This is a writeup for the Tech_Supp0rt machine from the TryHackMe site.
Enumeration
First, let’s start with a scan of our target with the following command:
nmap -sV -T4 -Pn 10.10.222.86
Four TCP ports are discovered:
- 22/tcp : SSH (OpenSSH 7.2p2)
- 80/tcp : HTTP web server (Apache 2.4.18)
- 139/tcp : Samba (3.X - 4.X)
- 445/tcp : Samba (3.X - 4.X)
Exploit
First, I run a directory scan against the website.
Two interesting results turn up:
After looking around the two sites, I decide to examine the SMB server. For that I try to connect anonymously.
It works, and I can retrieve an enter.txt file.
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
In this file we learn that another site exists in the Subrion folder, and we are also given credentials for it. After testing, the password does not seem to work as-is. So I run a directory scan on the Subrion site to see if I can find something interesting:
A robots.txt file, but nothing special in it:
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/
So I try to decode the password with CyberChef. As soon as I paste the string in, CyberChef decodes it to the following string:
So I try to log in with this password.
Now that I am connected and I know the Subrion version, I start looking for exploits that would give me a reverse shell.
┌──(d3vyce㉿kali)-[~]
└─$ searchsploit subrion 4.2.1
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin) | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting | php/webapps/45150.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I quickly find an arbitrary file upload exploit that would allow me to get a reverse shell. I save a copy of it with the following command:
searchsploit -x php/webapps/49876.py > exploit.py
Then I run it with the following command:
Another way to get a reverse shell would have been to use the upload page found under content -> upload. While trying this, I noticed that a file with the .php extension is rejected, but the .phar version is accepted:
Searching around, I find that the first flag is owned by the user scamsite. So I go to the wordpress folder to see if I can find information in the configuration files:
[...]
/** MySQL database username */
define( 'DB_USER', 'support' );
/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
[...]
So I try to connect over SSH as scamsite with this password, and it works. I can now recover the first flag.
Privilege escalation
I start by looking at the sudo permissions:
My user has the right to execute the iconv command as root, so I look up this binary on the GTFOBins site: iconv.
This command can be used to write to a file as root. I use it to write my public RSA key into root's authorized_keys file so that I can connect over SSH:
echo "id_rsa.pub" | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys
After connecting over SSH as root, I have a root shell and can retrieve the last flag.
Recommendations
To harden this host, I think the following actions would be necessary:
- Do not allow anonymous access to an SMB server
- Do not leave passwords in accessible files
- Do not grant root sudo rights to binaries unless strictly necessary, in particular not to ones that can read or write arbitrary files
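The third recommendation can be checked mechanically. The script below is an added example written for this writeup, not something from the box or from GTFOBins: it parses sudoers-style rules and flags any rule that lets a user run, as root, a binary that can write arbitrary files, which is exactly how iconv was abused above. The sudoers text is constructed, and FILE_WRITE_BINARIES is an assumed starting list that an administrator would extend.

```python
import re
from dataclasses import dataclass

# Binaries that, when runnable as root via sudo, let the caller write arbitrary
# files (iconv -o was used above to append to /root/.ssh/authorized_keys).
# Assumed starting list: extend it for your own environment.
FILE_WRITE_BINARIES = {"iconv"}

@dataclass
class Finding:
    principal: str   # user or %group granted the rule
    command: str     # command path from the rule
    nopasswd: bool   # True when the rule carries the NOPASSWD tag
    reason: str

# Constructed sample sudoers content (not copied from the target host).
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
# weak: this is the rule that gave root in the writeup
scamsite ALL=(root) NOPASSWD: /usr/bin/iconv
# harmless: needs a password and cannot write arbitrary files
backup   ALL=(root) /usr/bin/rsync
"""

# user  host=(runas) [TAGS:] cmd, cmd ...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")

def parse_rules(text):
    """Yield (principal, runas, nopasswd, [commands]) for each user spec line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        principal, _host, runas, cmds = m.groups()
        nopasswd = "NOPASSWD:" in cmds
        cmds = re.sub(r"(NOPASSWD|PASSWD|SETENV|NOEXEC):", "", cmds)
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        yield principal, (runas or "root"), nopasswd, commands

def audit_sudoers(text, risky=FILE_WRITE_BINARIES):
    """Return a Finding for every rule granting a file-writing binary as root."""
    findings = []
    for principal, runas, nopasswd, commands in parse_rules(text):
        if runas.split(":")[0] not in ("root", "ALL"):
            continue                              # not a root grant
        for cmd in commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in risky:
                findings.append(Finding(principal, cmd, nopasswd,
                    f"{binary} can write files as root (e.g. authorized_keys)"))
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.principal}: {f.command} (NOPASSWD={f.nopasswd}) - {f.reason}")
```

Run it against a copy of /etc/sudoers and the files under /etc/sudoers.d, or against the output of `sudo -l` after light reformatting, and treat every finding as a rule to remove or scope down.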