Tech_Supp0rt: 1 (Tryhackme)

By hac# · Published in InfoSec Write-ups · Apr 16, 2022 · 4 min read

Hack into the scammer’s under-development website to foil their plans.

Hello amazing hackers, this is Hac, and today we will be doing Tech_Supp0rt: 1 from TryHackMe. It's an easy box, so let's start hacking ……

We will start with an Nmap scan:

From the above scan we found that four ports are open: 22 (SSH), 80 (web server), and 139 and 445 (SMB). There is a small trick to identify the OS (operating system) without Nmap by using ping (yes, ping): check the TTL (time to live) of the reply. By default Windows has a TTL of 128, and for Linux it's something in the range of 64.

Now I will check port 80 because it has a larger attack surface.

Default Apache2 page

Now I will check its source code, because in CTFs you can find some juicy stuff there.

checking source code

I ran gobuster against it.

But it was of no use because /wordpress was a rabbit hole.

After that I checked SMB.

“websvr” looks interesting: if we have write access on that share, we can put our reverse shell there. Sadly, we don’t have write access :(

we don’t have write perms :(

But we have got “enter.txt”, so let’s have a look at it.

On checking enter.txt

We got a new directory, “/subrion”, and admin creds, but it looks like we need to decode the password. As always, our best friend CyberChef will help us.

decoding password

Let’s check “/subrion/panel”, which we got from “enter.txt”.

on checking port 80 /subrion/panel

We have the CMS name and version, so it’s better to look for an exploit.

checking for exploit on searchsploit

I am more interested in “Subrion CMS 4.2.1 - Arbitrary File Upload” because it’s the easiest way to get an initial foothold on the box. We can download the Python script by using “-m”.

downloading the python script

We can take a look at the Python script to understand what the exploit is actually doing.

checking python script

Let’s run the Python script, and we have got the shell. Let’s goooo bois ……….

Got shell as www-data

But wait a minute, we are pro 1337 heker, right??? So let’s try the manual way to get a shell.

First, log in to “/subrion/panel” with the creds which we got earlier.

/subrion/panel

After that we need to navigate to content > upload (“/subrion/panel/uploads”).

After that we will create a “.phar” file with our PHP reverse shell, then we will upload it.

Now we have got a shell (good job), but the game is not over yet: we need to escalate our privs, user > root. We know that there is WordPress, which can contain the password for the database, so let’s check that folder (/var/www/html/wordpress).

Anddd we got the username and password for the MySQL database. But we can try that password on the user “scamsite”. And we are in ……

Now we need to escalate our privs to the root user. If we do sudo -l, we see that we can run “/usr/bin/iconv”.

Let’s check one of our best friends for privilege escalation after linPEAS, which is GTFOBins.

And we got the root flag
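A defender-side audit for the kind of sudo rule found above, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags commands that GTFOBins lists as abusable under sudo. The sample listing is constructed (the hostname, the NOPASSWD tag and the second rule are assumptions), and `RISKY_BINARIES` is a hand-picked subset, not the full GTFOBins list.

```python
import re

# Assumption: a hand-picked, non-exhaustive subset of binaries that GTFOBins
# lists under "sudo"; extend it from your own baseline.
RISKY_BINARIES = {"iconv", "find", "vim", "less", "awk", "tar", "cp", "tee"}

# One rule line of `sudo -l` output, e.g. "    (ALL) NOPASSWD: /usr/bin/iconv"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(listing):
    """Return one finding per risky command granted in `sudo -l` output."""
    findings = []
    for line in listing.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # header, Defaults and blank lines
        runas_user = match.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in match.group("tags")
        for cmd in match.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            path = parts[0]  # ignore any argument restrictions
            name = path.rsplit("/", 1)[-1]
            if path == "ALL" or name in RISKY_BINARIES:
                findings.append({
                    "command": path,
                    "runas": runas_user,
                    "nopasswd": nopasswd,
                    "as_root": runas_user in ("ALL", "root"),
                })
    return findings


# Constructed sample: only the user "scamsite" and /usr/bin/iconv come from
# the write-up; hostname, NOPASSWD and the second rule are assumptions.
SAMPLE_LISTING = """\
Matching Defaults entries for scamsite on techsupport:
    env_reset, mail_badpass

User scamsite may run the following commands on techsupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/local/bin/backup-status
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE_LISTING):
        print(finding)
```

A rule flagged with `as_root` set means the account can read or write files as root through that binary, so it should be removed or replaced with a purpose-built wrapper.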

I hope you liked this write-up for Tech_Supp0rt: 1 (Tryhackme). I hope you learned something new. If you have any questions or any feedback, DM me on Twitter: hac10101
