Agent-T TryHackMe CTF writeup

By JAY BHATT
Published in System Weakness, Aug 6, 2022

Agent T

Agent T is a beginner-friendly CTF published on TryHackMe, created by ben, JohnHammond, cmnatic, blacknote, and timtaylor. Let’s boot up the machine and start hacking!!

The machine may take around 1–2 minutes to start.
Let’s start with an Nmap scan.

# Nmap 7.80 scan initiated Sat Aug  6 10:22:21 2022 as: nmap -Pn -sV -sC -oN normal -A -vv 10.10.144.232
Nmap scan report for 10.10.144.232
Host is up, received user-set (0.15s latency).
Scanned at 2022-08-06 10:22:21 IST for 25s
Not shown: 999 closed ports
Reason: 999 conn-refused
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack PHP cli server 5.5 or later (PHP *.*.*-***)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Admin Dashboard
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 6 10:22:46 2022 -- 1 IP address (1 host up) scanned in 25.89 seconds

The scan discloses the PHP version: PHP *.*.*-***

Run searchsploit PHP *.*.*-***

The results include a User-Agentt Remote Code Execution exploit. Copy it locally with

searchsploit -m php/webapps/4****.py

and have a look inside the RCE file.
It sends an extra header called User-Agentt containing system commands, and the server executes them!!

Let’s fire up Burp Suite, reload the page and intercept the request, add a User-Agentt header with the id command, and forward the request.

We are successfully able to execute the system command!!
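
On the defensive side, the misspelled header is easy to hunt for. The sketch below is an added example, not code from the exploit or from TryHackMe: it scans raw HTTP requests for a User-Agentt header, and the sample requests and the host name target.example are constructed.

```python
# Header name described in this writeup; HTTP header names are case-insensitive.
SUSPECT_HEADER = "user-agentt"

# Constructed sample requests (not captured traffic); target.example is a placeholder.
SAMPLE_REQUESTS = [
    # 0: normal browser request
    b"GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # 1: extra header next to the real User-Agent
    b"GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n"
    b"User-Agentt: <command placeholder>\r\n\r\n",
    # 2: lower-case name with stray whitespace before the colon
    b"GET / HTTP/1.1\r\nHost: target.example\r\nuser-agentt : x\r\n\r\n",
    # 3: the string appears only in the body, so it is not a header
    b"POST / HTTP/1.1\r\nHost: target.example\r\nContent-Length: 17\r\n\r\n"
    b"User-Agentt: body",
]


def parse_headers(raw: bytes):
    """Return (name, value) pairs from the header section only."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue  # malformed header line, ignore it
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_suspect_header(raw: bytes):
    """Return the value of the first User-Agentt header, or None."""
    for name, value in parse_headers(raw):
        if name.lower() == SUSPECT_HEADER:
            return value
    return None


def scan(requests):
    """Return the indexes of requests that carry the suspect header."""
    return [i for i, r in enumerate(requests) if find_suspect_header(r) is not None]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"request {i}: User-Agentt = {find_suspect_header(SAMPLE_REQUESTS[i])!r}")
```

The same match works as a WAF or reverse-proxy rule: no legitimate client sends a header with this name, so any hit is worth an alert.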

Let’s move on to gaining a shell. Send the same request to Repeater,
encode the reverse shell in base64, start the listener, and pass this command:
echo base64data | base64 -d | bash
We got a shell!!

Hope you like this CTF walkthrough, and thanks for reading it.
Happy hacking! ❤
