Agent T — TryHackMe

Write-up

Bat_09
Aug 6, 2022

Let’s start up the machine and head to the IP. In the browser we can see it’s an admin dashboard; however, most of the buttons and links weren’t loading, which is weird. One page, blank.html, did load, and it’s listed under a different user. Nothing useful here, so next up is an nmap scan.

sudo nmap -A <ip>

From the results we can see it’s running on a PHP server. Now let’s look at the request and response in Burp Suite.

PHP version 8.1.0 is present, and googling it showed that it was released with a backdoor. The exploit is available here: https://github.com/flast101/php-8.1.0-dev-backdoor-rce. Let’s run the script, and we are root…
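The same version banner that gave the server away in the response can be audited from the defender's side. The following is an added example, not part of the original write-up or the linked repository: it parses raw HTTP responses and flags PHP version disclosure. The function names and sample responses are constructed, and it assumes the version appears in the `X-Powered-By` or `Server` header.

```python
import re

# Assumption: the affected build is identified by the version string in the
# linked repository's name (8.1.0-dev). Extend the set as needed.
FLAGGED_BUILDS = {"8.1.0-dev"}
PHP_TOKEN = re.compile(r"PHP/([0-9]+(?:\.[0-9]+)*(?:-?[A-Za-z0-9.]+)?)", re.I)
PRE_RELEASE = re.compile(r"dev|alpha|beta|rc", re.I)

# Constructed sample responses (not captured from the room).
SAMPLE_FLAGGED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n<html>...</html>"
)
SAMPLE_RELEASE = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.54 (Debian) PHP/8.1.12\r\n\r\n"
SAMPLE_HIDDEN = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def parse_headers(raw):
    """Return (lowercased name, value) pairs from the header block of a raw response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    pairs = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_php_banner(raw):
    """Report PHP version disclosure found in X-Powered-By / Server headers."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in ("x-powered-by", "server"):
            continue
        for version in PHP_TOKEN.findall(value):
            if version.lower() in FLAGGED_BUILDS:
                severity = "critical"  # build named in the linked repository
            elif PRE_RELEASE.search(version):
                severity = "high"      # pre-release build serving traffic
            else:
                severity = "info"      # version disclosure only
            findings.append({"header": name, "version": version, "severity": severity})
    return findings
```

Setting `expose_php = Off` in php.ini removes the `X-Powered-By` banner but does not change the build that is running; a flagged build still has to be replaced with a release version.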

At last, we found flag.txt and read the flag with the cat command.

Thank You!!

Happy Hacking 🦇
