Tech_Supp0rt: 1

A detailed writeup of the Tech Support: 1 Room on TryHackMe

  1. I visited the given IP 10.201.97.23 and found the following default Apache Web page.

  2. I didn't find much here, so I ran a TCP scan with Nmap (service/version detection plus the default scripts).

    Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-25 12:57 EDT
    Nmap scan report for 10.201.97.23
    Host is up (0.62s latency).
    
    PORT    STATE SERVICE     VERSION
    22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
    |   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
    |_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
    80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    | smb2-security-mode: 
    |   3:1:1: 
    |_    Message signing enabled but not required
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    |_clock-skew: mean: -1h49m58s, deviation: 3h10m29s, median: 0s
    | smb-os-discovery: 
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: techsupport
    |   NetBIOS computer name: TECHSUPPORT\x00
    |   Domain name: \x00
    |   FQDN: techsupport
    |_  System time: 2025-09-25T22:27:36+05:30
    | smb2-time: 
    |   date: 2025-09-25T16:57:33
    |_  start_date: N/A
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 25.04 seconds
  3. SMB is running on the target (Samba 4.3.11 on ports 139 and 445). The smb-security-mode output also shows that a guest session was accepted (account_used: guest) and that message signing is not required, so anonymous share listing is the natural next step.

SMB Enumeration

  1. I listed the shares available on the target.

  2. I enumerated the websvr share as follows.

  3. This seemed interesting. I listed out the contents of the enter.txt file.

  4. These credentials were for Subrion. I looked it up online and it turns out that Subrion is a CMS. The next obvious step was to recover the plaintext password.

  5. I used CyberChef to decode the password.

  6. There was a hint in the message in the enter.txt file that the password was cooked using some magical formula, hence I took the clue and obtained Scam2021 as the decoded pass.
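CyberChef's Magic operation works by trying candidate decodings and keeping the ones that produce readable text. Below is an added example in that spirit, not code from the original writeup: a small Python "magic" decoder that tries Base64, Base32, Base58 and hex and reports every decoder that yields printable text. The set of encodings tried is an assumption (the page does not say which formula the room used), and the sample input is constructed here by Base58-encoding the recovered password Scam2021 so the block runs offline.

```python
"""Added example (not from the original writeup): a small Magic-style decoder
in the spirit of CyberChef's Magic operation. It tries several common
encodings on a candidate string and keeps only results that decode to
printable text. The sample input is constructed by Base58-encoding the
password the writeup recovered; which encoding the room really used is not
shown on this page, and the set of decoders tried is an assumption."""
import base64
import binascii

# Bitcoin-style Base58 alphabet (no 0, O, I, l), the one CyberChef uses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58, preserving leading zero bytes as '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58decode(text: str) -> bytes:
    """Decode Base58; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError if ch not in alphabet
    leading_ones = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_ones + body


# Name -> decoder. Each raises on invalid input, which we treat as "not this encoding".
DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base32": lambda s: base64.b32decode(s, casefold=True),
    "base58": b58decode,
    "hex": bytes.fromhex,
}


def magic(candidate: str) -> dict:
    """Return {encoding: decoded_text} for every decoder that yields printable text."""
    hits = {}
    for name, fn in DECODERS.items():
        try:
            raw = fn(candidate.strip())
            text = raw.decode("utf-8")
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue  # wrong alphabet, bad padding or non-text output: skip
        if text and text.isprintable():
            hits[name] = text
    return hits


# Constructed sample input: the writeup's recovered password, Base58-encoded here.
SAMPLE = b58encode(b"Scam2021")

if __name__ == "__main__":
    for enc, plain in magic(SAMPLE).items():
        print(f"{enc:7s} -> {plain!r}")
```

A decoder that never fails (ROT13, URL-decoding) would appear on every run, so this version only includes encodings whose alphabet or padding rejects most wrong guesses; read the survivors with the same scepticism you would apply to CyberChef's own suggestions.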

Web Enumeration

  1. I ran a directory scan on the target and obtained the following subdirectories.

    /wordpress
    /test
  2. The /wordpress subdirectory had a very basic website as follows.

  3. And /test had a bunch of those scary-looking fake popups.

I found nothing of use on either of the pages. Hence I went back to the enter.txt file and thought of enumerating Subrion CMS. My first step was to take a look at its official repository. https://github.com/intelliants/subrion

  4. I checked out the robots.txt file in the repository and found the following directories that crawlers weren't allowed to crawl.

  5. The panel subdirectory was listed there, hence I tried visiting /subrion/panel on the target.

  6. I used the credentials obtained before here and got access to the dashboard.

  7. I looked around the panel but found nothing useful. After that, I looked up some exploits online for Subrion and found the following Python script. https://www.exploit-db.com/exploits/49876

  8. I ran the exploit as follows and gained a web shell.

  9. I enumerated throughout the machine and found credentials in /var/www/html/wordpress/wp-config.php.

  10. I tried out the above credentials in the WordPress site's admin login and obtained access to the dashboard.

  11. I looked around, but it turned out that there was no use for this WordPress dashboard.

  12. I viewed the /etc/passwd file and found a scamsite user.
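Reading a project's robots.txt for paths the site would rather not have indexed, as done with the Subrion repository above, is worth scripting. The following is an added example, not part of the original writeup: a small Python robots.txt parser that collects Disallow paths per user-agent group and turns them into candidate URLs under the application's base path (here /subrion/, since the CMS is not at the web root). The sample robots.txt is constructed for this example; it includes /panel/ as on the page, while the other entries are illustrative, and the base URL is the target address from the scan.

```python
"""Added example (not part of the original writeup): a small robots.txt
parser for recon. It extracts the paths a site asks crawlers not to index
(Disallow entries), which often name admin panels, install scripts or backup
folders, and turns them into candidate URLs to visit. The sample robots.txt
is constructed for this example; only /panel/ is taken from the writeup."""
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# constructed sample, loosely modelled on a CMS robots.txt
User-agent: *
Disallow: /backup/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Allow: /uploads/public/
Disallow: /uploads/

User-agent: BadBot
Disallow: /
"""


def parse_robots(text: str) -> dict:
    """Map each User-agent to its Disallow paths.

    Consecutive User-agent lines share the rules that follow them; a new
    User-agent line after a rule line starts a new group. Comments (#) and
    blank lines are ignored, as are empty Disallow values (which allow all).
    """
    groups: dict = {}
    agents: list = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:          # previous group finished; start a new one
                agents, in_rules = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field == "disallow":
            in_rules = True
            if value:
                for agent in agents:
                    groups[agent].append(value)
        elif field in ("allow", "crawl-delay", "sitemap"):
            in_rules = True       # rule lines we do not collect, but they end the agent list
    return groups


def candidate_paths(groups: dict) -> list:
    """Deduplicate Disallow paths across all groups, dropping a bare '/'."""
    seen: list = []
    for paths in groups.values():
        for path in paths:
            if path != "/" and path not in seen:
                seen.append(path)
    return seen


def candidate_urls(base: str, paths) -> list:
    """Join each path under the application's base URL (not the site root)."""
    return [urljoin(base, path.lstrip("/")) for path in paths]


if __name__ == "__main__":
    found = parse_robots(SAMPLE_ROBOTS)
    for url in candidate_urls("http://10.201.97.23/subrion/", candidate_paths(found)):
        print(url)
```

The lstrip("/") in candidate_urls is deliberate: a CMS ships its robots.txt assuming it sits at the web root, so when the application lives under /subrion/ the disallowed paths have to be appended to that prefix rather than to the host, which is exactly why /subrion/panel was the right URL to try.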

Now, to be very honest, I had no idea that the password found in the wp-config.php file could be used to gain access to the target via SSH. Like, seriously. The password given is already listed as a credential for MySQL and yet it worked for WordPress. There was no way one could figure out that the same password could be used to gain an initial foothold on the target. I had to refer to a write-up for this step. But anyway..

Initial foothold and Root Flag

  1. I used the password ImAScammerLOL!123! for user scamsite and gained access to the target via SSH.

Bingo!

  2. I checked which commands the scamsite user could run via sudo using sudo -l and found the following.

  3. As usual, I went to GTFOBins and found the following approach for iconv (this is the sudo entry, so the binary is invoked through sudo rather than as ./iconv):

https://gtfobins.github.io/gtfobins/iconv/#sudo

LFILE=file_to_read
sudo iconv -f 8859_1 -t 8859_1 "$LFILE"

     Note that iconv also accepts -o to write its output to a file, so the same sudo rule is a root-level file write as well as a file read (GTFOBins lists both); that is the primitive you would use for a full root shell rather than just the flag.

  4. I applied the above method and obtained the root flag.

Yay!
