Tech_Supp0rt: 1 | TryHackMe
Hack into the scammer’s under-development website to foil their plans.
Hello, amazing hackers, this is Hac, and today we will be doing Tech_Supp0rt: 1 from TryHackMe. It's an easy box, so let's start hacking ……
We will start with an Nmap scan:
From the above scan, we found that four ports are open: 22 (SSH), 80 (web server), and 139 and 445 (SMB). There is a small trick to identify the OS (operating system) without Nmap by using ping (yes, ping): check the TTL (time to live). By default, Windows has a TTL of 128, and for Linux it's something in the range of 64.
Now I will check port 80 because it has a larger attack surface.
Default Apache2 page
Now I will check its source code, because you can find some juicy stuff there in CTFs.
checking source code
I ran Gobuster against it.
But it was of no use because /WordPress was a rabbit hole.
After that I checked SMB.
“Website” looks interesting: if we have write access on that share, we can put our reverse shell there. Sadly, we don't have write access :(
we don’t have write perms :(
But we have got “enter.txt”, so let's have a look at it.
On checking enter.txt
We got a new dir “/subrion” and admin creds, but it looks like we need to decode the password. As always, our best friend CyberChef will help us.
decoding password
Let's check “/subrion/panel”, which we got from “enter.txt”.
on checking port 80 /subrion/panel
We have the CMS name and version, so it's better to look for an exploit.
checking for exploits on searchsploit
I am more interested in “Subrion CMS 4.2.1 — Arbitrary File Upload” because it's the easiest way to get an initial foothold on the box. We can download the Python script by using “-m”.
downloading the python script
We can take a look at the python script to understand what the exploit is doing.
checking python script
Let's run the Python script, and we have the shell. Let's go bois ……….
Got shell as www-data
But wait a minute, we are pro 1337 hackers, right??? So let's try the manual way to get a shell.
First, log in to “/subrion/panel” with the creds we got earlier.
/subrion/panel
After that, we need to navigate to content > upload (“/subrion/panel/uploads”).
After that, we will create a “.phar” file with our PHP reverse shell, then we will upload it.
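Seen from the defender's side, the ".phar" upload above is a file-type validation failure. The following is an added example (not from the original write-up or from Subrion's code) that contrasts a denylist that misses ".phar" with an allowlist check; the denylist contents, the allowed types and all function names are assumptions for illustration.

```python
import os
import secrets

# Assumed denylist: blocks the obvious PHP suffixes but forgets ".phar".
DENYLIST = {".php", ".php5", ".phtml"}
# Assumed allowlist for a content-upload feature (images and PDFs only).
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def denylist_accepts(filename: str) -> bool:
    """Weak check: reject only the suffixes someone remembered to list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Strict check: every dot-separated suffix must be an allowed type."""
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name:
        return False
    stem, *suffixes = name.split(".")
    if not stem or not suffixes:  # dotfiles and extensionless names
        return False
    return all("." + s.lower() in ALLOWLIST for s in suffixes)


def stored_name(filename: str) -> str:
    """Save under a random name so the client never chooses the on-disk name."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload: {filename!r}")
    ext = "." + filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed sample filenames, not taken from the box.
SAMPLES = ["avatar.png", "report.PDF", "shell.phar", "shell.phar.png", ".htaccess"]


def compare(samples=SAMPLES):
    """Map each name to (denylist verdict, allowlist verdict)."""
    return {s: (denylist_accepts(s), allowlist_accepts(s)) for s in samples}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:16} denylist={weak!s:5} allowlist={strict}")
```

Filename checks are only one layer: serving the uploads directory with script execution disabled covers the case where a file still slips through.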
Now we have got a shell (good job), but the game is not over yet: we need to escalate our privs to user > root. We know that there is a WordPress install, which can contain passwords for databases, so let's check that folder (/var/www/html/WordPress).
And we got the username and password for the MySQL database. But we can try that password on a user “scam site”, and we are in ……
Now we need to escalate our privs to the root user. If we do sudo -l, we see that we can run “/usr/bin/icons”.
Let's check one of our best friends for privilege escalation after linpeas, which is GTFOBins.
And we got the root flag.
I hope you liked this write-up for Tech_Supp0rt: 1 (TryHackMe) and that you learned something new. If you have any questions or any feedback, DM me on Twitter: ZalaNihir.