Tech Support: Hack into the scammer’s under-development website to foil their plans. (THM Room)

0xViKi
Published in System Weakness
3 min read · Feb 11, 2024

Room Overview:

Reconnaissance:

A thorough Nmap scan followed by Gobuster directory enumeration laid the groundwork. Notable findings were the SSH, Apache and Samba services. Gobuster turned up two interesting directories, “/wordpress” and “/test”.


Nmap Scan Results:

  • Port 22/tcp: OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
  • Port 80/tcp: Apache httpd 2.4.18 (Ubuntu)
  • Port 139/tcp: Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • Port 445/tcp: Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)

Gobuster Directory Enumeration:

  • /wordpress
  • /test

Information Gathering:

Browsing the SMB server revealed a share named “websvr” containing a text file, “enter.txt”. It listed the scammers’ to-do items (creating a fake popup and fixing the Subrion and WordPress sites) and, usefully, included the credentials for the Subrion login.

SMB Folder Exploration

Subrion Exploitation:

Decoding Subrion CMS credentials

Username: admin

Passwd: 7sKvntXdPEJaxazce9PXi24zaFrLiKWCk -> base58 -> base32 -> base64 -> 'clearTextPassword' (decode the three layers in that order to recover the plaintext)
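The decoding chain above is easy to get wrong by hand (base58 has no standard-library decoder, and the layers must be peeled in the stated order). The script below is an added example, not code from the original post: it implements plain base58 over the Bitcoin alphabet (an assumption about which alphabet the token uses), round-trips a constructed password through base64, base32 and base58, and then applies decode_chain, which is the exact base58 -> base32 -> base64 sequence the write-up describes. The room’s real plaintext is not reproduced.

```python
"""Decode a password wrapped in base58 -> base32 -> base64, as in the write-up.

Added example, not code from the original post. The post's real token is
7sKvntXdPEJaxazce9PXi24zaFrLiKWCk; its plaintext is not reproduced here, so
this script round-trips a CONSTRUCTED password through the same three layers
and then peels them off in the order the post gives.
"""
import base64

# Bitcoin-style base58 alphabet (no 0, O, I or l). Assumption: the CTF token
# uses this alphabet, which is the default of most online base58 decoders.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Plain base58 (no checksum). Leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * zeros + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text.encode():
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


def decode_chain(token: str) -> str:
    """base58 -> base32 -> base64 -> cleartext, the order stated in the post."""
    b32_text = b58decode(token)             # base58 layer off: base32 text
    b64_text = base64.b32decode(b32_text)   # base32 layer off: base64 text
    return base64.b64decode(b64_text).decode()


def encode_chain(cleartext: str) -> str:
    """Apply the layers in reverse so decode_chain can be exercised offline."""
    b64_text = base64.b64encode(cleartext.encode())
    b32_text = base64.b32encode(b64_text)
    return b58encode(b32_text)


# Constructed value; NOT the password from the room.
CONSTRUCTED_PASSWORD = "Example-Pass-2024!"

if __name__ == "__main__":
    token = encode_chain(CONSTRUCTED_PASSWORD)
    print("token:    ", token)
    print("recovered:", decode_chain(token))
```

To use it on the real token, call decode_chain with the string from enter.txt; a ValueError from b58decode means the token was copied with a character outside the alphabet (often a trailing quote or a confusable 0/O), which is the usual reason the chain fails on the first attempt.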

I used Searchsploit and Metasploit to look for exploits for Subrion. Since Subrion CMS had an Arbitrary File Upload exploit, I chose Metasploit to exploit it.

Searchsploit
Metasploit Subrion Exploit

After setting the required options and running the Metasploit module for the Subrion CMS Arbitrary File Upload vulnerability, I obtained a reverse shell.

Metasploit set necessary parameters

With reverse shell access, I looked around the system and found the WordPress directory. There I located wordpress-config.php, a file that typically holds the database username and password used by the WordPress site.

Reverse shell access

With wpscan I had earlier determined the WordPress login username to be “support”, and the config file now gave me the password. These credentials are meant for the WordPress site, but because they also belong to the database on localhost, the same password is often reused for a local system account.

Privilege Escalation:

After finding the database password in the WordPress configuration file, I used it to log in over SSH.

SSH Creds:

uname: scamsite

passwd: "ScamLOL" (find it out yourself 😆)

Since I now had access as a low-level user (scamsite), I needed to escalate privileges to root. As I already knew the user’s password, I ran “sudo -l” and discovered that the iconv binary can be run as root with NOPASSWD (no password required).

Sudo -l output

PrivEsc Exploit:

From GTFOBins:

LFILE=/root/root.txt
sudo iconv -f 8859_1 -t 8859_1 "$LFILE"
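The misconfiguration that makes this step work is a NOPASSWD sudo rule for a binary that will happily copy any file the caller names to stdout. The audit script below is an added example, not part of the original post: it parses the text that sudo -l prints, mirrors the room’s rule in a constructed sample (the hostname and the second rule are assumptions), and flags NOPASSWD entries whose arguments are not pinned in sudoers, with iconv (the only such binary on the page) as the file-read case.

```python
"""Audit `sudo -l` output for NOPASSWD rules that hand a low-privileged user
root-level file reads, the weakness the write-up abuses via iconv.

Added example, not from the original post. The sample output below is
CONSTRUCTED to mirror the room (user scamsite, iconv as root without a
password); the hostname and the systemctl rule are assumptions.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

SAMPLE_SUDO_L = """\
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries that, run via sudo with unpinned arguments, copy any file the
# caller names to stdout. Only iconv is on the page; extending this set from
# the GTFOBins "file read" category is left to the reader as an assumption.
FILE_READ_BINARIES = {"iconv"}

RUNAS_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+?)\s*$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*(?P<rest>.*)$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str

    @property
    def binary(self) -> str:
        return os.path.basename(self.command.split()[0])

    @property
    def args_pinned(self) -> bool:
        # sudo -l prints just the path when sudoers allows any arguments;
        # an explicit argument list (or "" for no arguments) follows the path.
        return len(self.command.split()) > 1


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Turn the rule lines that follow the 'may run the following' header into SudoRule objects."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RUNAS_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = False  # a tag applies to every later command on the same line
        for segment in m.group("cmds").split(", "):
            segment = segment.strip()
            while (t := TAG_RE.match(segment)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group("tag"), nopasswd)
                segment = t.group("rest")
            rules.append(SudoRule(m.group("runas"), nopasswd, segment))
    return rules


def audit(rules: list[SudoRule]) -> list[tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means nothing was flagged."""
    findings = []
    for r in rules:
        if not r.nopasswd:
            continue
        if r.command == "ALL":
            findings.append(("CRITICAL", f"NOPASSWD for any command as ({r.runas})"))
        elif r.binary in FILE_READ_BINARIES and not r.args_pinned:
            findings.append(("HIGH", f"{r.command} as ({r.runas}) without a password and "
                                     "with free arguments: reads any file as root"))
        elif not r.args_pinned:
            findings.append(("MEDIUM", f"{r.command} as ({r.runas}) NOPASSWD with free arguments"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{severity}] {message}")
```

Run it against the output of sudo -l on the hosts you administer; the fix for a HIGH finding is to remove the rule, require a password, or pin the argument list in sudoers so the binary can only touch the files the task actually needs.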

Root-Flag

Conclusion:

The journey through the Tech Support Room showcases the intricacies of ethical hacking. From meticulous reconnaissance to exploiting vulnerabilities and strategic privilege escalation, this expedition provides valuable insights for aspiring ethical hackers. The flags captured are not merely digital trophies but represent a journey through the labyrinth of cybersecurity. Happy hacking!
