This is the first CTF machine I built which is now live on VulnHub. The difficulty is Easy and can be solved by anyone with basic enumeration skills and the ability to understand exploits.
This machine is inspired by Indian tech support scammers. It acts as a server which is under maintenance that hosts their fake tech support website. Let us now PWN these scammers!
Enum
Let us start with a nmap scan
Nmap -sC -sV [IP]
We see that Port 80, 22, 139 and 445 are open.
Let us start enumerating port 80. It shows the default Apache2 page.
We find some interesting directories on doing a dirbust.
On going to the test directory, we find an easter egg. The error page popup scammers use to fool people saying that their computer is infected.
Let us now look at the wordpress page. This hosts the fake tech support website.
A very important rule to remember is to run a wpscan on this wordpress page.
wpscan --url http://[ip]/wordpress/ -e u,vp,vt— url: the url
- e: enumerate
- u: users
- vp: vulnerable plugins
- vt: vulnerable themes
The only interesting thing we find in the scan it the username.
But we still don’t have a password. Now that we have reached a dead end on Port 80, let us move on to the smb service.
smbmap -H [IP]
We find a read able share called websvr. Enumerate!
smbclient \\\\[IP]\\websvrWe find a file called enter.txt in there, download it using the mget command.
On reading the file, we are able to gather some sensitive information. We now know that there is a dir called /subrion which hosts another site and isn’t working and the sysadmin is supposed to edit it from the panel. And we also get creds for it which seem to encoded.
On running dirb in the /subrion dir we find multiple redirects but we do find a robots.txt file in it.
Exploitation
Now we find a dir called panel in the list. On going to /subrion/panel we it asks us for subrion cms’s creds. We are also able to get some sensitive info like the version of the cms which is 4.2.1.
We do find an exploit for this version in exploitdb but it is an authenticated exploit.
But we do have it’s creds which is encoded. We aren’t sure of the encoding used in it, it might be encode multiple times or by different encoding algorithms. This is why we will be using cyberchef’s magic module.
Let us login using those creds. And run the exploit from exploit db. If you have tried this, you know that the exploit doesn’t work, it gives out a lot of errors as it is a very recent exploit. It is theoretically correct but has a lot of bugs. You can try to fix the exploit or understand what it does and run it manually.
On reading the code, we learn that the script uploads a reverse shell in the for of .phar which is an alternative to php as it it blocked with the get system code. This is quite easy and we can do this manually.
Make a new file and name it shell.phar with the reverse shell code of your choice.
Upload it from the uploads tab. Then right click on the file and click on get info to get the direct link.
And now we have RCE!
Now intercept this request with Burpsuite and replace the command with a payload of your choice. Change the ip and port and make sure you URL encode it by selecting it and running CTRL+U.
We now have a shell and upgrade it by running…
python -c 'import pty; pty.spawn("/bin/bash")'It is a good time to look at the config files of the wordpress website we previously found. Go to /var/www/html/wordpress/ and look into the wp-config.php file.
On looking into the /home directory we find the dir for the user scamsite.
Let us try to use the same password we found on the config file for scamsite.
su scamsiteOR the wiser option is to login with ssh for a better shell.
Let us see if the user has been given any sudo privileges.
sudo -l
The user can run the binary iconv as sudo. Let us look at the GTFO Bins page for the exploitation.
With this binary we can only read and write file with sudo. You can try reading the root’s id_rsa key but that won’t work because that is disabled. So we must try to PrivEsc using the write privileges. We have many options here.
We can write…
- the authorised_keys file in the root’s .ssh directory with our id_rsa.pub key(This may not work on machines that have root login disabled from ssh, this can be verfied from looking into /etc/ssh/sshd_config file. But it will work in this machine as it it enabled)
- the /etc/passwd file(replace the x in the file for root with a password we generated)
- the /etc/cronjob file(add a task which sends nc shell to another port which is run by root)
Options 2 and 3 are longer compared to one, so in this writeup we will priv esc using method 1.
Copy your id_rsa.pub file from [user dir]/.ssh/id_rsa.pub. If you don’t have it run ssh-keygen. Follow the instructions in the GTFO Bins manual.
If your public key(id_rsa.pub) is on a remote machine’s authorised_keys file, then you can login to their account with ssh without a password.
LFILE=/root/.ssh/authorized_keys
echo "[your key]" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"
I printed out my public key in the bottom left pane. Ran the priv esc commands in the top pane and logged in as root from ssh without a password.
PWNED!
I hope you enjoyed this writeup and found this helpful, most importantly enjoyed pwning the machine and learnt something in the process.
Feel free to publish a writeup and share your knowledge and tactics with the world.
Also educate your family about these scams so they don’t become victims here.
Tech_Supp0rt:1 pwned!, Tech_supp0rt:2 coming soon!
