Reconnaissance
Ports open:
- 22
- 80
- 139
- 445
Finding a publicly exposed SMB share with smbmap, and connecting to it via smbclient:
# Enumeration of the shares offered by the host
smbmap -H <ip>
# Connection to the share and retrieval of its file(s)
# (forward-slash form; the backslash form needs quoting in a Unix shell)
smbclient //<ip>/<share>
An interesting file is found containing encoded credentials; using CyberChef's Magic operation we decode the password for a user (at this point we don't yet know which service these credentials belong to).
Enumeration / Access
The file found on the SMB share reveals the presence of a CMS: Subrion.
Browsing to host/subrion gives us its main page, and Subrion also exposes an admin login page at */panel.
The decoded credentials are valid for the Subrion panel.
(See Exploit for subrion RCE)
...
Logged in as www-html, we use LinPEAS to enumerate the host further; in the Apache and WordPress config files we find another set of credentials, but the username they name is not a valid local user. Under /home we find the user "scamsite", and su scamsite with those credentials succeeds.
(See Privilege escalation)
Exploit
Searching for a public exploit matching the installed version:
searchsploit subrion | grep <version>
We get an authenticated RCE exploit, which we ran with the username and password parameters set to the credentials found earlier (it automatically spawned a shell as www-html).
Privesc
Running sudo -l
we find a NOPASSWD: ALL entry for the binary /usr/bin/iconv.
On GTFOBins we find that iconv run through sudo can be leveraged to read and write files with root privileges, so we read /root/root.txt directly; there is no need to switch users or add ourselves to the %admin group.
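A defender's counterpart to the sudo finding above, added here as an example and not part of the original writeup: a small audit that parses sudoers-style rules and flags NOPASSWD entries that grant iconv (or ALL), since a file-conversion binary run as root can read and write arbitrary files. The sample sudoers text and the FILE_IO_BINARIES watchlist are constructed for this example.

```python
import re

# Constructed sample of /etc/sudoers content (not taken from the target host).
SAMPLE_SUDOERS = """\
# User privilege specification
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
scamsite ALL=(ALL) NOPASSWD: /usr/bin/iconv
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(ALL) /usr/bin/rsync
"""

# Binaries that, when allowed via sudo, let the caller read or write files as
# the run-as user. iconv is the case from the writeup; the set is an assumption
# for this example, not an exhaustive catalogue.
FILE_IO_BINARIES = {"/usr/bin/iconv"}

# user  host=(runas) [TAGS:] cmd1, cmd2, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_rules(text):
    """Yield (who, runas, nopasswd, commands) for each user-specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = re.sub(r"(NOPASSWD|PASSWD|NOEXEC|SETENV):", "", cmds)
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        yield m.group("who"), m.group("runas") or "root", nopasswd, commands


def risky_rules(text):
    """Return (who, runas, command) for passwordless rules on ALL or a file-I/O binary."""
    findings = []
    for who, runas, nopasswd, commands in parse_rules(text):
        for cmd in commands:
            binary = cmd.split()[0]
            if nopasswd and (binary == "ALL" or binary in FILE_IO_BINARIES):
                findings.append((who, runas, cmd))
    return findings


if __name__ == "__main__":
    for who, runas, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"{who} may run '{cmd}' as {runas} without a password: review this rule")
```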