Tech_Supp0rt: 1
https://tryhackme.com/room/techsupp0rt1#
Last updated
By Jacvbtaylor
Starting with an nmap scan, I find 4 services running on an Ubuntu server:
First viewing the webpage shows a default index.html file for an Apache/2.4.18 (Ubuntu) Server at 10.10.72.90 Port 80. I figured there must be more to this port so I began a dirb attack to look for hidden folders.
While that ran, I looked at the other open ports, specifically for SMB and was able to get more information about the server. Two of the sharenames stood out to me: websvr and IPC$.
I was able to connect to both of those sharenames with a null login and get something off of the server.
Looking at the file I extracted, I found some good clues: a supposed site made with Subrion, a WordPress site, and some credentials for the Subrion panel.
During this time, dirb was able to locate some information which led me to these two webpages on the target server:
There are a few directions I can go at this point, but first I want to see if I can un-cook the admin credentials. It was pretty easy to figure out that the password was base-encoded, but figuring out WHICH and in what order took some time. With that being said, it's easy to tell if you have the wrong encoding because you will receive an error such as "base32: invalid input".
I found that decoding from base58 > base32 > base64 outputs some readable text: Scam2021
I located the WordPress login page http://10.10.72.90/wordpress/wp-login.php and tried the credentials I found so far, but no luck getting in. I will save this for later and see if we can find the Subrion login first.
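The layer-peeling step described above, as an added example that is not part of the original writeup: at each layer it tries base58, base32 and base64 in turn and stops when nothing decodes to printable text, so it reports the order for you. The base58 codec and the `wrap` helper are mine, and the sample string is constructed inside the block rather than taken from the share.

```python
import base64
import string

# Base58 (Bitcoin alphabet) is not in the standard library, so a small codec is included.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))         # leading '1's stand for leading zero bytes
    return b"\x00" * pad + raw
def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

# Decoders tried in this order at every layer; each raises ValueError (binascii.Error
# is a subclass) on characters outside its alphabet or on bad padding.
DECODERS = {
    "base58": b58decode,
    "base32": base64.b32decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
}

def peel(blob: str, max_layers: int = 8) -> tuple[list[str], str]:
    """Remove layers until no decoder yields printable ASCII; return (layers, text)."""
    layers, cur = [], blob.strip()
    for _ in range(max_layers):
        for name, dec in DECODERS.items():
            try:
                out = dec(cur).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if out and all(c in string.printable for c in out):
                layers.append(name)
                cur = out.strip()
                break
        else:
            break                             # nothing decoded to readable text
    return layers, cur

def wrap(plain: str) -> str:
    """Constructed sample: base64, then base32, then base58 (the reverse of 58 > 32 > 64)."""
    s = base64.b32encode(base64.b64encode(plain.encode())).decode()
    return b58encode(s.encode())

SAMPLE = wrap("Scam2021")   # built here for the demo, not the string from the share
```

Note that this is obfuscation, not protection: anything that peels in a loop recovers the credential, so the fix on the server side is to keep credentials out of world-readable shares altogether.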
The enter.txt file mentioned that "/subrion doesn't work" and to "edit from the panel".
I tried visiting 10.10.72.90/subrion/ and saw it was trying to redirect to http://10.0.2.15/subrion/. I manually entered /panel and was greeted with this beautiful login screen:
I have never used or heard of this CMS builder, but everyone knows how to use a login page, so I gave it a shot using admin:Scam2021... it hung for about 15 seconds... and then it worked! I was on the dashboard.
I was slow moving around in here at first since it was all so new to me, but eventually found my way to the redirect issue. I changed the IP in the Site URL from 10.0.2.15 to 10.10.72.90 and saved the changes.
After saving these changes, I visited the site, which read "Error 404".
Having back-end and front-end access to this site was exciting. There wasn't much going on with the site, but that meant I should be able to build on it. That's what CMS GUIs are for. I navigated to CONTENT > Uploads and figured out how to add files.
Even though I was able to upload a php file, I wasn't able to view it. I wanted to be able to have some sort of backdoor or cmd capability via php. Googling "php file extensions" showed me a possible file extension to use: phtml. I gave this a shot but ran into the same error. Next extension to try: phar
My machine timed out so I was assigned a new IP and had to create a new file, but the phar extension worked!
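The reason phar slipped through is that the upload form was checking a denylist of extensions while Apache on Ubuntu hands .php, .phtml and .phar alike to the PHP engine. The following is an added example, not Subrion's own code: a reconstruction of that leaky check next to an allowlist-based one, plus the Apache directives that stop scripts in the uploads folder from executing at all. The uploads path in the snippet is a placeholder.

```python
import re
from pathlib import PurePosixPath

# Ubuntu's mod_php config hands these suffixes to the PHP engine
# (FilesMatch ".+\.ph(ar|p|tml)$"), so a denylist that misses one of them is bypassable.
PHP_EXECUTABLE = {"php", "phtml", "phar"}

# A denylist the way the upload form behaved in the walkthrough: .php and .phtml refused,
# .phar accepted. This is an assumed reconstruction, not the CMS's actual code.
LEAKY_DENYLIST = {"php", "phtml"}

def weak_check(filename: str) -> bool:
    """Accept unless the final extension is on the denylist."""
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext not in LEAKY_DENYLIST

# What an uploads folder legitimately needs; anything else is refused.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
# One dot only, plain characters: also refuses "shell.phar.png" style double extensions.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}$")

def hardened_check(filename: str) -> bool:
    """Accept only a plain name with a single, allowlisted, non-PHP extension."""
    name = filename.strip().lower()
    if not SAFE_NAME.fullmatch(name):
        return False
    ext = name.rsplit(".", 1)[1]
    return ext in ALLOWED and ext not in PHP_EXECUTABLE

# Defence in depth: even if a script does land in the folder, Apache must not run it.
# /var/www/html/subrion/uploads is a placeholder for the real uploads directory.
UPLOADS_VHOST_SNIPPET = """\
<Directory /var/www/html/subrion/uploads>
    php_admin_flag engine off
    RemoveHandler .php .phtml .phar
</Directory>
"""

def compare(names: list[str]) -> dict[str, tuple[bool, bool]]:
    """(weak, hardened) verdict per filename, for a quick side-by-side."""
    return {n: (weak_check(n), hardened_check(n)) for n in names}
```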
Visiting the file in the browser displayed a blank page, which for me is exciting. The code
is one I use often to run commands from the webpage URL. I tested this out using a URL encoder:
My permissions as the www user seem EXTREMELY limited. I had 0 sudo privileges, could not locate any sudo users with getent group | grep sudo
and found no shared sudo and SUID programs with find / -perm -u=s -type f 2>/dev/null
My next best move is to try and gain a shell. I generated a webshell using WWW and added the code to the subrion panel to a file called shell.phar
Although the webshell works, it is still unclear if I am going to be able to escalate privileges, but I was at least able to learn about new users on the system, such as root & scamsite.
After accepting I was stuck as the www-data user, I thought about more accessible information that I hadn't gotten ahold of yet. This led me to the WordPress login. Using the webshell, I viewed the wp-config file and was able to grab the database username and password.
I used this for the WordPress login and got in! Logically, the first thing I thought to do was to deface their scamming websites.
So far I have gotten system access as the www-data user, removed and added files, and extracted confidential information from their server. This means their confidentiality, integrity and availability have been exploited, but this wasn't enough yet. I needed persistence and escalated privileges in order to bring the scammers down completely.
Since I still had access to the WordPress, I wanted to see if I could gain system access through there as well. To start, I uploaded the WP File Manager plugin to the WP dashboard so I could upload a PHP reverse shell.
The easiest file to do this to was the index.php. Initially I was unable to connect, which is what you see in the webpage response, so I added a UFW rule to allow that IP to that port, and I was granted a shell!
Using the reverse shell I injected into the WordPress site didn't get me very far, as usual being limited to my user privileges. I went back to the nmap scan and thought about port 22. I could brute force SSH since I know there are two users, root and scamsite. But not having a promising password didn't seem like it would be worth the effort. I tried connecting via SSH using scamsite as the user. Using the password from the WP DB, I was able to get in!
Feeling just as stuck as I was as the www-data user, I decided to check something I had forgotten about before: sudo -l
This led me toward my only option to be able to gain access to files I shouldn't normally be allowed to access. The question was, which command is going to allow me to escalate privileges? I discovered I was able to read files with sudo privilege using iconv. I previously set LFILE=/etc/shadow so I could try and crack root's password to gain full access to the server. The chances of cracking that hash are slim, but it was still worth a shot. While that ran, I set LFILE=/root/root.txt and got the flag.
John the Ripper didn't catch the password, but using my sudo privilege I was able to become the root user.
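From the defender's side, the iconv entry is exactly the kind of rule a sudoers review should catch before someone else does: a program that copies a caller-chosen file to stdout, runnable as root. The following is an added example, not from the writeup: a small audit over sudo -l output that flags such entries along with ALL, wildcard and NOPASSWD specs. The sample output is constructed to match the shape described above; hostname and the second entry are placeholders.

```python
import re

# Constructed sample of `sudo -l` output in the shape this walkthrough describes:
# scamsite may run iconv as root. Hostname and the second entry are placeholders.
SAMPLE_SUDO_L = """\
Matching Defaults entries for scamsite on host:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User scamsite may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /bin/systemctl restart apache2
"""

# Programs that copy a caller-chosen file to stdout: with sudo they read any file the
# runas user can (iconv is the one used here). Extend from your own sudoers review.
FILE_READERS = {"iconv"}
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def audit_sudo_l(text: str) -> list[dict]:
    """Return one finding per risky command spec, with the reasons it was flagged."""
    findings, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if not m:
            continue
        runas, tags = m.group("runas").strip(), m.group("tags")
        for spec in m.group("cmd").strip().split(", "):   # several specs may share a line
            prog = spec.split()[0].rsplit("/", 1)[-1]
            reasons = []
            if spec == "ALL":
                reasons.append("unrestricted command")
            if prog in FILE_READERS:
                reasons.append(f"reads arbitrary files as {runas}")
            if "*" in spec:
                reasons.append("wildcard argument")
            if "NOPASSWD:" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append({"command": spec, "runas": runas, "reasons": reasons})
    return findings
```

Run it over `sudo -l -U <user>` output for each account that can log in over SSH; the systemctl entry shows that a tightly scoped command with fixed arguments produces no finding.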
From here, I could gain persistence by adding a new user, an additional ssh port, and many other tricks to continually shut the scamming operation down.