to the TryHackMe room below.

Task 1: Find The Flag

Agent T uncovered this website, which looks innocent enough, but something seems off about how the server responds…

After deploying the vulnerable machine attached to this task, please wait a couple of minutes for it to respond.

Answer the questions below

What is the flag?

Alright, first things first: we could start this off with an nmap scan, directory busting and so on, but the description practically screams that this is a web server, and the question hint tells us to "Look closely at the HTTP headers when you request the first page…"

With that in mind, we have several options for viewing the response headers:

We can load the website and read the headers from the browser's developer tools (assuming the site is hosted on port 80; if that fails, we can nmap away!):

Or we can go all out and use Burp Suite to intercept the traffic (how to do that is another discussion):

Or we can use the http command-line package to send a simple GET request from the terminal (I just sent a GET request without parameters as I was lazy :D):

So, the response headers (the X-Powered-By header that PHP adds by default) tell us that this server is running PHP 8.1.0-dev, which is good news for us and bad news for the server admin ;)

This is where Google comes to the rescue:

You can read all about the exploit here >>

After this everything is self-explanatory: download the POC and run it to get a shell ;)

There are two ways to get this done as well; it looks like I used the not-so-traditional way and just landed myself a shell, not a reverse shell.

I literally ran 'cat /flag.txt', whereas the author provided a more flexible reverse shell option as well. I'll walk you through both :)

You might be able to do this manually as well, which I'm not going to discuss here, yet.

This short exploit script, backdoor_php_8.1.0-dev.py, uses the backdoor to provide a pseudo system shell on the host. You can find it on Exploit-DB.

You can simply download the backdoor shell spawner from above and try it the hard way:

Or download the reverse shell POC script :

This short exploit script, revshell_php_8.1.0-dev.py, gives a reverse shell on the target.

And there you have it ;)

If you liked this content, follow me on Medium to help the algorithm :)
