Agent T

Something seems a little off with the server.

TLDR

Exploit PHP/8.1.0-dev vulnerability and create remote shell.

Solution

Start by port scanning the IP with nmap:

• nmap 10.10.10.10

• Port 80 is open and running webserver.

After looking at the website I check what the hint was:

• Look closely at the HTTP headers when you request the first page…

Check HTTP header with curl:

• curl http:// 10.10.10.10/ -v

• or we can see this information from the website also.

Found framework version

• X-Powered-By: PHP/8.1.0-dev

As I don’t figure any other vulnerability I check what exploit-db has to offer.

• found exploit
• other exploit

using the found exploits remote shell can be created to the webserver.

I open nc listener on my machine

• nc -lvp 4444

then execute python code mentioned above.

Remote Shell Connection Done

• id command see we are root

Find the flag.txt

• $find / -name "flag.txt"
  • /flag.txt - file is located in root
• cat flag.txt - we got the flag

FLAG: flag{4127d0530abf16d6d23973e3df8dbecb}

Nice room :) Interesting story behind the exploit. Great to learn to use exploit-db in practice. Got some problems trying to connect to website after “curling” it as it was busy waiting something. Also was nice to see how the room name itself was a hint for the challenge, brilliant.