Skip to content

Agent T Write-up

Agent T is a short and easy room from TryHackMe. You can find it here if you want to give it a shot before reading this write-up.

Apparently someone named Agent T uncovered a website and we are tasked with figuring out what is wrong with it. He seems nice.

Agent T image showing a guy wearing a suit and headset
Agent T

Enumeration

As usual we start with an nmap scan of the target.

nmap code: "nmap -sV -v [ip address]"
nmap code

This scan only finds one port open.

nmap result showing port 80 open and running php 8.1.0-dev
Nmap result

As usual, when there is an http service open on port 80 we can plug the ip address into our browser. Doing so brings us to an admin dashboard. Usually that would be great news! However, this time the admin page doesn’t seem to do anything. Clicking on the various links either brings us to a “not found” page or does nothing. Strange.

Just like in the room Skynet, I ran gobuster to see if there were any other pages but this time it only returned an error:

Error: the server returns a status code that matches the provided options for non existing urls...To continue please exclude the status code, the length or use the --wildcard switch

Weird. Next, I tried the –wildcard switch and it found a lot of pages, none of which really exist. That seemed like a dead end so instead I tried to inspect the page in my browser using F12 (I’m using Firefox). From there I learned there are no cookies I can play with and watching the network tab load didn’t really tell me anything I didn’t already know. Well, that seems to be all the obvious enumeration I can see right now. Lets google a few things we learned.

Exploitation

From our Nmap scan we see we have a dev version of php 8.1.0, which is interesting. Normally we don’t see dev versions of things on websites. Googling php 8.1.0-dev exploit brings up an exploit-DB page. This looks promising! It’s even named Agent T Remote Code Execution. Nice, now we know where the name of the room comes from! Reading the exploit page tells us there is a backdoor that allows us to execute arbitrary code by modifying the user-agentt header and gives us a python script to try.

I tried the python script against our website and it just hung the first time. After looking through the code and comparing it to the header from the website inspection I realized the line:

User-Agent[my browser and system information]
website header

didn’t match the heading in the python code. Copy and pasting the correct heading information from the website into the python code gave me a pseudo shell.

pseudo code image showing "id" as root
pseudo system shell

Unfortunately, the pseudo shell doesn’t seem to let me change directories. Fortunately, we can still use the “find” command to search. Using “find / user.txt” listed a whole lot of files, none of which are called user.txt, but amusingly the last one in the list is /flag.txt! Running “cat /flag.txt” gives us our flag.

Search failed successfully.

GIF by MOODMAN - Find & Share on GIPHY

via GIPHY

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.