How to Solve Tech_Support:1 on TryHackMe: A Step-by-Step Guide

TECH_SUPPORT01 TRYHACKME WRITE-UP - dp1h3r0x



Problem :-


# Find the root.txt Flag.


Solution :-


Step 1 :-  


First, enumerate the target using nmap.



[Screenshot: enumerating the target using nmap - dp1h3r0x]

After the scan you can see that only ports 22, 80 and 445 are open. Port 445 is SMB, so let's enumerate SMB.


[Screenshot: enumerating SMB]





Step 2 :- 

Let's use smbclient to look for anything important. The [websvr] share is very useful, so select it.


[Screenshot: a suspicious [enter.txt] file]

You can see a suspicious [enter.txt] file in the picture. Let's copy the file using the 'get' command, then read it.


[Screenshot: found a username and password - dpiherox]

I found a username and password and, most importantly, they are only the [Subrion creds]. Notice that there is a directory, '/subrion'.



Step 3 :- 

Let's go to the browser and check the website.


[Screenshot: the Apache web server is running]

You will see that the Apache web server is running. Let's brute-force the directories.

 

[Screenshot: found the '/test/' directory and the '/wordpress/wp-login.php' page]

See, I found the '/test/' directory and the '/wordpress/wp-login.php' page. Be sure to check these pages as well.



[Screenshot: this page is a phishing page]

This page is a phishing page; there is nothing special to find here. Let's check the other one. I tried some common creds to bypass the wp-login, but it failed.


Step 4 :-  

Let's check the '/subrion' directory that was found in the [enter.txt] file.


[Screenshot: found the 'panel' to log in using the enter.txt username and password]

I went to the '/subrion' page, but there was nothing there. After fuzzing the .... I found the 'panel' to log in using the [enter.txt] username and password. The username is 'admin', but the password is encrypted. I then decrypted the password with CyberChef. It is 'Scam20121'.


[Screenshot: decrypting the password with CyberChef]





After accessing the panel, I tried to upload a malicious PHP shell from the menu [content] -> [uploads] (see the pic). Point to note: '.php' is not allowed, so use '.phar'. The shell uploaded successfully.
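From the defender's side, the upload step above succeeds because the filter is a denylist. This is an added example, not code from the write-up or from Subrion, comparing that kind of check with an allowlist; the function names, both extension sets and the sample file names are assumptions made for illustration.

```python
import os
import secrets

# Assumed model of the filter the write-up ran into: only '.php' is refused.
DENYLIST = {".php"}
# Assumed set of types the site actually needs; everything else is refused.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def weak_denylist_check(filename):
    """Denylist: refuse a name only when its last extension is listed."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def validated_extension(filename):
    """Allowlist: return the final extension if the name is acceptable, else None."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or "\x00" in name:
        return None                      # path components or NUL bytes
    parts = name.rstrip(". ").lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None                      # no extension, or a dotfile
    # Every extension must be allowlisted, because Apache's mod_mime can
    # select a handler from any extension in the name, not only the last.
    if not all("." + p in ALLOWLIST for p in parts[1:]):
        return None
    return "." + parts[-1]


def stored_name(filename):
    """Name to save under: random, so the uploader controls only the type."""
    ext = validated_extension(filename)
    if ext is None:
        raise ValueError("upload refused: " + repr(filename))
    return secrets.token_hex(16) + ext


def gap(names):
    """Names the denylist accepts but the allowlist refuses."""
    return [n for n in names
            if weak_denylist_check(n) and validated_extension(n) is None]


# Constructed sample names; 'shell.phar' is the case from the write-up.
SAMPLES = ["avatar.png", "report.pdf", "shell.php", "shell.phar", "SHELL.PHAR"]

if __name__ == "__main__":
    print(gap(SAMPLES))
```

The allowlist is deliberately strict, so a name such as 'notes.v2.txt' is refused as well. Serving the upload directory without any script handler is the complementary server-side control.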

 

Step 5 :- 

Let's set up the listener and execute the PHP shell in the browser using the link path.


[Screenshot: setting the listener and executing the PHP shell]

As you can see, I have access to a shell, but I need to switch to a valid user shell. Let's try it. You can see that a wp-config.php file is here. Let's read the file's contents.


[Screenshot: I found a password of a user]

I found a password, but the user was not found. So, let's find out the user.


[Screenshot: identifying a valid username]

After identifying a valid username, I used the password credentials to log in via SSH.


Step 6 :- 

Now it is time for dinner: finding the root.txt flag, which is why I need root access to this machine. And I found my dinner: the binary '/usr/bin/iconv' needs no password, so I found a technique.


[Screenshot: found the flag, TECH_SUPPORT:01 TRYHACKME CTF]






Just set "LFILE=/root/root.txt" and run [./iconv -f 8859_1 -t 8859_1 "$LFILE"] on the command line using sudo. You can see in the picture above that I found the flag.




THANK YOU FOR READING





