Tech_Supp0rt - TryHackMe Writeup
This is my writeup for the Tech_Supp0rt CTF on TryHackMe. You will learn how to exploit an SMB share, use some common privilege escalation (PE) tactics and find public exploits on the internet.
1. Enumeration
I started this challenge with a simple port scan.
nmap $IP
- $IP is the IP address of the box
As you can see, there are four open ports.
ssh
We can get a shell if we find valid credentials for a user.
http
A web server. We should take a closer look at this as soon as possible.
smb (port 139/445)
A protocol used for file sharing. There could be some useful information if we have access to a share.
2. Checking SMB
We can use a tool called smbmap to check out the service and find shares we can access.
smbmap -H $IP
Hmm, this is interesting. There is a share called websvr and we can read it. I'd say that sounds like a plan, so let's access this share using a tool called smbclient.
smbclient //$IP/websvr
Just press Enter when asked for a password.
So we have access. If you know how to use a command-line ftp client, you can interact with smbclient as well, since the commands are very similar.
I found a file (enter.txt) on the share and downloaded it using the get command. Let's look at it:
What we know now:
- There is a website under /subrion (it's a content management system)
- We have a username and something that looks like a hash for it
- They use WordPress as well
3. Getting a shell
I think we should take a look at the /subrion website.
Hmm, I tried to access it, but it loads forever. So I checked whether I could access some subdirectories. Using ffuf, I discovered some pages:
ffuf -u http://$IP/subrion/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -fw 20,1
I filtered responses by word count (-fw 20,1) because there were a lot of false positives.
And boom, there it is.
robots.txt gives us some more paths. /panel looks interesting, since it is mentioned in the note from before.
There it is: an admin panel to manage the CMS. I tried SQL injection, but sadly no luck. Then I remembered something else from the note:
cooked with magical formula
Is this a reference to CyberChef? I tried it and…
we got a password. So I logged in as admin.
Oh yeah, it worked. But how do I get a shell? After some googling I found this:
I downloaded and executed it, and there we go:
We are in, but only as www-data. So it is time for:
4. Privilege escalation
First I spawned a Python reverse shell and upgraded it to work more comfortably.
Yes, this looks better.
Then I tried the basic PE methods: sudo, SUID, crontab, LinPEAS. No luck with any of them. But then I remembered that WordPress is installed, and therefore there has to be a WordPress config file containing a password.
Woohoo, I was right.
I tried this password and boom, I am scamsite, the other user.
5. Getting the root flag
After changing user, PE starts again. sudo, SUID, cront… wait, what is this?
So I can run iconv as root. I took a quick look at GTFOBins and found this:
I tried this with /root/root.txt and…
Got the root flag.
Congratulations, the challenge is solved!!!
6. But…
There is more. We want to have a shell. So I scrolled up on GTFOBins and found this:
Meaning that if I put sudo in front of iconv, I could potentially overwrite every file on the system.
For example, we can edit /etc/passwd and set a new password for the root user.
- generate a new password hash using openssl
- copy /etc/passwd
- replace the x in the root line with the generated password hash
- su root
And now we are happy with the root shell!!
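From a defender's point of view, the root cause of the final step is a sudo rule that lets an unprivileged user run a file-read/write binary as root. The following added script is not part of the original writeup: it parses a sudoers-style rule set and flags such entries. The FILE_ACCESS_BINARIES set, the simplified sudoers grammar and the sample rules are my own constructed assumptions.

```python
import os
import re

# Binaries that read or write arbitrary files when run as root. iconv is the
# one abused in this writeup; extend the set to match your own baseline.
FILE_ACCESS_BINARIES = {"iconv", "cp", "tee", "dd"}

# Simplified sudoers grammar (assumed): user host = (runas) TAG: cmd, cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return one dict per (user, command) pair found in sudoers-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> "ALL"; a missing or empty runas defaults to root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"user": m.group("user"), "runas": runas,
                              "nopasswd": nopasswd, "command": cmd})
    return rules

def audit_sudoers(text):
    """Flag rules that let a user run a file-access binary as root."""
    findings = []
    for r in parse_sudoers(text):
        if r["runas"] not in ("root", "ALL"):
            continue
        binary = os.path.basename(r["command"].split()[0])
        if binary in FILE_ACCESS_BINARIES:
            how = "without a password" if r["nopasswd"] else "with a password"
            findings.append(f"{r['user']} may run {binary} as root {how}: "
                            "arbitrary file read/write (e.g. /etc/passwd)")
    return findings

# Constructed sample rules; the scamsite/iconv line mirrors the writeup.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
scamsite ALL=(root) NOPASSWD: /usr/bin/iconv
backup   ALL=(backup) NOPASSWD: /usr/bin/rsync
"""
```

Running audit_sudoers over the output of visudo -c -f or a copy of /etc/sudoers.d entries gives a quick pre-deployment check; the fix for a flagged rule is to restrict the command's arguments or drop the rule entirely.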