Tech_Supp0rt: 1 (Tryhackme)

By hac. Published in InfoSec Write-ups. 4 min read, Apr 16, 2022.

Hack into the scammer’s under-development website to foil their plans.

Hello amazing hackers, this is Hac, and today we will be doing Tech_Supp0rt: 1 from TryHackMe. It’s an easy box, so let’s start hacking ……

We will start with an Nmap scan:

From the above scan we found that four ports are open: 22 (SSH), 80 (web server), and 139 and 445 (SMB). There is a small trick to identify the OS (operating system) without Nmap by using ping (yes, ping): check the TTL (time to live) in the replies. By default Windows has a TTL of 128, and for Linux it’s something in the range of 64.
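The TTL check described above, as an added example (not part of the original write-up): the observed TTL drops by one per router hop, so the code rounds it up to the nearest common default. The 255 bucket, the function names, and the sample ping output are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Default initial TTLs. 64 (Linux) and 128 (Windows) are the values named in
# the write-up; 255 (many routers and some Unix systems) is an added assumption.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "network device/other"}

# Matches both Linux ("ttl=63") and Windows ("TTL=127") ping reply lines.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_os(ttl):
    """Map an observed TTL to (os_family, initial_ttl, hops_away)."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    # Each router decrements TTL by one, so round up to the nearest default.
    initial = min(v for v in INITIAL_TTLS if v >= ttl)
    return INITIAL_TTLS[initial], initial, initial - ttl


def fingerprint(ping_output):
    """Guess the OS family from raw ping output; None if there were no replies."""
    ttls = [int(t) for t in TTL_RE.findall(ping_output)]
    if not ttls:
        return None  # host down or ICMP filtered: no conclusion possible
    most_common_ttl = Counter(ttls).most_common(1)[0][0]
    return guess_os(most_common_ttl)


# Constructed sample output (documentation address range, not a real host).
SAMPLE_LINUX = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=45.1 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=63 time=44.8 ms
"""
SAMPLE_WINDOWS = "Reply from 192.0.2.20: bytes=32 time=45ms TTL=127\n"

if __name__ == "__main__":
    # The default TTL is configurable, so treat the result as a hint only.
    for sample in (SAMPLE_LINUX, SAMPLE_WINDOWS, "Request timed out.\n"):
        print(fingerprint(sample))
```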

Now I will check port 80 because it has a larger attack surface.

Default Apache2 page

Now I will check its source code, because in CTFs you can find some juicy stuff there.

checking source code

I ran gobuster against it

But it was of no use because /wordpress was a rabbit hole.

After that I checked SMB.

“websvr” looks interesting: if we have write access on that share, we can put our reverse shell there. Sadly, we don’t have write access :(

we don’t have write perms :(

But we have got “enter.txt”, so let’s have a look at it.

On checking enter.txt

We got a new dir “/subrion” and admin creds, but it looks like we need to decode the password. As always, our best friend CyberChef will help us.

decoding password

Let’s check “/subrion/panel”, which we got from “enter.txt”.

on checking port 80 /subrion/panel

We have the CMS name and version, so it’s better to look for an exploit.

checking for exploit on searchsploit

I am more interested in “Subrion CMS 4.2.1 — Arbitrary File Upload” because it’s the easiest way to get an initial foothold on the box. We can download the Python script by using “-m”.

downloading the python script

We can take a look at the Python script to understand what the exploit is actually doing.

checking python script

Let’s run the Python script, and we have got the shell. Let’s goooo bois ……….

Got shell as www-data

But wait a minute, we are pro 1337 heker, right ??? So let’s try the manual way to get a shell.

First log in to “/subrion/panel” with the creds which we got earlier.

/subrion/panel

After that we need to navigate to Content > Upload (“/subrion/panel/uploads”).

After that we will create a “.phar” file with our PHP reverse shell, then we will upload it.

Now we have got a shell (good job), but the game is not over yet: we need to escalate our privs from user > root. We know that there is WordPress, which can contain the password for the database, so let’s check that folder (/var/www/html/wordpress).

Anddd we got the username and password for the MySQL database. But we can try that password on user “scamsite”, and we are in ……

Now we need to escalate our privs to the root user. If we do sudo -l, we can run “/usr/bin/iconv”.

Let’s check one of our best friends for privilege escalation after linpeas, which is GTFOBins.

And we got root flag

I hope you liked this write-up for Tech_Supp0rt: 1 (TryHackMe), and I hope you learned something new. If you have any questions or feedback, DM me on Twitter: hac10101
